bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525

Analysis

max time kernel
152s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe
Size

127KB
MD5

c44e5004816f80cee5e6e71bac7c63b6
SHA1

a7ca5e713c635e4dff4998d43d4d61c3c4891449
SHA256

bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525
SHA512

86c826fe55f7a542e3bc88eba73aff453167edd96ee5418dfae0758e2e96e16e3b8e56fd09aa55c69851a8dffde74c4c50c16355af34a470973bc247781ef75f
SSDEEP

3072:7f7Zf6dOG+VLg7w+BH31GcNdUYK6vvMAVW:Hl6dYx+BFGcn/sAA

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	yzfyw.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122e5-58.dat	upx
behavioral1/files/0x000a0000000122e5-60.dat	upx
behavioral1/files/0x000a0000000122e5-62.dat	upx

Deletes itself 1 IoCs

pid	Process
552	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7AA8550B-BAAE-56C6-2FE4-53924BD62553} = "C:\\Users\\Admin\\AppData\\Roaming\\Quum\\yzfyw.exe"	yzfyw.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	yzfyw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe
1776	yzfyw.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe
Token: SeSecurityPrivilege	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe
Token: SeSecurityPrivilege	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1776	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	28
PID 1788 wrote to memory of 1776	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	28
PID 1788 wrote to memory of 1776	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	28
PID 1788 wrote to memory of 1776	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	28
PID 1776 wrote to memory of 1124	1776	yzfyw.exe	17
PID 1776 wrote to memory of 1124	1776	yzfyw.exe	17
PID 1776 wrote to memory of 1124	1776	yzfyw.exe	17
PID 1776 wrote to memory of 1124	1776	yzfyw.exe	17
PID 1776 wrote to memory of 1124	1776	yzfyw.exe	17
PID 1776 wrote to memory of 1192	1776	yzfyw.exe	16
PID 1776 wrote to memory of 1192	1776	yzfyw.exe	16
PID 1776 wrote to memory of 1192	1776	yzfyw.exe	16
PID 1776 wrote to memory of 1192	1776	yzfyw.exe	16
PID 1776 wrote to memory of 1192	1776	yzfyw.exe	16
PID 1776 wrote to memory of 1236	1776	yzfyw.exe	15
PID 1776 wrote to memory of 1236	1776	yzfyw.exe	15
PID 1776 wrote to memory of 1236	1776	yzfyw.exe	15
PID 1776 wrote to memory of 1236	1776	yzfyw.exe	15
PID 1776 wrote to memory of 1236	1776	yzfyw.exe	15
PID 1776 wrote to memory of 1788	1776	yzfyw.exe	13
PID 1776 wrote to memory of 1788	1776	yzfyw.exe	13
PID 1776 wrote to memory of 1788	1776	yzfyw.exe	13
PID 1776 wrote to memory of 1788	1776	yzfyw.exe	13
PID 1776 wrote to memory of 1788	1776	yzfyw.exe	13
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1788 wrote to memory of 552	1788	bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe	29
PID 1776 wrote to memory of 1368	1776	yzfyw.exe	31
PID 1776 wrote to memory of 1368	1776	yzfyw.exe	31
PID 1776 wrote to memory of 1368	1776	yzfyw.exe	31
PID 1776 wrote to memory of 1368	1776	yzfyw.exe	31
PID 1776 wrote to memory of 1368	1776	yzfyw.exe	31
PID 1776 wrote to memory of 1016	1776	yzfyw.exe	32
PID 1776 wrote to memory of 1016	1776	yzfyw.exe	32
PID 1776 wrote to memory of 1016	1776	yzfyw.exe	32
PID 1776 wrote to memory of 1016	1776	yzfyw.exe	32
PID 1776 wrote to memory of 1016	1776	yzfyw.exe	32
PID 1776 wrote to memory of 1640	1776	yzfyw.exe	33
PID 1776 wrote to memory of 1640	1776	yzfyw.exe	33
PID 1776 wrote to memory of 1640	1776	yzfyw.exe	33
PID 1776 wrote to memory of 1640	1776	yzfyw.exe	33
PID 1776 wrote to memory of 1640	1776	yzfyw.exe	33

C:\Users\Admin\AppData\Local\Temp\bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe
"C:\Users\Admin\AppData\Local\Temp\bdabe2bdb1fd5ffcf8d99f12d67bf97748d4c91dd9a43656c17984f392088525.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Roaming\Quum\yzfyw.exe
  "C:\Users\Admin\AppData\Roaming\Quum\yzfyw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpab59fa3f.bat"
  2⤵
  - Deletes itself
  PID:552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpab59fa3f.bat

Filesize
307B

MD5
4ea33bb886d9da9739807eccf257ab95

SHA1
aeaf1b51ca6b9dc5854693ad087a87a77e46d036

SHA256
e337208743092fc12b840be8ee8581e054edefd4a5b6b58ad6d68878b64f5b9f

SHA512
5fb1e71fde959f94063514bb99a53a35871d2a76d87fc27b5a39fb7646a3f25ef1e9ae593375c759a8b47057385ff443957ab5a0dad3d37daa6583da9c1f60cf

Download Submit
C:\Users\Admin\AppData\Roaming\Miylyq\ynleu.fye

Filesize
398B

MD5
474063b62065b5fb056e303ee2420f05

SHA1
44b657ecbf4b9f8fc34f92dde3173e4280e24db1

SHA256
546342c40e0b84f2ddb8b6575f8f5cea57ecdd891fccd89bea78558057048ba6

SHA512
abca7c10850d8361aebe62c29ff300e21c10b8dace8349bf7dea07d6aad9fbecc6d364a9053b4d665c8013544721e650f0f5df1e17891f929bdca575fe6bf48e

Download Submit
C:\Users\Admin\AppData\Roaming\Quum\yzfyw.exe

Filesize
127KB

MD5
804b79b812b33dd0a3fcbd4b6b6cf036

SHA1
ca88853cbaf32143be4ab7a5e3c004a9d045eca1

SHA256
c491d8b54c7dd611b4fcfbe928515fc2de93433c31d9a36e425a086c3a2ee9ec

SHA512
944cbfe1dc825fdede3402afd64728c17962e471f8eef186411dceb0555ff108b5e3938ef6eb7c7164fdcabc4f2d3a9237801e5afe26f6a02758f45cc91e5339

Download Submit
C:\Users\Admin\AppData\Roaming\Quum\yzfyw.exe

Filesize
127KB

MD5
804b79b812b33dd0a3fcbd4b6b6cf036

SHA1
ca88853cbaf32143be4ab7a5e3c004a9d045eca1

SHA256
c491d8b54c7dd611b4fcfbe928515fc2de93433c31d9a36e425a086c3a2ee9ec

SHA512
944cbfe1dc825fdede3402afd64728c17962e471f8eef186411dceb0555ff108b5e3938ef6eb7c7164fdcabc4f2d3a9237801e5afe26f6a02758f45cc91e5339

Download Submit
\Users\Admin\AppData\Roaming\Quum\yzfyw.exe

Filesize
127KB

MD5
804b79b812b33dd0a3fcbd4b6b6cf036

SHA1
ca88853cbaf32143be4ab7a5e3c004a9d045eca1

SHA256
c491d8b54c7dd611b4fcfbe928515fc2de93433c31d9a36e425a086c3a2ee9ec

SHA512
944cbfe1dc825fdede3402afd64728c17962e471f8eef186411dceb0555ff108b5e3938ef6eb7c7164fdcabc4f2d3a9237801e5afe26f6a02758f45cc91e5339

Download Submit
memory/552-93-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/552-103-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/552-96-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/552-97-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/552-95-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1016-114-0x0000000003A50000-0x0000000003A6E000-memory.dmp

Filesize
120KB

Download
memory/1016-113-0x0000000003A50000-0x0000000003A6E000-memory.dmp

Filesize
120KB

Download
memory/1016-115-0x0000000003A50000-0x0000000003A6E000-memory.dmp

Filesize
120KB

Download
memory/1016-116-0x0000000003A50000-0x0000000003A6E000-memory.dmp

Filesize
120KB

Download
memory/1124-68-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1124-63-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1124-67-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1124-66-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1124-65-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1192-74-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1192-73-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1192-72-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1192-71-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1236-80-0x0000000002A70000-0x0000000002A8E000-memory.dmp

Filesize
120KB

Download
memory/1236-79-0x0000000002A70000-0x0000000002A8E000-memory.dmp

Filesize
120KB

Download
memory/1236-78-0x0000000002A70000-0x0000000002A8E000-memory.dmp

Filesize
120KB

Download
memory/1236-77-0x0000000002A70000-0x0000000002A8E000-memory.dmp

Filesize
120KB

Download
memory/1368-107-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1368-108-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1368-110-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1368-109-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1640-121-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/1640-119-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/1640-122-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/1640-120-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/1776-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1776-89-0x00000000001D0000-0x00000000001E8000-memory.dmp

Filesize
96KB

Download
memory/1776-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1788-86-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1788-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1788-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1788-90-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1788-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1788-56-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/1788-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1788-87-0x0000000000360000-0x00000000003AC000-memory.dmp

Filesize
304KB

Download
memory/1788-85-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1788-84-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1788-83-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download