arrow_back
search
close

PUA.Win32.InstallCore.MANHOCFC

September 06, 2023
 Analysis by: Neljorn Nathaniel Aguas
 ALIASES:

PUA/OfferCore.Gen (ANTIVIR)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


  TECHNICAL DETAILS

File Size:

1,734,816 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

31 Aug 2023

Payload:

Connects to URLs/IPs, Drops files

Installation

This Potentially Unwanted Application drops the following files:

  • %User Temp%\is-{Random Characters 1}.tmp\{Malware File Name}.tmp → Deleted afterwards
  • %User Temp%\is-{Random Characters 2}.tmp\is-{Random Characters 3}.tmp → Renamed afterwards to file_.exe
  • %User Temp%\is-{Random Characters 4}.tmp\file_.tmp → Deleted afterwards
  • %User Temp%\is-{Random Characters 5}.tmp\botva2.dll → Deleted afterwards
  • %User Temp%\is-{Random Characters 5}.tmp\Helper.dll → Deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • "%User Temp%\is-{Random Characters 1}.tmp\{Malware File Name}.tmp" /SL5="$1F05E8,831488,831488,{Malware Path}\{Malware File Name}.exe"
  • "%User Temp%\is-{Random Characters 2}.tmp\file_.exe" /LANG=en /NA=Rh85hR64
  • "%User Temp%\is-{Random Characters 4}.tmp\file_.tmp" /SL5="$2F05AA,1559708,780800,%User Temp%\is-{Random Characters 2}.tmp\file_.exe" /LANG=en /NA=Rh85hR64

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

  • %User Temp%\is-{Random Characters 1}.tmp → Deleted afterwards
  • %User Temp%\is-{Random Characters 2}.tmp
  • %User Temp%\is-{Random Characters 2}.tmp\_isetup
  • %User Temp%\is-{Random Characters 4}.tmp → Deleted afterwards
  • %User Temp%\is-{Random Characters 5}.tmp → Deleted afterwards
  • %User Temp%\is-{Random Characters 5}.tmp\_isetup → Deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
Owner = {Hex Values}

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
SessionHash = {Hex Values}

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
Sequence = 1

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0001
Owner = {Hex Values} → Deleted afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0001
SessionHash = {Hex Values} → Deleted afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0001
Sequence = 1 → Deleted afterwards

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
{Hash Value}
Blob = {Hex Values}

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URL:

  • http://{BLOCKED}9k18f2wb.cloudfront.net
  • http://{BLOCKED}ha0gj0a4.cloudfront.net