Overview (overall score: 10)

Task | Platform | Score
Static (static) | - | 3
HA_DVDIden...re.exe | windows7-x64 | 7
HA_DVDIden...re.exe | windows10-2004-x64 | 7
$PLUGINSDI...ns.dll | windows7-x64 | 3
$PLUGINSDI...ns.dll | windows10-2004-x64 | 3
$PLUGINSDI...sh.dll | windows7-x64 | 3
$PLUGINSDI...sh.dll | windows10-2004-x64 | 3
$PLUGINSDI...nu.dll | windows7-x64 | 3
$PLUGINSDI...nu.dll | windows10-2004-x64 | 3
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3
$TEMP/Assi...fy.exe | windows7-x64 | 8
$TEMP/Assi...fy.exe | windows10-2004-x64 | 8
$R0.dll | windows7-x64 | 8
$R0.dll | windows10-2004-x64 | 8
Assist/$R0.dll | windows7-x64 | 6
Assist/$R0.dll | windows10-2004-x64 | 6
$TEMP/DUDU_HH.exe | windows7-x64 | 10
$TEMP/DUDU_HH.exe | windows10-2004-x64 | 10
DVD Identifier.chm | windows7-x64 | 1
DVD Identifier.chm | windows10-2004-x64 | 1
DVD Identifier.exe | windows7-x64 | 6
DVD Identifier.exe | windows10-2004-x64 | 6
uninst.exe | windows7-x64 | 7
uninst.exe | windows10-2004-x64 | 7
$PLUGINSDI...LL.dll | windows7-x64 | 3
$PLUGINSDI...LL.dll | windows10-2004-x64 | 3
Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 06:12
Task | Sample | Resource
Static task (static1) | - | -
Behavioral task (behavioral1) | HA_DVDIdentifier401_Fire.exe | win7-20240508-en
Behavioral task (behavioral2) | HA_DVDIdentifier401_Fire.exe | win10v2004-20240508-en
Behavioral task (behavioral3) | $PLUGINSDIR/InstallOptions.dll | win7-20240508-en
Behavioral task (behavioral4) | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240611-en
Behavioral task (behavioral5) | $PLUGINSDIR/Splash.dll | win7-20240508-en
Behavioral task (behavioral6) | $PLUGINSDIR/Splash.dll | win10v2004-20240508-en
Behavioral task (behavioral7) | $PLUGINSDIR/StartMenu.dll | win7-20240508-en
Behavioral task (behavioral8) | $PLUGINSDIR/StartMenu.dll | win10v2004-20240508-en
Behavioral task (behavioral9) | $PLUGINSDIR/System.dll | win7-20240419-en
Behavioral task (behavioral10) | $PLUGINSDIR/System.dll | win10v2004-20240611-en
Behavioral task (behavioral11) | $TEMP/Assist_hanzify.exe | win7-20240220-en
Behavioral task (behavioral12) | $TEMP/Assist_hanzify.exe | win10v2004-20240611-en
Behavioral task (behavioral13) | $R0.dll | win7-20240611-en
Behavioral task (behavioral14) | $R0.dll | win10v2004-20240508-en
Behavioral task (behavioral15) | Assist/$R0.dll | win7-20240508-en
Behavioral task (behavioral16) | Assist/$R0.dll | win10v2004-20240611-en
Behavioral task (behavioral17) | $TEMP/DUDU_HH.exe | win7-20240508-en
Behavioral task (behavioral18) | $TEMP/DUDU_HH.exe | win10v2004-20240508-en
Behavioral task (behavioral19) | DVD Identifier.chm | win7-20240220-en
Behavioral task (behavioral20) | DVD Identifier.chm | win10v2004-20240508-en
Behavioral task (behavioral21) | DVD Identifier.exe | win7-20231129-en
Behavioral task (behavioral22) | DVD Identifier.exe | win10v2004-20240611-en
Behavioral task (behavioral23) | uninst.exe | win7-20240221-en
Behavioral task (behavioral24) | uninst.exe | win10v2004-20240611-en
Behavioral task (behavioral25) | $PLUGINSDIR/LangDLL.dll | win7-20240611-en
Behavioral task (behavioral26) | $PLUGINSDIR/LangDLL.dll | win10v2004-20240508-en
General

Target: $TEMP/DUDU_HH.exe
Size: 220KB
MD5: 0b2a860a558ca00e1b4f389b6d8be1e6
SHA1: 5e5a12756446751482d3db2798bd954f2f49ee68
SHA256: 81db7a9742cb8fb50f7a97a952388cb3f4a1a9d150bc84705f8c2abf2c71dafe
SHA512: 2210d69d467358c3174bf0685bd6dc1236d56aa9a19246c58931ebf87fe955fb4ed5e9acbb328b1775930e20fa275781c0eb48dd6d943de46ff20dc8fe511147
SSDEEP: 1536:OmcjI6qnGJWh7jtCY4d/2uXAEaTKKNZuYfoIRSPVOklNmUSxxbZl99JF:OHGnGAl5id+kQfJoIOVOklNmUSxx
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: remotesetup.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | remotesetup.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" | remotesetup.exe

Executes dropped EXE (1 IoC)
Processes: remotesetup.exe
PID | Process
2108 | remotesetup.exe

Loads dropped DLL (4 IoCs)
Processes: DUDU_HH.exe, remotesetup.exe
PID | Process
2204 | DUDU_HH.exe
2108 | remotesetup.exe
2108 | remotesetup.exe
2108 | remotesetup.exe

Drops file in Windows directory (1 IoC)
Processes: remotesetup.exe
Description | IoC | Process
File created | C:\Windows\Tasks\DDD_Install_Program.job | remotesetup.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: DUDU_HH.exe
Description | PID | Process | Target process
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
PID 2204 wrote to memory of 2108 | 2204 | DUDU_HH.exe | remotesetup.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"
   PID: 2204
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\remotesetup.exe (child of PID 2204)
      Command line: C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
      PID: 2108
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 200KB
MD5: 431f73f47db54f39affaf01d059ddc19
SHA1: 494a98579d991201f79bc62138f3614eba7a6bf4
SHA256: 432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281
SHA512: 94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b