aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95

Analysis

max time kernel
186s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
Size

267KB
MD5

6baec7b6ecca82208835f101f24029a6
SHA1

65ceee9b1bcbc8f25a68951bca201005f02b9f50
SHA256

aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95
SHA512

da76809a2c79c70b272e52f66f875851dc282473c511ad1f4e2f065263a60874a2bdbc007106dae6ac4542ac7ae1938f3e7d917f2cae055604f1be9e82d484b6
SSDEEP

6144:jIXlmPop0uwXYGgbYaciL6WYLWe1BqY/j:jbPou3gsB/bL/1Bv/j

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1500	qaxyb.exe
1800	qaxyb.exe

Deletes itself 1 IoCs

pid	Process
1684	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	qaxyb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Baakolbe = "C:\\Users\\Admin\\AppData\\Roaming\\Uhecv\\qaxyb.exe"	qaxyb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 1500 set thread context of 1800	1500	qaxyb.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe
1800	qaxyb.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
Token: SeSecurityPrivilege	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
Token: SeSecurityPrivilege	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
Token: SeSecurityPrivilege	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 844 wrote to memory of 1656	844	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	28
PID 1656 wrote to memory of 1500	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	29
PID 1656 wrote to memory of 1500	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	29
PID 1656 wrote to memory of 1500	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	29
PID 1656 wrote to memory of 1500	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	29
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1500 wrote to memory of 1800	1500	qaxyb.exe	30
PID 1800 wrote to memory of 1132	1800	qaxyb.exe	7
PID 1800 wrote to memory of 1132	1800	qaxyb.exe	7
PID 1800 wrote to memory of 1132	1800	qaxyb.exe	7
PID 1800 wrote to memory of 1132	1800	qaxyb.exe	7
PID 1800 wrote to memory of 1132	1800	qaxyb.exe	7
PID 1800 wrote to memory of 1184	1800	qaxyb.exe	15
PID 1800 wrote to memory of 1184	1800	qaxyb.exe	15
PID 1800 wrote to memory of 1184	1800	qaxyb.exe	15
PID 1800 wrote to memory of 1184	1800	qaxyb.exe	15
PID 1800 wrote to memory of 1184	1800	qaxyb.exe	15
PID 1800 wrote to memory of 1224	1800	qaxyb.exe	14
PID 1800 wrote to memory of 1224	1800	qaxyb.exe	14
PID 1800 wrote to memory of 1224	1800	qaxyb.exe	14
PID 1800 wrote to memory of 1224	1800	qaxyb.exe	14
PID 1800 wrote to memory of 1224	1800	qaxyb.exe	14
PID 1800 wrote to memory of 1656	1800	qaxyb.exe	28
PID 1800 wrote to memory of 1656	1800	qaxyb.exe	28
PID 1800 wrote to memory of 1656	1800	qaxyb.exe	28
PID 1800 wrote to memory of 1656	1800	qaxyb.exe	28
PID 1800 wrote to memory of 1656	1800	qaxyb.exe	28
PID 1656 wrote to memory of 1684	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	31
PID 1656 wrote to memory of 1684	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	31
PID 1656 wrote to memory of 1684	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	31
PID 1656 wrote to memory of 1684	1656	aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe	31
PID 1800 wrote to memory of 1684	1800	qaxyb.exe	31
PID 1800 wrote to memory of 1684	1800	qaxyb.exe	31
PID 1800 wrote to memory of 1684	1800	qaxyb.exe	31
PID 1800 wrote to memory of 1684	1800	qaxyb.exe	31
PID 1800 wrote to memory of 1684	1800	qaxyb.exe	31
PID 1800 wrote to memory of 772	1800	qaxyb.exe	33
PID 1800 wrote to memory of 772	1800	qaxyb.exe	33
PID 1800 wrote to memory of 772	1800	qaxyb.exe	33
PID 1800 wrote to memory of 772	1800	qaxyb.exe	33
PID 1800 wrote to memory of 772	1800	qaxyb.exe	33
PID 1800 wrote to memory of 2036	1800	qaxyb.exe	34
PID 1800 wrote to memory of 2036	1800	qaxyb.exe	34
PID 1800 wrote to memory of 2036	1800	qaxyb.exe	34
PID 1800 wrote to memory of 2036	1800	qaxyb.exe	34
PID 1800 wrote to memory of 2036	1800	qaxyb.exe	34
PID 1800 wrote to memory of 1332	1800	qaxyb.exe	35
PID 1800 wrote to memory of 1332	1800	qaxyb.exe	35
PID 1800 wrote to memory of 1332	1800	qaxyb.exe	35
PID 1800 wrote to memory of 1332	1800	qaxyb.exe	35
PID 1800 wrote to memory of 1332	1800	qaxyb.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
  "C:\Users\Admin\AppData\Local\Temp\aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe
    "C:\Users\Admin\AppData\Local\Temp\aeaf0b9eaac74430f8bb3e147fc154561c436675f5e4b107a82eb2c37c7d7f95.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe
      "C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe
        
        "C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp330b3d63.bat"
      4⤵
      Deletes itself
      PID:1684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp330b3d63.bat

Filesize
307B

MD5
c5c2cfedab1020499fe713773595c0a3

SHA1
2bc5de70f18bc2d813c3ff3530d92c9cc0ba4a01

SHA256
14d09792b1bd9a50dd0918844a6e825da8612b51426b654f2e1de1e0202f45dd

SHA512
9a270bdea0bff1930287a00bdf7651a85ab6c3a0f2c26c71565595f7ad7bdff3bd4e3c9105d54ae15f18df38a55a70a8280fe1960a1f99e81d5f651fc71ecc80

Download Submit
C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe

Filesize
267KB

MD5
d6f3faaf641729ef344185a599aad9af

SHA1
c948c3c6a1e53a203d1704701c8f3a54b50d5df7

SHA256
42726b008a3371964f3798325d78b4dfd359e8c96ec2e9cebb996d4228fd1dbf

SHA512
e1cebe88d4ae1e13d618fcdaff61a2148f7554c2de2efcc314396bc91eeded8d4323cbba7d6bb07812a2ebe35fedf08cbd12956c9781a521897fb9c824467c98

Download Submit
C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe

Filesize
267KB

MD5
d6f3faaf641729ef344185a599aad9af

SHA1
c948c3c6a1e53a203d1704701c8f3a54b50d5df7

SHA256
42726b008a3371964f3798325d78b4dfd359e8c96ec2e9cebb996d4228fd1dbf

SHA512
e1cebe88d4ae1e13d618fcdaff61a2148f7554c2de2efcc314396bc91eeded8d4323cbba7d6bb07812a2ebe35fedf08cbd12956c9781a521897fb9c824467c98

Download Submit
C:\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe

Filesize
267KB

MD5
d6f3faaf641729ef344185a599aad9af

SHA1
c948c3c6a1e53a203d1704701c8f3a54b50d5df7

SHA256
42726b008a3371964f3798325d78b4dfd359e8c96ec2e9cebb996d4228fd1dbf

SHA512
e1cebe88d4ae1e13d618fcdaff61a2148f7554c2de2efcc314396bc91eeded8d4323cbba7d6bb07812a2ebe35fedf08cbd12956c9781a521897fb9c824467c98

Download Submit
C:\Users\Admin\AppData\Roaming\Yxoq\leax.etm

Filesize
421B

MD5
a3e673da73efdf9d3400d0615109a9a3

SHA1
9df89744273cfa700f45aa4f6d3e02185bea0154

SHA256
c08c027fae4505ef15b6734eaaa897e247b0e5ad4363fdedd40f676ef8d10396

SHA512
f9adc198c8bbafde76b140b2aeb14f6419d462bc5e151c16fbac1e2902cfc0ff57e7e323a6e2a1aab55696394971d33be95029a3f14bc1a1b1be6c496f53ddb9

Download Submit
\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe

Filesize
267KB

MD5
d6f3faaf641729ef344185a599aad9af

SHA1
c948c3c6a1e53a203d1704701c8f3a54b50d5df7

SHA256
42726b008a3371964f3798325d78b4dfd359e8c96ec2e9cebb996d4228fd1dbf

SHA512
e1cebe88d4ae1e13d618fcdaff61a2148f7554c2de2efcc314396bc91eeded8d4323cbba7d6bb07812a2ebe35fedf08cbd12956c9781a521897fb9c824467c98

Download Submit
\Users\Admin\AppData\Roaming\Uhecv\qaxyb.exe

Filesize
267KB

MD5
d6f3faaf641729ef344185a599aad9af

SHA1
c948c3c6a1e53a203d1704701c8f3a54b50d5df7

SHA256
42726b008a3371964f3798325d78b4dfd359e8c96ec2e9cebb996d4228fd1dbf

SHA512
e1cebe88d4ae1e13d618fcdaff61a2148f7554c2de2efcc314396bc91eeded8d4323cbba7d6bb07812a2ebe35fedf08cbd12956c9781a521897fb9c824467c98

Download Submit
memory/1132-88-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1132-87-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1132-86-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1132-85-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1184-93-0x0000000001B70000-0x0000000001BA9000-memory.dmp

Filesize
228KB

Download
memory/1184-91-0x0000000001B70000-0x0000000001BA9000-memory.dmp

Filesize
228KB

Download
memory/1184-94-0x0000000001B70000-0x0000000001BA9000-memory.dmp

Filesize
228KB

Download
memory/1184-92-0x0000000001B70000-0x0000000001BA9000-memory.dmp

Filesize
228KB

Download
memory/1224-98-0x00000000029E0000-0x0000000002A19000-memory.dmp

Filesize
228KB

Download
memory/1224-97-0x00000000029E0000-0x0000000002A19000-memory.dmp

Filesize
228KB

Download
memory/1224-100-0x00000000029E0000-0x0000000002A19000-memory.dmp

Filesize
228KB

Download
memory/1224-99-0x00000000029E0000-0x0000000002A19000-memory.dmp

Filesize
228KB

Download
memory/1656-106-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-108-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-104-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-105-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-103-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-63-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1656-107-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-110-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-112-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-114-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-116-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-118-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-120-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-122-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-124-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-126-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-128-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-234-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1800-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download