43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2

General

Target

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
Size

138KB
MD5

009cb00803d3ad2e13f7f06f2849e544
SHA1

dfdb209f947d45f9b590b23d40c66d2a7b6ad8c6
SHA256

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2
SHA512

577356d4a539bfcc867781d115470e0bef45a36dec18be5cc4f4258cd764073edc1415650111207a5f509dea3c53328c3f708357cb5bb634ab4b3334e7b3cf53

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

itow.exe

pid process

944 itow.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe

pid	process
1168	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe

pid	process
2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

itow.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\Currentversion\Run	itow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E2A545C6-6F16-2E4D-838C-A6DECC3EE491} = "C:\\Users\\Admin\\AppData\\Roaming\\Izuxys\\itow.exe"	itow.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe

description	pid	process	target process
PID 2044 set thread context of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6C836614-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

itow.exe

pid	process
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe
944	itow.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
Token: SeSecurityPrivilege	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
Token: SeSecurityPrivilege	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
Token: SeManageVolumePrivilege	1480	WinMail.exe
Token: SeSecurityPrivilege	1168	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1480 WinMail.exe

pid	process
1480	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exeitow.exe

description	pid	process	target process
PID 2044 wrote to memory of 944	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	itow.exe
PID 2044 wrote to memory of 944	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	itow.exe
PID 2044 wrote to memory of 944	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	itow.exe
PID 2044 wrote to memory of 944	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	itow.exe
PID 944 wrote to memory of 1248	944	itow.exe	taskhost.exe
PID 944 wrote to memory of 1248	944	itow.exe	taskhost.exe
PID 944 wrote to memory of 1248	944	itow.exe	taskhost.exe
PID 944 wrote to memory of 1248	944	itow.exe	taskhost.exe
PID 944 wrote to memory of 1248	944	itow.exe	taskhost.exe
PID 944 wrote to memory of 1340	944	itow.exe	Dwm.exe
PID 944 wrote to memory of 1340	944	itow.exe	Dwm.exe
PID 944 wrote to memory of 1340	944	itow.exe	Dwm.exe
PID 944 wrote to memory of 1340	944	itow.exe	Dwm.exe
PID 944 wrote to memory of 1340	944	itow.exe	Dwm.exe
PID 944 wrote to memory of 1392	944	itow.exe	Explorer.EXE
PID 944 wrote to memory of 1392	944	itow.exe	Explorer.EXE
PID 944 wrote to memory of 1392	944	itow.exe	Explorer.EXE
PID 944 wrote to memory of 1392	944	itow.exe	Explorer.EXE
PID 944 wrote to memory of 1392	944	itow.exe	Explorer.EXE
PID 944 wrote to memory of 2044	944	itow.exe	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
PID 944 wrote to memory of 2044	944	itow.exe	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
PID 944 wrote to memory of 2044	944	itow.exe	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
PID 944 wrote to memory of 2044	944	itow.exe	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
PID 944 wrote to memory of 2044	944	itow.exe	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
PID 944 wrote to memory of 1480	944	itow.exe	WinMail.exe
PID 944 wrote to memory of 1480	944	itow.exe	WinMail.exe
PID 944 wrote to memory of 1480	944	itow.exe	WinMail.exe
PID 944 wrote to memory of 1480	944	itow.exe	WinMail.exe
PID 944 wrote to memory of 1480	944	itow.exe	WinMail.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 2044 wrote to memory of 1168	2044	43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe	cmd.exe
PID 944 wrote to memory of 1796	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1796	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1796	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1796	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1796	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1604	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1604	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1604	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1604	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1604	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1544	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1544	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1544	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1544	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1544	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1156	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1156	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1156	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1156	944	itow.exe	DllHost.exe
PID 944 wrote to memory of 1156	944	itow.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe
"C:\Users\Admin\AppData\Local\Temp\43c094ba16917ed041a595400d1eb4cc25a403405627d41745afcfab5c3bf0a2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Izuxys\itow.exe
"C:\Users\Admin\AppData\Roaming\Izuxys\itow.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp23ab6524.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp23ab6524.bat
Filesize
307B

MD5
9e8ccf456972ef5e3955e4d60bc824cc

SHA1
951846dd18b5287b7085e3d0be4197ab6b2a183a

SHA256
4b782601d54f0b4271259124ca0f6062232d7a5b0d4e1ca04fa709f0d7f6be3f

SHA512
986ce7fb28889bae8e2b00b9c7fcfe7a442d6c2db1dc3d5c83b6c8b9a41ce32a701be42199e5e3b0e7ee572ee98879b51f2c9e3e73b1eaad6989c84c030745a2

Download Submit
C:\Users\Admin\AppData\Roaming\Izuxys\itow.exe
Filesize
138KB

MD5
fc3b7bf850b71e229736e7e49e1fc8de

SHA1
e3d538d4589037b07f7a6fe5f7b5f9827c3f7a9b

SHA256
fc9d85a0d3d513983db1b9de0e6d3e5ad486941256264e186fe07437a0421f24

SHA512
5ca6d20f000c68e75124e7a36a6007cebebc95bdfc899748dcfee6cb142b3fcdc8cd760d42c5ef8944f73fdfb1295211d5e3103053e8e63ba39a41571a28656d

Download Submit
C:\Users\Admin\AppData\Roaming\Izuxys\itow.exe
Filesize
138KB

MD5
fc3b7bf850b71e229736e7e49e1fc8de

SHA1
e3d538d4589037b07f7a6fe5f7b5f9827c3f7a9b

SHA256
fc9d85a0d3d513983db1b9de0e6d3e5ad486941256264e186fe07437a0421f24

SHA512
5ca6d20f000c68e75124e7a36a6007cebebc95bdfc899748dcfee6cb142b3fcdc8cd760d42c5ef8944f73fdfb1295211d5e3103053e8e63ba39a41571a28656d

Download Submit
C:\Users\Admin\AppData\Roaming\Keeqdy\peno.ima
Filesize
398B

MD5
e1c28b24cf605cedd0cd45e94a90c429

SHA1
d93b530942e5504773cafe20233b21beb4c2a80c

SHA256
026a275b0a007dc94dbaaaea0da48e56d698e517b07f4218c524af795b6f0dba

SHA512
a460b8666eb81964fecd1116b15a005a2e37546bc24b89b379a77ea018c45bd0ee593f539ed91e312ab382a97b4b3c2607276bfc58bd818ea320929c52ac705a

Download Submit
\Users\Admin\AppData\Roaming\Izuxys\itow.exe
Filesize
138KB

MD5
fc3b7bf850b71e229736e7e49e1fc8de

SHA1
e3d538d4589037b07f7a6fe5f7b5f9827c3f7a9b

SHA256
fc9d85a0d3d513983db1b9de0e6d3e5ad486941256264e186fe07437a0421f24

SHA512
5ca6d20f000c68e75124e7a36a6007cebebc95bdfc899748dcfee6cb142b3fcdc8cd760d42c5ef8944f73fdfb1295211d5e3103053e8e63ba39a41571a28656d

Download Submit
\Users\Admin\AppData\Roaming\Izuxys\itow.exe
Filesize
138KB

MD5
fc3b7bf850b71e229736e7e49e1fc8de

SHA1
e3d538d4589037b07f7a6fe5f7b5f9827c3f7a9b

SHA256
fc9d85a0d3d513983db1b9de0e6d3e5ad486941256264e186fe07437a0421f24

SHA512
5ca6d20f000c68e75124e7a36a6007cebebc95bdfc899748dcfee6cb142b3fcdc8cd760d42c5ef8944f73fdfb1295211d5e3103053e8e63ba39a41571a28656d

Download Submit
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/1168-116-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1168-114-0x0000000000166A07-mapping.dmp

Download
memory/1168-113-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1168-112-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1168-111-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1168-109-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/1248-64-0x0000000001EF0000-0x0000000001F17000-memory.dmp

Filesize
156KB

Download
memory/1248-65-0x0000000001EF0000-0x0000000001F17000-memory.dmp

Filesize
156KB

Download
memory/1248-66-0x0000000001EF0000-0x0000000001F17000-memory.dmp

Filesize
156KB

Download
memory/1248-63-0x0000000001EF0000-0x0000000001F17000-memory.dmp

Filesize
156KB

Download
memory/1248-61-0x0000000001EF0000-0x0000000001F17000-memory.dmp

Filesize
156KB

Download
memory/1340-69-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1340-70-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1340-71-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1340-72-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1392-78-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1392-75-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1392-76-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1392-77-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1480-87-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/1480-85-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1480-102-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1480-105-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1480-104-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1480-103-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1480-93-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1480-86-0x000007FEFAD21000-0x000007FEFAD23000-memory.dmp

Filesize
8KB

Download
memory/1604-126-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1604-127-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1796-120-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1796-121-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1796-122-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1796-123-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/2044-81-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2044-99-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2044-84-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2044-83-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2044-82-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads