98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8

Analysis

max time kernel
77s
max time network
76s
platform
windows7_x64
resource
win7v20201028
submitted
28-03-2021 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
Size

140KB
MD5

ac98d2d71f3a4998abe80dd6e0695fba
SHA1

76b5d3fd16c3e761022ebd7f3f5fc34f022fcc04
SHA256

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8
SHA512

190893c1511573db160bcfae275ac4b7ac43b6a1cb67f348e1043a98698241c96b44bfd65ebef1a18b80e8955118ae71e4384bf061781984427cee6251bafff7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

duku.exe

pid process

1152 duku.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1852 cmd.exe

pid	process
1152	duku.exe

pid	process
1852	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe

pid	process
776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe

description pid process target process

PID 776 set thread context of 1852 776 98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe cmd.exe

description	pid	process	target process
PID 776 set thread context of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3C5B7C16-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

duku.exe

pid process

1152 duku.exe
1152 duku.exe
1152 duku.exe

pid	process
1152	duku.exe
1152	duku.exe
1152	duku.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exeWinMail.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
Token: SeSecurityPrivilege	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
Token: SeSecurityPrivilege	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
Token: SeManageVolumePrivilege	1496	WinMail.exe
Token: SeSecurityPrivilege	1852	cmd.exe
Token: SeManageVolumePrivilege	1716	WinMail.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1496 WinMail.exe
1716 WinMail.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1496 WinMail.exe
1716 WinMail.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1496 WinMail.exe
1716 WinMail.exe

pid	process
1496	WinMail.exe
1716	WinMail.exe

pid	process
1496	WinMail.exe
1716	WinMail.exe

pid	process
1496	WinMail.exe
1716	WinMail.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exeduku.exe

description	pid	process	target process
PID 776 wrote to memory of 1152	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	duku.exe
PID 776 wrote to memory of 1152	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	duku.exe
PID 776 wrote to memory of 1152	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	duku.exe
PID 776 wrote to memory of 1152	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	duku.exe
PID 1152 wrote to memory of 1116	1152	duku.exe	taskhost.exe
PID 1152 wrote to memory of 1116	1152	duku.exe	taskhost.exe
PID 1152 wrote to memory of 1116	1152	duku.exe	taskhost.exe
PID 1152 wrote to memory of 1116	1152	duku.exe	taskhost.exe
PID 1152 wrote to memory of 1116	1152	duku.exe	taskhost.exe
PID 1152 wrote to memory of 1180	1152	duku.exe	Dwm.exe
PID 1152 wrote to memory of 1180	1152	duku.exe	Dwm.exe
PID 1152 wrote to memory of 1180	1152	duku.exe	Dwm.exe
PID 1152 wrote to memory of 1180	1152	duku.exe	Dwm.exe
PID 1152 wrote to memory of 1180	1152	duku.exe	Dwm.exe
PID 1152 wrote to memory of 776	1152	duku.exe	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
PID 1152 wrote to memory of 776	1152	duku.exe	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
PID 1152 wrote to memory of 776	1152	duku.exe	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
PID 1152 wrote to memory of 776	1152	duku.exe	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
PID 1152 wrote to memory of 776	1152	duku.exe	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
PID 1152 wrote to memory of 1496	1152	duku.exe	WinMail.exe
PID 1152 wrote to memory of 1496	1152	duku.exe	WinMail.exe
PID 1152 wrote to memory of 1496	1152	duku.exe	WinMail.exe
PID 1152 wrote to memory of 1496	1152	duku.exe	WinMail.exe
PID 1152 wrote to memory of 1496	1152	duku.exe	WinMail.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe
PID 776 wrote to memory of 1852	776	98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe
"C:\Users\Admin\AppData\Local\Temp\98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\Gebo\duku.exe
"C:\Users\Admin\AppData\Roaming\Gebo\duku.exe" (null)
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc1490e73.bat"
2⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2cc71ffa8f1b0a5e07956bf138320cec

SHA1
895f13fffad1e63b5e773b7989eb05a9c0844816

SHA256
75d4cd8553e926d4f944f4be5219b001b672cc8cad2e9d0b94a1228663452478

SHA512
5b198662321b0ef2c0a96594160682bc695d490f325b5af8fb5ede1de63877e9a17093e1407b706654bdd0230662913215bd72261596504986af97e730e9c505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
MD5
7e1d5e0e0b8bc4cf4ef27fe643f9f1f1

SHA1
776760254607f68c37db3964dc24feb449fe45fc

SHA256
ab772ed906f5c77f8a54a430ea1bc1843b89bb1bd36c1f1cbbb1bc058051ed7b

SHA512
78a7b676fbe9364037c9445ce28265b5f097dc2baee5857e77a720684dedf74b03325a05ff56fa41004e468755d61ab4d86107b793c2af74d0c007d9b1241ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
MD5
f0e00dbb0ee623d824e294b80ce25cb3

SHA1
4e8c88ba1c996b83fa7d7d7f69a9f261a421b1d4

SHA256
770a526a91e31cadf753b4348b28ea37dcc52d237d9cab40103856937db213ae

SHA512
26251a00ec36ea36ffc723f3ed4f95b2d67d4106b71c849a4a60e2c77bbf18d14a61d6169c46d75befd39787c7d4b28af7c1116e7cc5346f934691cc7f5a9bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk
MD5
ea0dd0bbaf320bb3fbf54a0b57e4dab8

SHA1
cbae64084885a4cb11194d3ef7fb837dbb0a3f21

SHA256
3ecc271bc2cf0c6cbd1c709821ad4da23733d19eb6c67fabc756e2ac9e4742d6

SHA512
008a200fd5579a28e7b65298a5ab3b85d0fe9ef0106567af2e35bb3bdd7b0c14ebb7c4c36ac2d1e77fdd5b2a1314db5633357210c971f7fe1c7eb984b70f0254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
MD5
120cf68816eb0dfb1c2bd69b8e27a9b9

SHA1
da800f2391a89b68e247172ac6afd4dd6ba75a28

SHA256
287cba19c46c32f72c11ffa78dc62fcef468a179d20085e8dc28a303f93c29db

SHA512
076ea3cfdaa1ded6666f14bc3e1f2ae09a75eb0d61bdc91d48b605e5920f346097b1a9fc3e23fa7c19cc37926cfc79885d59f226ab6922e4a39d2759462aa094

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpc1490e73.bat
MD5
3540279f58b9962538dff8961188412d

SHA1
108e0117b1409bc34f687e2a35e2dd18e6e9bbf3

SHA256
794b21ab63e4a85288ad993446c2592e8cca66f2d3441e203a371d8d28dcc6ef

SHA512
5b77d76aa95264e602d2272a9bcbd4ebd723e7189a1fcec19a599db639a931ce11acbdc3c77b545ab10de8ca26a3ac5469ebbae2755079c6ae3739bc0efabeb3

Download Submit
C:\Users\Admin\AppData\Roaming\Gebo\duku.exe
MD5
a52e55872f6c406c7cd6f2d27c94d9fe

SHA1
a13dc513fb9d4c5a44fd5f8b4402fb51c78f0e92

SHA256
401ffc238fad698bdbbd060e96fec25ee49b026dab509ca882164e7255de8323

SHA512
77b4257b6337fa458a3c5d9eb14a48aa91e13fd89e9c61066808a13db61a185ebd2fc5ea3b5879872759e1b5337caa63dcf7dda6bc21a66ae2b1ecdd1daffd90

Download Submit
C:\Users\Admin\AppData\Roaming\Gebo\duku.exe
MD5
a52e55872f6c406c7cd6f2d27c94d9fe

SHA1
a13dc513fb9d4c5a44fd5f8b4402fb51c78f0e92

SHA256
401ffc238fad698bdbbd060e96fec25ee49b026dab509ca882164e7255de8323

SHA512
77b4257b6337fa458a3c5d9eb14a48aa91e13fd89e9c61066808a13db61a185ebd2fc5ea3b5879872759e1b5337caa63dcf7dda6bc21a66ae2b1ecdd1daffd90

Download Submit
C:\Users\Admin\AppData\Roaming\Hireb\miuq.bio
MD5
2277cb214dadd1a19988d7cc0e1e7a39

SHA1
cbb77d9b105225d434d893166e6d191a7b464f7e

SHA256
4cec5492d9d796177e54660aabff03468d179c82fdea7156a722b6ae414f04d4

SHA512
ef67fd19136c455910c83a2bec8eb3432d49f39d240915fc2dcf149566bd18ea471acadeee0e29c194191c29d61d10a1629c3d79d7814c071c6ac4bfa549ce0a

Download Submit
C:\Users\Admin\AppData\Roaming\Hireb\vily.tii
MD5
ed3d1d7d81f5046d7a3099755ecd6598

SHA1
1bff1757529fc950dc903dd2b6d1a10f595e6514

SHA256
eb5d2f1edb22ad7ecccfae67444c56de66ee3c6fbed9a268e9cc24409fc3a0d7

SHA512
c693d8af40e96871a85d53a4aea470bc50c70e80a42dce420c3930bcdfbb7494bdbd5f1577fad01f403479b60d65a85635a6cfef4fba2a17ea67f0442c58e270

Download Submit
\Users\Admin\AppData\Roaming\Gebo\duku.exe
MD5
a52e55872f6c406c7cd6f2d27c94d9fe

SHA1
a13dc513fb9d4c5a44fd5f8b4402fb51c78f0e92

SHA256
401ffc238fad698bdbbd060e96fec25ee49b026dab509ca882164e7255de8323

SHA512
77b4257b6337fa458a3c5d9eb14a48aa91e13fd89e9c61066808a13db61a185ebd2fc5ea3b5879872759e1b5337caa63dcf7dda6bc21a66ae2b1ecdd1daffd90

Download Submit
\Users\Admin\AppData\Roaming\Gebo\duku.exe
MD5
a52e55872f6c406c7cd6f2d27c94d9fe

SHA1
a13dc513fb9d4c5a44fd5f8b4402fb51c78f0e92

SHA256
401ffc238fad698bdbbd060e96fec25ee49b026dab509ca882164e7255de8323

SHA512
77b4257b6337fa458a3c5d9eb14a48aa91e13fd89e9c61066808a13db61a185ebd2fc5ea3b5879872759e1b5337caa63dcf7dda6bc21a66ae2b1ecdd1daffd90

Download Submit
memory/776-10-0x0000000073C80000-0x0000000073E23000-memory.dmp

Filesize
1.6MB

Download
memory/776-2-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/776-9-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/776-15-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x0000000000000000-mapping.dmp

Download
memory/1496-12-0x000007FEF63C1000-0x000007FEF63C3000-memory.dmp

Filesize
8KB

Download
memory/1496-20-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/1496-21-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1496-22-0x00000000039C0000-0x0000000003AC0000-memory.dmp

Filesize
1024KB

Download
memory/1496-25-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1496-33-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/1496-35-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/1496-41-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/1496-11-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1496-13-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1496-18-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1496-16-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/1716-63-0x0000000003760000-0x0000000003960000-memory.dmp

Filesize
2.0MB

Download
memory/1716-58-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1716-59-0x0000000003760000-0x0000000003960000-memory.dmp

Filesize
2.0MB

Download
memory/1716-60-0x0000000003860000-0x0000000003960000-memory.dmp

Filesize
1024KB

Download
memory/1716-48-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1716-67-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1852-28-0x0000000000055B20-mapping.dmp

Download
memory/1852-51-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1852-31-0x00000000739F0000-0x0000000073B93000-memory.dmp

Filesize
1.6MB

Download
memory/1852-26-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download