Overview

Static (score 6)
CapCut_737...er.exe, windows7-x64 (score 3)
CapCut_737...er.exe, windows10-2004-x64 (score 6)
$PLUGINSDI...er.dll, windows7-x64 (score 4)
$PLUGINSDI...er.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...em.dll, windows7-x64 (score 3)
$PLUGINSDI...em.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...ed.dll, windows7-x64 (score 3)
$PLUGINSDI...ed.dll, windows10-2004-x64 (score 1)
$PLUGINSDI...in.dll, windows7-x64 (score 1)
$PLUGINSDI...in.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...er.dll, windows7-x64 (score 3)
$PLUGINSDI...er.dll, windows10-2004-x64 (score 3)
Analysis (score 3)

Max time kernel: 425s
Max time network: 448s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-07-2024 17:00
Static task static1
Behavioral task behavioral1: sample CapCut_7376209657305497617_installer.exe, resource win7-20240220-en
Behavioral task behavioral2: sample CapCut_7376209657305497617_installer.exe, resource win10v2004-20240508-en
Behavioral task behavioral3: sample $PLUGINSDIR/BgWorker.dll, resource win7-20240611-en
Behavioral task behavioral4: sample $PLUGINSDIR/BgWorker.dll, resource win10v2004-20240508-en
Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20240221-en
Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
Behavioral task behavioral7: sample $PLUGINSDIR/deviceregister_shared.dll, resource win7-20240419-en
Behavioral task behavioral8: sample $PLUGINSDIR/deviceregister_shared.dll, resource win10v2004-20240611-en
Behavioral task behavioral9: sample $PLUGINSDIR/downloader_nsis_plugin.dll, resource win7-20231129-en
Behavioral task behavioral10: sample $PLUGINSDIR/downloader_nsis_plugin.dll, resource win10v2004-20240508-en
Behavioral task behavioral11: sample $PLUGINSDIR/shell_downloader.dll, resource win7-20240611-en
Behavioral task behavioral12: sample $PLUGINSDIR/shell_downloader.dll, resource win10v2004-20240508-en
General

Target: $PLUGINSDIR/downloader_nsis_plugin.dll
Size: 1.2MB
MD5: f181413906a465fd0dd68cc4a3d98803
SHA1: 5aa28be48047dd0b672ab98d5e7cbd8260486b4b
SHA256: e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda
SHA512: 8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25
SSDEEP: 24576:UtF94NRXKCK8gEM4Vn8rHmAumkpF6sBE:Ut/uXTianGmAumkpFe
Malware Config
Signatures
Program crash (1 IoC)
Processes: WerFault.exe
  pid 4188 WerFault.exe, target pid 4352 rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid 3152 WINWORD.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid 3152 WINWORD.EXE (7 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  PID 1384 wrote to memory of 4352: rundll32.exe (pid 1384) to target process rundll32.exe (3 occurrences)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 896
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3992,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 201B
  MD5: 35375f95b1430c8b11ebeb931fba0dda
  SHA1: 5122d139ac357db969c191b941bd479ceb9dc59f
  SHA256: fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b
  SHA512: b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 1f2339051c704c48b25e3e27cfe9b8f5
  SHA1: 22230e78ae3ca9ebd13fdf59fcfb54bb8f0a40fa
  SHA256: 5dbe38468bf0444e4df3a9f76eeafda3bdbdbb98d57ad6676e5f50be0e175783
  SHA512: 8cb33bbec66ad0f250e68bc47829ea561e5b791cde0451eeae293dd2692236d3d65cf23e5015779e2c1976a05e77f23007da8267a3da03683d52ff7fd308ed43

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 4f6539f61b9bfaabec0acf12505d6456
  SHA1: efb9295d72b52e2d855c951cb04bb54a89d746c5
  SHA256: a32beed1300f256fada02e30d709fd8d5c888efa2a3d220ee3651a8598524a2e
  SHA512: 7955d4e474ad181b24efc80ae7ec734beb7196c975cfb881cc6a5fb23d89fa26491e3c94ea2e3bf2f120c6f8e82d5cb9387058412ff5e757c7d0ba0116b4be7f

- memory/3152-9-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-20-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-6-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-8-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-7-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-10-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-13-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-14-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-12-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-11-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-0-0x00007FF821030000-0x00007FF821040000-memory.dmp, Filesize: 64KB
- memory/3152-15-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-16-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-5-0x00007FF86104D000-0x00007FF86104E000-memory.dmp, Filesize: 4KB
- memory/3152-19-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-18-0x00007FF81E9C0000-0x00007FF81E9D0000-memory.dmp, Filesize: 64KB
- memory/3152-17-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-22-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-21-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB
- memory/3152-23-0x00007FF81E9C0000-0x00007FF81E9D0000-memory.dmp, Filesize: 64KB
- memory/3152-4-0x00007FF821030000-0x00007FF821040000-memory.dmp, Filesize: 64KB
- memory/3152-3-0x00007FF821030000-0x00007FF821040000-memory.dmp, Filesize: 64KB
- memory/3152-2-0x00007FF821030000-0x00007FF821040000-memory.dmp, Filesize: 64KB
- memory/3152-1-0x00007FF821030000-0x00007FF821040000-memory.dmp, Filesize: 64KB
- memory/3152-537-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp, Filesize: 2.0MB