9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe
Size

303KB
MD5

350b3d01b32a7a59549c3c238147ef46
SHA1

6fd1f251697bf235173161de440fd0fdd09cac57
SHA256

9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243
SHA512

7051135d89fa6e60d49450b568c93e0d842516ff05700ad8e4c46584eba2f68c9213f74bd71937e0edbf7180072eef8aa5e61d9dee3b71085f9af033ff6d4fac
SSDEEP

6144:ljFbxMdwB442mNFzpKbkYAstrnem80uZe:lt/lpz+TB8Re

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1728	xiehv.exe

Deletes itself 1 IoCs

pid	Process
696	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	xiehv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Yzqou\\xiehv.exe"	xiehv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe
1728	xiehv.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe
1728	xiehv.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1728	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	28
PID 1132 wrote to memory of 1728	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	28
PID 1132 wrote to memory of 1728	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	28
PID 1132 wrote to memory of 1728	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	28
PID 1728 wrote to memory of 1116	1728	xiehv.exe	21
PID 1728 wrote to memory of 1116	1728	xiehv.exe	21
PID 1728 wrote to memory of 1116	1728	xiehv.exe	21
PID 1728 wrote to memory of 1116	1728	xiehv.exe	21
PID 1728 wrote to memory of 1116	1728	xiehv.exe	21
PID 1728 wrote to memory of 1176	1728	xiehv.exe	20
PID 1728 wrote to memory of 1176	1728	xiehv.exe	20
PID 1728 wrote to memory of 1176	1728	xiehv.exe	20
PID 1728 wrote to memory of 1176	1728	xiehv.exe	20
PID 1728 wrote to memory of 1176	1728	xiehv.exe	20
PID 1728 wrote to memory of 1216	1728	xiehv.exe	13
PID 1728 wrote to memory of 1216	1728	xiehv.exe	13
PID 1728 wrote to memory of 1216	1728	xiehv.exe	13
PID 1728 wrote to memory of 1216	1728	xiehv.exe	13
PID 1728 wrote to memory of 1216	1728	xiehv.exe	13
PID 1728 wrote to memory of 1132	1728	xiehv.exe	27
PID 1728 wrote to memory of 1132	1728	xiehv.exe	27
PID 1728 wrote to memory of 1132	1728	xiehv.exe	27
PID 1728 wrote to memory of 1132	1728	xiehv.exe	27
PID 1728 wrote to memory of 1132	1728	xiehv.exe	27
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29
PID 1132 wrote to memory of 696	1132	9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe
  "C:\Users\Admin\AppData\Local\Temp\9d6fe6d45536ea310c293686c9af3944ff6cfdc92655b1f8a581c995245d8243.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Roaming\Yzqou\xiehv.exe
    "C:\Users\Admin\AppData\Roaming\Yzqou\xiehv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbea62cbf.bat"
    3⤵
    - Deletes itself
    PID:696

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbea62cbf.bat

Filesize
307B

MD5
b11ba999f410aa0dc2607796006346c1

SHA1
dfe35f721221788b1f690c29f8915d97b397cb8b

SHA256
85f6ff94635a5dc54f08a8201bb4f721b5fe68c8e534c73bcef25bc916378851

SHA512
09c58e47a49de799d4aac1470c3db45457d79570def919425fda2a9a20ea715a217060fc7418edda7b2d5bbf889fae7e230279e8d22997b4c3812f868da270f7

Download Submit
C:\Users\Admin\AppData\Roaming\Yzqou\xiehv.exe

Filesize
303KB

MD5
dca0c059061d95d1bcfc71100d3b35e2

SHA1
2ad6a1c611bd28b08e1f4a68933dc2557a60d67c

SHA256
6c9c90057fdfc01b2bf257ce8763bd380f9abee362f8f60b51e309bfab4a4e2e

SHA512
c10eab3ad1a38da30ba02e3ac12fe16ef87e87000a92a551cb5dba74404125f06e5fa1935a525b21111253341e8892abe708b0e708b5039e1fb9f46bb4680a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Yzqou\xiehv.exe

Filesize
303KB

MD5
dca0c059061d95d1bcfc71100d3b35e2

SHA1
2ad6a1c611bd28b08e1f4a68933dc2557a60d67c

SHA256
6c9c90057fdfc01b2bf257ce8763bd380f9abee362f8f60b51e309bfab4a4e2e

SHA512
c10eab3ad1a38da30ba02e3ac12fe16ef87e87000a92a551cb5dba74404125f06e5fa1935a525b21111253341e8892abe708b0e708b5039e1fb9f46bb4680a1a

Download Submit
\Users\Admin\AppData\Roaming\Yzqou\xiehv.exe

Filesize
303KB

MD5
dca0c059061d95d1bcfc71100d3b35e2

SHA1
2ad6a1c611bd28b08e1f4a68933dc2557a60d67c

SHA256
6c9c90057fdfc01b2bf257ce8763bd380f9abee362f8f60b51e309bfab4a4e2e

SHA512
c10eab3ad1a38da30ba02e3ac12fe16ef87e87000a92a551cb5dba74404125f06e5fa1935a525b21111253341e8892abe708b0e708b5039e1fb9f46bb4680a1a

Download Submit
memory/696-98-0x00000000000A0000-0x00000000000E3000-memory.dmp

Filesize
268KB

Download
memory/696-99-0x00000000000A0000-0x00000000000E3000-memory.dmp

Filesize
268KB

Download
memory/696-95-0x00000000000A0000-0x00000000000E3000-memory.dmp

Filesize
268KB

Download
memory/696-106-0x00000000000A0000-0x00000000000E3000-memory.dmp

Filesize
268KB

Download
memory/696-97-0x00000000000A0000-0x00000000000E3000-memory.dmp

Filesize
268KB

Download
memory/1116-64-0x0000000001CD0000-0x0000000001D13000-memory.dmp

Filesize
268KB

Download
memory/1116-66-0x0000000001CD0000-0x0000000001D13000-memory.dmp

Filesize
268KB

Download
memory/1116-67-0x0000000001CD0000-0x0000000001D13000-memory.dmp

Filesize
268KB

Download
memory/1116-68-0x0000000001CD0000-0x0000000001D13000-memory.dmp

Filesize
268KB

Download
memory/1116-69-0x0000000001CD0000-0x0000000001D13000-memory.dmp

Filesize
268KB

Download
memory/1132-92-0x0000000001DD0000-0x0000000001E1E000-memory.dmp

Filesize
312KB

Download
memory/1132-58-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-55-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1132-56-0x00000000004C0000-0x000000000050E000-memory.dmp

Filesize
312KB

Download
memory/1132-103-0x0000000001DD0000-0x0000000001E13000-memory.dmp

Filesize
268KB

Download
memory/1132-102-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-101-0x00000000004C0000-0x000000000050E000-memory.dmp

Filesize
312KB

Download
memory/1132-84-0x0000000001DD0000-0x0000000001E13000-memory.dmp

Filesize
268KB

Download
memory/1132-85-0x0000000001DD0000-0x0000000001E13000-memory.dmp

Filesize
268KB

Download
memory/1132-86-0x0000000001DD0000-0x0000000001E13000-memory.dmp

Filesize
268KB

Download
memory/1132-87-0x0000000001DD0000-0x0000000001E13000-memory.dmp

Filesize
268KB

Download
memory/1132-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1176-72-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1176-74-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1176-75-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1216-81-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1216-80-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1216-79-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1216-78-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1728-91-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1728-90-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1728-89-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download