af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
Size

138KB
MD5

65172a05f6cd0f7e3f0fed55bd13f5ff
SHA1

6e26e6f59b83f4ac67e13d5c975f841271b237bd
SHA256

af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63
SHA512

64bfd3b0bea2484fbb24129b6e922f24a148cdc607efdef6dad86186f9943bd040e58b1c7b1cf9889c94a64cdc587b958e32bb86e1fe0ee9311ad7e137626bcc
SSDEEP

3072:qzW1LZQEduEgsW2UPqxUEHqkC0i50/YXiQXT+t/8XIgfUTaXD3kz1QNm:qzW1L+QHhUPqxUEFQiQwkXhfUThQk

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	eqiwz.exe

Deletes itself 1 IoCs

pid	Process
1752	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	eqiwz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D9669BA1-1F64-87D8-3C61-30E05A407B6E} = "C:\\Users\\Admin\\AppData\\Roaming\\Hatey\\eqiwz.exe"	eqiwz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7B494DC5-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe
1360	eqiwz.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
Token: SeSecurityPrivilege	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
Token: SeSecurityPrivilege	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
Token: SeManageVolumePrivilege	1128	WinMail.exe
Token: SeSecurityPrivilege	1752	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1360	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	27
PID 1996 wrote to memory of 1360	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	27
PID 1996 wrote to memory of 1360	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	27
PID 1996 wrote to memory of 1360	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	27
PID 1360 wrote to memory of 1132	1360	eqiwz.exe	19
PID 1360 wrote to memory of 1132	1360	eqiwz.exe	19
PID 1360 wrote to memory of 1132	1360	eqiwz.exe	19
PID 1360 wrote to memory of 1132	1360	eqiwz.exe	19
PID 1360 wrote to memory of 1132	1360	eqiwz.exe	19
PID 1360 wrote to memory of 1232	1360	eqiwz.exe	18
PID 1360 wrote to memory of 1232	1360	eqiwz.exe	18
PID 1360 wrote to memory of 1232	1360	eqiwz.exe	18
PID 1360 wrote to memory of 1232	1360	eqiwz.exe	18
PID 1360 wrote to memory of 1232	1360	eqiwz.exe	18
PID 1360 wrote to memory of 1304	1360	eqiwz.exe	20
PID 1360 wrote to memory of 1304	1360	eqiwz.exe	20
PID 1360 wrote to memory of 1304	1360	eqiwz.exe	20
PID 1360 wrote to memory of 1304	1360	eqiwz.exe	20
PID 1360 wrote to memory of 1304	1360	eqiwz.exe	20
PID 1360 wrote to memory of 1996	1360	eqiwz.exe	26
PID 1360 wrote to memory of 1996	1360	eqiwz.exe	26
PID 1360 wrote to memory of 1996	1360	eqiwz.exe	26
PID 1360 wrote to memory of 1996	1360	eqiwz.exe	26
PID 1360 wrote to memory of 1996	1360	eqiwz.exe	26
PID 1360 wrote to memory of 1128	1360	eqiwz.exe	28
PID 1360 wrote to memory of 1128	1360	eqiwz.exe	28
PID 1360 wrote to memory of 1128	1360	eqiwz.exe	28
PID 1360 wrote to memory of 1128	1360	eqiwz.exe	28
PID 1360 wrote to memory of 1128	1360	eqiwz.exe	28
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1996 wrote to memory of 1752	1996	af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe	29
PID 1360 wrote to memory of 1740	1360	eqiwz.exe	30
PID 1360 wrote to memory of 1740	1360	eqiwz.exe	30
PID 1360 wrote to memory of 1740	1360	eqiwz.exe	30
PID 1360 wrote to memory of 1740	1360	eqiwz.exe	30
PID 1360 wrote to memory of 1740	1360	eqiwz.exe	30
PID 1360 wrote to memory of 848	1360	eqiwz.exe	31
PID 1360 wrote to memory of 848	1360	eqiwz.exe	31
PID 1360 wrote to memory of 848	1360	eqiwz.exe	31
PID 1360 wrote to memory of 848	1360	eqiwz.exe	31
PID 1360 wrote to memory of 848	1360	eqiwz.exe	31
PID 1360 wrote to memory of 1840	1360	eqiwz.exe	32
PID 1360 wrote to memory of 1840	1360	eqiwz.exe	32
PID 1360 wrote to memory of 1840	1360	eqiwz.exe	32
PID 1360 wrote to memory of 1840	1360	eqiwz.exe	32
PID 1360 wrote to memory of 1840	1360	eqiwz.exe	32

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe
  "C:\Users\Admin\AppData\Local\Temp\af28218f896260f98df4e72290019cb6609022775a9cd453da326e3923608d63.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe
    "C:\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp62cb96a0.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-830393744-16517309-9572191417910395531019536166-134066619-1984073341669795429"
1⤵
PID:1740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62cb96a0.bat

Filesize
307B

MD5
dca2b605e021b91aa4fa034bf02eb46d

SHA1
33f7cee8060d5e54ed277d8eab20367ec9220102

SHA256
1f1b203f23c40d766d6b6784f4abce3b19c1989ec3c13a53334eeb4c84a752f6

SHA512
7725468cc43ffcf8c53c8497b789909db5e129272242927120a2fa01d21cc37a7d709bf2ae27312263922846d6ec67989a6779b9b17d1f7f6a97923ce9236796

Download Submit
C:\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe

Filesize
138KB

MD5
9d5e14a66d5c6a0437e4f544b1fa4987

SHA1
36fe3f7b8fd01311c7ae22b1f174a98b152e93ad

SHA256
756bfa71c4d815ef350a7be7302e1f9a774ca087104506eae669cf4ca72e7007

SHA512
1d7c7edf70a1bf25c47752e75892d88f4d8c33ba6bee87861b6f37751191a13f7e4bcdf77bdb0010becfea4db14d220c0c8ffec1c6f3396b22c435f31782facf

Download Submit
C:\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe

Filesize
138KB

MD5
9d5e14a66d5c6a0437e4f544b1fa4987

SHA1
36fe3f7b8fd01311c7ae22b1f174a98b152e93ad

SHA256
756bfa71c4d815ef350a7be7302e1f9a774ca087104506eae669cf4ca72e7007

SHA512
1d7c7edf70a1bf25c47752e75892d88f4d8c33ba6bee87861b6f37751191a13f7e4bcdf77bdb0010becfea4db14d220c0c8ffec1c6f3396b22c435f31782facf

Download Submit
C:\Users\Admin\AppData\Roaming\Ulque\alins.ycd

Filesize
398B

MD5
0d34dd3ba63faa6e72aab28fef249ac6

SHA1
bdd3dcff90c9a6f82e919c872d731de3448205dd

SHA256
0660d45c4151b34bfab629164029d46faec5d3cce22401e6429d4b823f3492ed

SHA512
3d3440b7350c85ab2c715743ae3aa6102360694129a017e0a5d7452c8c820c41caef452120f945b67fd31493a8982d22215fdaf420e5c2ad24acb6648d23a72e

Download Submit
\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe

Filesize
138KB

MD5
9d5e14a66d5c6a0437e4f544b1fa4987

SHA1
36fe3f7b8fd01311c7ae22b1f174a98b152e93ad

SHA256
756bfa71c4d815ef350a7be7302e1f9a774ca087104506eae669cf4ca72e7007

SHA512
1d7c7edf70a1bf25c47752e75892d88f4d8c33ba6bee87861b6f37751191a13f7e4bcdf77bdb0010becfea4db14d220c0c8ffec1c6f3396b22c435f31782facf

Download Submit
\Users\Admin\AppData\Roaming\Hatey\eqiwz.exe

Filesize
138KB

MD5
9d5e14a66d5c6a0437e4f544b1fa4987

SHA1
36fe3f7b8fd01311c7ae22b1f174a98b152e93ad

SHA256
756bfa71c4d815ef350a7be7302e1f9a774ca087104506eae669cf4ca72e7007

SHA512
1d7c7edf70a1bf25c47752e75892d88f4d8c33ba6bee87861b6f37751191a13f7e4bcdf77bdb0010becfea4db14d220c0c8ffec1c6f3396b22c435f31782facf

Download Submit
memory/848-127-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/848-126-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1128-105-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/1128-102-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/1128-103-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/1128-104-0x0000000003DD0000-0x0000000003DF7000-memory.dmp

Filesize
156KB

Download
memory/1128-93-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1128-87-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/1128-86-0x000007FEF6611000-0x000007FEF6613000-memory.dmp

Filesize
8KB

Download
memory/1128-85-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1132-64-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/1132-66-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/1132-61-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/1132-63-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/1132-65-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/1232-72-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1232-71-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1232-70-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1232-69-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1304-77-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1304-75-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1304-76-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1304-78-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1740-119-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1740-120-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1740-121-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1740-122-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1752-109-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1752-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1752-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1752-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1752-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1996-99-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1996-84-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1996-83-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1996-82-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1996-81-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download