aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
Size

246KB
MD5

46fde05dabc1ab5b496b9eab0ce75eb1
SHA1

17ee6a1974dc00ccc1be8f4b0f9d04373317b62a
SHA256

aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303
SHA512

27dc1258ec8bf7b4513ddd4badb12201eadfa1c94182a8312c426a1c4debf8b092c083f5fd5676ac0a64d910cfeb2e1ac154e1d93c6c536ef0950f34914519ea
SSDEEP

6144:E9AcSqn006eGoxcyvJHugXYXh5unBqUAaB5C2PtlYZd:Ef6eGoqQ1I7m/TPgH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1112	ysen.exe
904	ysen.exe

Deletes itself 1 IoCs

pid	Process
332	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ysen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Fyfin\\ysen.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1112 set thread context of 904	1112	ysen.exe	30

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\742540C9-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
1112	ysen.exe
1112	ysen.exe
1740	explorer.exe
904	ysen.exe
904	ysen.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
Token: SeManageVolumePrivilege	1376	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1376	WinMail.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
1112	ysen.exe
1112	ysen.exe
1376	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 1736 wrote to memory of 952	1736	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	28
PID 952 wrote to memory of 1112	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	29
PID 952 wrote to memory of 1112	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	29
PID 952 wrote to memory of 1112	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	29
PID 952 wrote to memory of 1112	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	29
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 1112 wrote to memory of 904	1112	ysen.exe	30
PID 952 wrote to memory of 332	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	31
PID 952 wrote to memory of 332	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	31
PID 952 wrote to memory of 332	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	31
PID 952 wrote to memory of 332	952	aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe	31
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 904 wrote to memory of 1740	904	ysen.exe	33
PID 1740 wrote to memory of 1300	1740	explorer.exe	7
PID 1740 wrote to memory of 1300	1740	explorer.exe	7
PID 1740 wrote to memory of 1300	1740	explorer.exe	7
PID 1740 wrote to memory of 1300	1740	explorer.exe	7
PID 1740 wrote to memory of 1300	1740	explorer.exe	7
PID 1740 wrote to memory of 1360	1740	explorer.exe	15
PID 1740 wrote to memory of 1360	1740	explorer.exe	15
PID 1740 wrote to memory of 1360	1740	explorer.exe	15
PID 1740 wrote to memory of 1360	1740	explorer.exe	15
PID 1740 wrote to memory of 1360	1740	explorer.exe	15
PID 1740 wrote to memory of 1432	1740	explorer.exe	14
PID 1740 wrote to memory of 1432	1740	explorer.exe	14
PID 1740 wrote to memory of 1432	1740	explorer.exe	14
PID 1740 wrote to memory of 1432	1740	explorer.exe	14
PID 1740 wrote to memory of 1432	1740	explorer.exe	14
PID 1740 wrote to memory of 904	1740	explorer.exe	30
PID 1740 wrote to memory of 904	1740	explorer.exe	30
PID 1740 wrote to memory of 904	1740	explorer.exe	30
PID 1740 wrote to memory of 904	1740	explorer.exe	30
PID 1740 wrote to memory of 904	1740	explorer.exe	30
PID 904 wrote to memory of 1376	904	ysen.exe	34
PID 904 wrote to memory of 1376	904	ysen.exe	34
PID 904 wrote to memory of 1376	904	ysen.exe	34
PID 904 wrote to memory of 1376	904	ysen.exe	34
PID 904 wrote to memory of 1376	904	ysen.exe	34
PID 1740 wrote to memory of 1136	1740	explorer.exe	35
PID 1740 wrote to memory of 1136	1740	explorer.exe	35
PID 1740 wrote to memory of 1136	1740	explorer.exe	35
PID 1740 wrote to memory of 1136	1740	explorer.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
  "C:\Users\Admin\AppData\Local\Temp\aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
    C:\Users\Admin\AppData\Local\Temp\aa0d96982544e9179d0f2c4ed89977f1c7a4c5c68ef1df38f36cc31f6315d303.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe
      "C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe
        
        C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpff691bb4.bat"
      4⤵
      Deletes itself
      PID:332

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpff691bb4.bat

Filesize
307B

MD5
e8386d556a9b16527d6be9a5003859b0

SHA1
b5fd84d340642a33158203534efb1bfa22a59bf0

SHA256
c3c703e6e6616004d72fc9050f93277fe0b7359dba0c4b0bd02e70a12d0539ac

SHA512
2985768337fba0e3f207fc94b63e19170b9383320921c3b2484497109641ac62ca8f0c64da45fcf4d6813662ce06bf395b8233eecab4931734ffcc9544f58e53

Download Submit
C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe

Filesize
246KB

MD5
00a79cdc4860e727513f694a6b11f286

SHA1
74d4ab7406a10cba4b92db3dcc20009d43e01890

SHA256
c6a8552f0e0137e1c5ea117f132c95519f14240208221f9987245867af58e7b8

SHA512
dbdbc955f6ee8eba3433ec9c01c9c82e57a9aa4145d117b1f8050af5c7227cf8200e239f74a276587012a1abf9028bb7a2912e86f460541c5ca0e4fdc2c0ffbe

Download Submit
C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe

Filesize
246KB

MD5
00a79cdc4860e727513f694a6b11f286

SHA1
74d4ab7406a10cba4b92db3dcc20009d43e01890

SHA256
c6a8552f0e0137e1c5ea117f132c95519f14240208221f9987245867af58e7b8

SHA512
dbdbc955f6ee8eba3433ec9c01c9c82e57a9aa4145d117b1f8050af5c7227cf8200e239f74a276587012a1abf9028bb7a2912e86f460541c5ca0e4fdc2c0ffbe

Download Submit
C:\Users\Admin\AppData\Roaming\Fyfin\ysen.exe

Filesize
246KB

MD5
00a79cdc4860e727513f694a6b11f286

SHA1
74d4ab7406a10cba4b92db3dcc20009d43e01890

SHA256
c6a8552f0e0137e1c5ea117f132c95519f14240208221f9987245867af58e7b8

SHA512
dbdbc955f6ee8eba3433ec9c01c9c82e57a9aa4145d117b1f8050af5c7227cf8200e239f74a276587012a1abf9028bb7a2912e86f460541c5ca0e4fdc2c0ffbe

Download Submit
\Users\Admin\AppData\Roaming\Fyfin\ysen.exe

Filesize
246KB

MD5
00a79cdc4860e727513f694a6b11f286

SHA1
74d4ab7406a10cba4b92db3dcc20009d43e01890

SHA256
c6a8552f0e0137e1c5ea117f132c95519f14240208221f9987245867af58e7b8

SHA512
dbdbc955f6ee8eba3433ec9c01c9c82e57a9aa4145d117b1f8050af5c7227cf8200e239f74a276587012a1abf9028bb7a2912e86f460541c5ca0e4fdc2c0ffbe

Download Submit
\Users\Admin\AppData\Roaming\Fyfin\ysen.exe

Filesize
246KB

MD5
00a79cdc4860e727513f694a6b11f286

SHA1
74d4ab7406a10cba4b92db3dcc20009d43e01890

SHA256
c6a8552f0e0137e1c5ea117f132c95519f14240208221f9987245867af58e7b8

SHA512
dbdbc955f6ee8eba3433ec9c01c9c82e57a9aa4145d117b1f8050af5c7227cf8200e239f74a276587012a1abf9028bb7a2912e86f460541c5ca0e4fdc2c0ffbe

Download Submit
memory/904-134-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/904-133-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/904-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/904-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/904-137-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/952-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1300-115-0x0000000001ED0000-0x0000000001F01000-memory.dmp

Filesize
196KB

Download
memory/1300-118-0x0000000001ED0000-0x0000000001F01000-memory.dmp

Filesize
196KB

Download
memory/1300-117-0x0000000001ED0000-0x0000000001F01000-memory.dmp

Filesize
196KB

Download
memory/1300-116-0x0000000001ED0000-0x0000000001F01000-memory.dmp

Filesize
196KB

Download
memory/1360-124-0x0000000001AE0000-0x0000000001B11000-memory.dmp

Filesize
196KB

Download
memory/1360-123-0x0000000001AE0000-0x0000000001B11000-memory.dmp

Filesize
196KB

Download
memory/1360-122-0x0000000001AE0000-0x0000000001B11000-memory.dmp

Filesize
196KB

Download
memory/1360-121-0x0000000001AE0000-0x0000000001B11000-memory.dmp

Filesize
196KB

Download
memory/1376-101-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/1376-100-0x000007FEF6191000-0x000007FEF6193000-memory.dmp

Filesize
8KB

Download
memory/1376-99-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1376-107-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1432-129-0x00000000026E0000-0x0000000002711000-memory.dmp

Filesize
196KB

Download
memory/1432-130-0x00000000026E0000-0x0000000002711000-memory.dmp

Filesize
196KB

Download
memory/1432-127-0x00000000026E0000-0x0000000002711000-memory.dmp

Filesize
196KB

Download
memory/1432-128-0x00000000026E0000-0x0000000002711000-memory.dmp

Filesize
196KB

Download
memory/1736-63-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1740-98-0x00000000000C0000-0x00000000000F1000-memory.dmp

Filesize
196KB

Download
memory/1740-92-0x00000000000C0000-0x00000000000F1000-memory.dmp

Filesize
196KB

Download
memory/1740-89-0x00000000000C0000-0x00000000000F1000-memory.dmp

Filesize
196KB

Download
memory/1740-97-0x0000000074671000-0x0000000074673000-memory.dmp

Filesize
8KB

Download
memory/1740-91-0x00000000000C0000-0x00000000000F1000-memory.dmp

Filesize
196KB

Download
memory/1740-145-0x00000000000C0000-0x00000000000F1000-memory.dmp

Filesize
196KB

Download