20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Size

396KB
MD5

94e4e93965d8c6b1ef2792fef9398970
SHA1

96118a24c0296e26907defdb12f9c0a79e281081
SHA256

20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8
SHA512

ffa161cfbc123bb75214e578b5e49b23c1bb575c074cecf89b9183b12bc01993a94a4ad7eb6a749ad581ba7c4926c1f43995422641ba24e946aff7401ec76dce
SSDEEP

6144:r+Q4Ad6etwhtuxrhvo41zLwYci2v3p9sOv5DvPSXAc2M3K/m:zsetwht2amzkYZ215jPSQT80

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	obcie.exe

Loads dropped DLL 2 IoCs

pid	Process
1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	obcie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yshucai = "C:\\Users\\Admin\\AppData\\Roaming\\Yqmy\\obcie.exe"	obcie.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\19B76396-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe
1716	obcie.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeSecurityPrivilege	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
Token: SeManageVolumePrivilege	1680	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1716	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	27
PID 1444 wrote to memory of 1716	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	27
PID 1444 wrote to memory of 1716	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	27
PID 1444 wrote to memory of 1716	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	27
PID 1716 wrote to memory of 1200	1716	obcie.exe	18
PID 1716 wrote to memory of 1200	1716	obcie.exe	18
PID 1716 wrote to memory of 1200	1716	obcie.exe	18
PID 1716 wrote to memory of 1200	1716	obcie.exe	18
PID 1716 wrote to memory of 1200	1716	obcie.exe	18
PID 1716 wrote to memory of 1304	1716	obcie.exe	17
PID 1716 wrote to memory of 1304	1716	obcie.exe	17
PID 1716 wrote to memory of 1304	1716	obcie.exe	17
PID 1716 wrote to memory of 1304	1716	obcie.exe	17
PID 1716 wrote to memory of 1304	1716	obcie.exe	17
PID 1716 wrote to memory of 1344	1716	obcie.exe	16
PID 1716 wrote to memory of 1344	1716	obcie.exe	16
PID 1716 wrote to memory of 1344	1716	obcie.exe	16
PID 1716 wrote to memory of 1344	1716	obcie.exe	16
PID 1716 wrote to memory of 1344	1716	obcie.exe	16
PID 1716 wrote to memory of 1444	1716	obcie.exe	26
PID 1716 wrote to memory of 1444	1716	obcie.exe	26
PID 1716 wrote to memory of 1444	1716	obcie.exe	26
PID 1716 wrote to memory of 1444	1716	obcie.exe	26
PID 1716 wrote to memory of 1444	1716	obcie.exe	26
PID 1716 wrote to memory of 1680	1716	obcie.exe	28
PID 1716 wrote to memory of 1680	1716	obcie.exe	28
PID 1716 wrote to memory of 1680	1716	obcie.exe	28
PID 1716 wrote to memory of 1680	1716	obcie.exe	28
PID 1716 wrote to memory of 1680	1716	obcie.exe	28
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1444 wrote to memory of 1108	1444	20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe	29
PID 1716 wrote to memory of 1076	1716	obcie.exe	30
PID 1716 wrote to memory of 1076	1716	obcie.exe	30
PID 1716 wrote to memory of 1076	1716	obcie.exe	30
PID 1716 wrote to memory of 1076	1716	obcie.exe	30
PID 1716 wrote to memory of 1076	1716	obcie.exe	30
PID 1716 wrote to memory of 1244	1716	obcie.exe	31
PID 1716 wrote to memory of 1244	1716	obcie.exe	31
PID 1716 wrote to memory of 1244	1716	obcie.exe	31
PID 1716 wrote to memory of 1244	1716	obcie.exe	31
PID 1716 wrote to memory of 1244	1716	obcie.exe	31
PID 1716 wrote to memory of 756	1716	obcie.exe	32
PID 1716 wrote to memory of 756	1716	obcie.exe	32
PID 1716 wrote to memory of 756	1716	obcie.exe	32
PID 1716 wrote to memory of 756	1716	obcie.exe	32
PID 1716 wrote to memory of 756	1716	obcie.exe	32
PID 1716 wrote to memory of 432	1716	obcie.exe	33
PID 1716 wrote to memory of 432	1716	obcie.exe	33
PID 1716 wrote to memory of 432	1716	obcie.exe	33
PID 1716 wrote to memory of 432	1716	obcie.exe	33
PID 1716 wrote to memory of 432	1716	obcie.exe	33
PID 1716 wrote to memory of 1436	1716	obcie.exe	34
PID 1716 wrote to memory of 1436	1716	obcie.exe	34
PID 1716 wrote to memory of 1436	1716	obcie.exe	34
PID 1716 wrote to memory of 1436	1716	obcie.exe	34
PID 1716 wrote to memory of 1436	1716	obcie.exe	34
PID 1716 wrote to memory of 1896	1716	obcie.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe
  "C:\Users\Admin\AppData\Local\Temp\20a8e4c7797a6dfecd28745ad020d185e8ede2d3fa7c088a4e9c90a92284cfc8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Roaming\Yqmy\obcie.exe
    "C:\Users\Admin\AppData\Roaming\Yqmy\obcie.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c2d86ac.bat"
    3⤵
    PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1031427006550025909-17646921081766979220-1346429501693761590305911455-1123108671"
1⤵
PID:1076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ymvu\yqar.ypo

Filesize
4KB

MD5
f01566363a676e00a433dc7679bdc280

SHA1
a9c91de1a5a91f725a74be60b5d8578dcc0b1a56

SHA256
9a9043b3a0472459ed249f6faa933fc19a04a313963a5f37463810d7db2dc48e

SHA512
2918c100f254e57f71e068dc8fe507762b3dc20f41b3f4bea2a28c72df1c979efc61a736490d1c09291f593caafdbf1742b8f62ea10f905fad0531468c4864b2

Download Submit
C:\Users\Admin\AppData\Roaming\Yqmy\obcie.exe

Filesize
396KB

MD5
0adea3047a98b6ad20a3dbfe8f8c50fd

SHA1
4d1f821e7470cdf37c9b28f7655064707d9fdaac

SHA256
4844418308223480212d8136736f657a0c8db4c1ae8e5249c4ae6be36148b75c

SHA512
598a12666e96dce23a8a12af96a24e0059c9ed6492c2c861f1d7c407af4ac2bf943159afd7a9d7a2fe64c410b1dbf3ccf08ef83b7976b20c602a1e12792f7569

Download Submit
C:\Users\Admin\AppData\Roaming\Yqmy\obcie.exe

Filesize
396KB

MD5
0adea3047a98b6ad20a3dbfe8f8c50fd

SHA1
4d1f821e7470cdf37c9b28f7655064707d9fdaac

SHA256
4844418308223480212d8136736f657a0c8db4c1ae8e5249c4ae6be36148b75c

SHA512
598a12666e96dce23a8a12af96a24e0059c9ed6492c2c861f1d7c407af4ac2bf943159afd7a9d7a2fe64c410b1dbf3ccf08ef83b7976b20c602a1e12792f7569

Download Submit
\Users\Admin\AppData\Roaming\Yqmy\obcie.exe

Filesize
396KB

MD5
0adea3047a98b6ad20a3dbfe8f8c50fd

SHA1
4d1f821e7470cdf37c9b28f7655064707d9fdaac

SHA256
4844418308223480212d8136736f657a0c8db4c1ae8e5249c4ae6be36148b75c

SHA512
598a12666e96dce23a8a12af96a24e0059c9ed6492c2c861f1d7c407af4ac2bf943159afd7a9d7a2fe64c410b1dbf3ccf08ef83b7976b20c602a1e12792f7569

Download Submit
\Users\Admin\AppData\Roaming\Yqmy\obcie.exe

Filesize
396KB

MD5
0adea3047a98b6ad20a3dbfe8f8c50fd

SHA1
4d1f821e7470cdf37c9b28f7655064707d9fdaac

SHA256
4844418308223480212d8136736f657a0c8db4c1ae8e5249c4ae6be36148b75c

SHA512
598a12666e96dce23a8a12af96a24e0059c9ed6492c2c861f1d7c407af4ac2bf943159afd7a9d7a2fe64c410b1dbf3ccf08ef83b7976b20c602a1e12792f7569

Download Submit
memory/1108-242-0x0000000000068EA3-mapping.dmp

Download
memory/1108-248-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/1200-63-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1200-65-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1200-66-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1200-67-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1200-68-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1304-71-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/1304-74-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/1304-73-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/1304-72-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/1344-77-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/1344-78-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/1344-79-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/1344-80-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/1444-91-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-109-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-85-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-86-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-87-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-89-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-83-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-93-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-95-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-97-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-99-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-101-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-103-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-105-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-107-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-111-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-113-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-84-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-115-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-117-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-119-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-121-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-123-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-245-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-212-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/1444-227-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1444-56-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1444-55-0x00000000004A0000-0x0000000000530000-memory.dmp

Filesize
576KB

Download
memory/1444-244-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1716-211-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1716-59-0x0000000000000000-mapping.dmp

Download
memory/1716-261-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download