Overview

overview

7

Static

static

7

0e33b00d35...18.exe

windows7-x64

7

0e33b00d35...18.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$TEMP/Tool...ke.exe

windows7-x64

7

$TEMP/Tool...ke.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...om.dll

windows7-x64

5

$PLUGINSDI...om.dll

windows10-2004-x64

5

$PLUGINSDI...dt.dll

windows7-x64

3

$PLUGINSDI...dt.dll

windows10-2004-x64

3

$R0.dll

windows7-x64

6

$R0.dll

windows10-2004-x64

6

$R2/NSIS.L...4_.exe

windows7-x64

1

$R2/NSIS.L...4_.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/Toolbar_Phpnuke.exe

  • Size

    210KB

  • MD5

    1e3e68a0a110922361890ff0de710d74

  • SHA1

    adf466a53c099099541e48655118e2dfeea75be2

  • SHA256

    0930a168d6c22438d2d55cda730b93b330e849325d6ac47590682b3417541baf

  • SHA512

    3a769923b6822dc4d62f3bde718efa87c3da8d5fa7237128236c6249e0d4a1345c0c1b23fdf669052ae30551ac79258ab9e654eb44480b7f0033ea460562f565

  • SSDEEP

    3072:OLk395hYXJN3rSx0M1BnmSplKPl/L49qqw2LsFLK2pJBdEjy4RP/tsFLK2pJBdEb:OQq3W2M3mWsoBL8N7jEjt5V8N7jEjt/5

Score
7/10
adwarediscoveryspywarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Phpnuke.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Phpnuke.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\DealPly\DealPlyIE.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dealply.com/go/postinstall/?partner=vn&channel=tgldpo
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\DealPly\DealPlyIE.dll
    Filesize

    76KB

    MD5

    ee5fb0fd8c2d19d90e8fad8e8636a38e

    SHA1

    5d41abc6c1e69e72466eeb4e4f2128ac0343bb16

    SHA256

    02e1d44c854de1f8400a1cc24c2ba89efec402cf327dd192b0c581c6e01dede9

    SHA512

    607212af21ecd1d0bb0f308f566a457c8ed57d71eb4848242f5efe450de149b232c0953dde49140a8b4e6571fabbc21196272a1a856a6b34cb2da27c38def68f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    823fe1de5451b6ea9c69599b131233db

    SHA1

    af8b9b46bbe4b0b996abc996cc5f000f8c498348

    SHA256

    a13b5fcb02fe68cd72e236cec1284e80ef9aa37bcbb596f57fa0d32f9bdb5a32

    SHA512

    043c555804f19aa482e5419fd0a27b3cf3ca5369cf4f9941608358a7cca8f524515041881b35af63b02dd915abca4a51f45c2b60f1070a293b652d6fbe3ca782

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    399295af02067e3e80668a7258162c2f

    SHA1

    b50a65fe627ab568397215888332b837602678a9

    SHA256

    4320a207811cff434c9996e09f4be2e4001e23d98f69ba63be7b7b01ea39342b

    SHA512

    c03b6336a32b77f1bcf4f5c8672c671b6479d9bc50dc8c543a11aaa86d55f7852d6c632851d2c145db3a21d11f3daa981c38f5f0a61dd18e918fa93423826efe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4541.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\InstallOptions.dll
    Filesize

    14KB

    MD5

    325b008aec81e5aaa57096f05d4212b5

    SHA1

    27a2d89747a20305b6518438eff5b9f57f7df5c3

    SHA256

    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    SHA512

    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    9384f4007c492d4fa040924f31c00166

    SHA1

    aba37faef30d7c445584c688a0b5638f5db31c7b

    SHA256

    60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

    SHA512

    68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\NSISdl.dll
    Filesize

    14KB

    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\ioSpecial.ini
    Filesize

    721B

    MD5

    94891f7c3788b1ba1e6f82c1876c1003

    SHA1

    f972e9555afcb38a391a02d4348c23fc6fcad3a2

    SHA256

    a1f1fda3625fb0dccbac1022bc625299f8ec9eaaa5939df9df099c49ae53befe

    SHA512

    a05bba3e8c6a422cfc10954092298e6a343f2072fc04c86ec6a570cc8771a16375ff25009c2afd6b72092d9c0c70fc2e1476fa1a13db4d6ba09e98de9676ca04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\nsRandom.dll
    Filesize

    21KB

    MD5

    ab467b8dfaa660a0f0e5b26e28af5735

    SHA1

    596abd2c31eaff3479edf2069db1c155b59ce74d

    SHA256

    db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

    SHA512

    7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss98B7.tmp\nsisdt.dll
    Filesize

    5KB

    MD5

    df4795dfabe3bc9278a73d496cc4b40d

    SHA1

    2648ded47e29ecf3e1a1cc20c631e83caf566897

    SHA256

    2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10

    SHA512

    013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

    Download Submit

  • memory/1640-129-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-152-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-154-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-143-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-145-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-137-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1640-130-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download