37259fff5937e8c92679a70cff7fc4b81043451ce705c982398865b17c7fd2a5

General

Target

uncategorized_1.7.2.1.vir.exe
Size

146KB
MD5

840641f9291b990b4b70295ef9c93ff9
SHA1

ee5d02be081bdd4838404a6efb36e18425824665
SHA256

37259fff5937e8c92679a70cff7fc4b81043451ce705c982398865b17c7fd2a5
SHA512

b9fb63ac3bbd6d51f2e62078a5ed54f67247e3633fa0e16a25294435e13b3b37d75aea8e3dae56d1dceb3c42f7712995c7e39c305a2dc38bd42b7d93db20444e

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 75 IoCs

Processes:

uncategorized_1.7.2.1.vir.exenet.exenet.exeaveq.exenet.exenet.exe

description	pid	process	target process
PID 1456 wrote to memory of 1488	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 1488	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 1488	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 1488	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1488 wrote to memory of 1608	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1608	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1608	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1608	1488	net.exe	net1.exe
PID 1456 wrote to memory of 788	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 788	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 788	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 1456 wrote to memory of 788	1456	uncategorized_1.7.2.1.vir.exe	net.exe
PID 788 wrote to memory of 380	788	net.exe	net1.exe
PID 788 wrote to memory of 380	788	net.exe	net1.exe
PID 788 wrote to memory of 380	788	net.exe	net1.exe
PID 788 wrote to memory of 380	788	net.exe	net1.exe
PID 1456 wrote to memory of 1104	1456	uncategorized_1.7.2.1.vir.exe	aveq.exe
PID 1456 wrote to memory of 1104	1456	uncategorized_1.7.2.1.vir.exe	aveq.exe
PID 1456 wrote to memory of 1104	1456	uncategorized_1.7.2.1.vir.exe	aveq.exe
PID 1456 wrote to memory of 1104	1456	uncategorized_1.7.2.1.vir.exe	aveq.exe
PID 1104 wrote to memory of 1076	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1076	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1076	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1076	1104	aveq.exe	net.exe
PID 1076 wrote to memory of 1660	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1660	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1660	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1660	1076	net.exe	net1.exe
PID 1104 wrote to memory of 1344	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1344	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1344	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1344	1104	aveq.exe	net.exe
PID 1104 wrote to memory of 1176	1104	aveq.exe	taskhost.exe
PID 1104 wrote to memory of 1176	1104	aveq.exe	taskhost.exe
PID 1104 wrote to memory of 1176	1104	aveq.exe	taskhost.exe
PID 1104 wrote to memory of 1176	1104	aveq.exe	taskhost.exe
PID 1104 wrote to memory of 1176	1104	aveq.exe	taskhost.exe
PID 1104 wrote to memory of 1256	1104	aveq.exe	Dwm.exe
PID 1104 wrote to memory of 1256	1104	aveq.exe	Dwm.exe
PID 1104 wrote to memory of 1256	1104	aveq.exe	Dwm.exe
PID 1104 wrote to memory of 1256	1104	aveq.exe	Dwm.exe
PID 1104 wrote to memory of 1256	1104	aveq.exe	Dwm.exe
PID 1104 wrote to memory of 1320	1104	aveq.exe	Explorer.EXE
PID 1104 wrote to memory of 1320	1104	aveq.exe	Explorer.EXE
PID 1104 wrote to memory of 1320	1104	aveq.exe	Explorer.EXE
PID 1104 wrote to memory of 1320	1104	aveq.exe	Explorer.EXE
PID 1104 wrote to memory of 1320	1104	aveq.exe	Explorer.EXE
PID 1104 wrote to memory of 1456	1104	aveq.exe	uncategorized_1.7.2.1.vir.exe
PID 1104 wrote to memory of 1456	1104	aveq.exe	uncategorized_1.7.2.1.vir.exe
PID 1104 wrote to memory of 1456	1104	aveq.exe	uncategorized_1.7.2.1.vir.exe
PID 1104 wrote to memory of 1456	1104	aveq.exe	uncategorized_1.7.2.1.vir.exe
PID 1104 wrote to memory of 1456	1104	aveq.exe	uncategorized_1.7.2.1.vir.exe
PID 1344 wrote to memory of 1820	1344	net.exe	net1.exe
PID 1344 wrote to memory of 1820	1344	net.exe	net1.exe
PID 1344 wrote to memory of 1820	1344	net.exe	net1.exe
PID 1344 wrote to memory of 1820	1344	net.exe	net1.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe
PID 1456 wrote to memory of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

aveq.exe

pid process

1104 aveq.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

uncategorized_1.7.2.1.vir.exe

description pid process target process

PID 1456 set thread context of 1584 1456 uncategorized_1.7.2.1.vir.exe cmd.exe

description	pid	process	target process
PID 1456 set thread context of 1584	1456	uncategorized_1.7.2.1.vir.exe	cmd.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7ACD342E-00000001.eml:OECustomProperty	WinMail.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aveq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	aveq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5024BAAA-DA91-C00D-D931-B9D28358C325} = "C:\\Users\\Admin\\AppData\\Roaming\\Enifox\\aveq.exe"	aveq.exe

Loads dropped DLL 2 IoCs

Processes:

uncategorized_1.7.2.1.vir.exe

pid process

1456 uncategorized_1.7.2.1.vir.exe
1456 uncategorized_1.7.2.1.vir.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1772 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1772 WinMail.exe

pid	process
1456	uncategorized_1.7.2.1.vir.exe
1456	uncategorized_1.7.2.1.vir.exe

pid	process
1772	WinMail.exe

pid	process
1772	WinMail.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

uncategorized_1.7.2.1.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	uncategorized_1.7.2.1.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	uncategorized_1.7.2.1.vir.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

uncategorized_1.7.2.1.vir.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1456	uncategorized_1.7.2.1.vir.exe
Token: SeSecurityPrivilege	1456	uncategorized_1.7.2.1.vir.exe
Token: SeSecurityPrivilege	1456	uncategorized_1.7.2.1.vir.exe
Token: SeManageVolumePrivilege	1772	WinMail.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

aveq.exe

pid	process
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe
1104	aveq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1772 WinMail.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1584 cmd.exe

pid	process
1772	WinMail.exe

pid	process
1584	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1176

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.7.2.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.7.2.1.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\net.exe
net stop wscsvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
4⤵
PID:1608

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:380

C:\Users\Admin\AppData\Roaming\Enifox\aveq.exe
"C:\Users\Admin\AppData\Roaming\Enifox\aveq.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\SysWOW64\net.exe
net stop wscsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
5⤵
PID:1660

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
4⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
5⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4b4021e6.bat"
3⤵
- Deletes itself
PID:1584

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4b4021e6.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Enifox\aveq.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Enifox\aveq.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ikibbu\axyz.qeu

Download Submit
\Users\Admin\AppData\Roaming\Enifox\aveq.exe

Download Submit
\Users\Admin\AppData\Roaming\Enifox\aveq.exe

Download Submit
memory/380-3-0x0000000000000000-mapping.dmp

Download
memory/788-2-0x0000000000000000-mapping.dmp

Download
memory/1076-8-0x0000000000000000-mapping.dmp

Download
memory/1104-6-0x0000000000000000-mapping.dmp

Download
memory/1344-10-0x0000000000000000-mapping.dmp

Download
memory/1488-0-0x0000000000000000-mapping.dmp

Download
memory/1584-76-0x000000000006749F-mapping.dmp

Download
memory/1584-74-0x0000000000050000-0x0000000000078000-memory.dmp

Filesize
160KB

Download
memory/1608-1-0x0000000000000000-mapping.dmp

Download
memory/1660-9-0x0000000000000000-mapping.dmp

Download
memory/1772-35-0x0000000004CC0000-0x0000000004CC2000-memory.dmp

Filesize
8KB

Download
memory/1772-44-0x0000000003C80000-0x0000000003C82000-memory.dmp

Filesize
8KB

Download
memory/1772-23-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1772-24-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1772-25-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1772-26-0x0000000003C40000-0x0000000003C42000-memory.dmp

Filesize
8KB

Download
memory/1772-27-0x0000000003C80000-0x0000000003C82000-memory.dmp

Filesize
8KB

Download
memory/1772-28-0x0000000003D80000-0x0000000003D82000-memory.dmp

Filesize
8KB

Download
memory/1772-29-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1772-30-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1772-31-0x0000000003C80000-0x0000000003C82000-memory.dmp

Filesize
8KB

Download
memory/1772-32-0x0000000004AF0000-0x0000000004AF2000-memory.dmp

Filesize
8KB

Download
memory/1772-33-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

Filesize
8KB

Download
memory/1772-34-0x0000000004CB0000-0x0000000004CB2000-memory.dmp

Filesize
8KB

Download
memory/1772-18-0x0000000003890000-0x0000000003A90000-memory.dmp

Filesize
2.0MB

Download
memory/1772-36-0x0000000004CD0000-0x0000000004CD2000-memory.dmp

Filesize
8KB

Download
memory/1772-37-0x00000000056F0000-0x00000000056F2000-memory.dmp

Filesize
8KB

Download
memory/1772-38-0x0000000005700000-0x0000000005702000-memory.dmp

Filesize
8KB

Download
memory/1772-39-0x0000000003CC0000-0x0000000003CC2000-memory.dmp

Filesize
8KB

Download
memory/1772-40-0x0000000003B90000-0x0000000003B92000-memory.dmp

Filesize
8KB

Download
memory/1772-41-0x0000000004B00000-0x0000000004B02000-memory.dmp

Filesize
8KB

Download
memory/1772-42-0x0000000003C40000-0x0000000003C42000-memory.dmp

Filesize
8KB

Download
memory/1772-43-0x0000000003D90000-0x0000000003D92000-memory.dmp

Filesize
8KB

Download
memory/1772-19-0x0000000003990000-0x0000000003A90000-memory.dmp

Filesize
1024KB

Download
memory/1772-45-0x0000000003B50000-0x0000000003B52000-memory.dmp

Filesize
8KB

Download
memory/1772-46-0x0000000003C50000-0x0000000003C52000-memory.dmp

Filesize
8KB

Download
memory/1772-47-0x0000000003CA0000-0x0000000003CA2000-memory.dmp

Filesize
8KB

Download
memory/1772-48-0x0000000003D80000-0x0000000003D82000-memory.dmp

Filesize
8KB

Download
memory/1772-49-0x0000000005710000-0x0000000005712000-memory.dmp

Filesize
8KB

Download
memory/1772-50-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/1772-51-0x0000000004BE0000-0x0000000004BE2000-memory.dmp

Filesize
8KB

Download
memory/1772-52-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/1772-53-0x0000000004BD0000-0x0000000004BD2000-memory.dmp

Filesize
8KB

Download
memory/1772-54-0x00000000049D0000-0x00000000049D2000-memory.dmp

Filesize
8KB

Download
memory/1772-55-0x0000000004BC0000-0x0000000004BC2000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x0000000004BB0000-0x0000000004BB2000-memory.dmp

Filesize
8KB

Download
memory/1772-57-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/1772-58-0x0000000004C10000-0x0000000004C12000-memory.dmp

Filesize
8KB

Download
memory/1772-59-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

Filesize
8KB

Download
memory/1772-60-0x0000000003890000-0x0000000003990000-memory.dmp

Filesize
1024KB

Download
memory/1772-62-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/1772-68-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1772-17-0x0000000003890000-0x0000000003990000-memory.dmp

Filesize
1024KB

Download
memory/1772-15-0x0000000003890000-0x0000000003A90000-memory.dmp

Filesize
2.0MB

Download
memory/1772-13-0x0000000003890000-0x0000000003990000-memory.dmp

Filesize
1024KB

Download
memory/1820-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads