abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
Size

264KB
MD5

f7e85a61ce697299223fed18c428e6f0
SHA1

7936563709db9f68251735409a1d40a7cb188a80
SHA256

abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b
SHA512

d99e5722461969cda9659b57a6016f2a6e297f48f8500a9e98f95238ee01fd989daaa5b5fe4255bea2c6af7315792f609dcc3581ccd845620ed1ee259c2d1a73
SSDEEP

6144:O9w8T9c1lBzcMZF7bwwBGY4EheDBxe8E:Mi1lB9F70wH4Mebe8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	xeek.exe
304	xeek.exe

Deletes itself 1 IoCs

pid	Process
892	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 2028 set thread context of 304	2028	xeek.exe	29

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\596258CF-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
304	xeek.exe
304	xeek.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
Token: SeManageVolumePrivilege	384	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
384	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
384	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
2028	xeek.exe
384	WinMail.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1500 wrote to memory of 1404	1500	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	27
PID 1404 wrote to memory of 2028	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	28
PID 1404 wrote to memory of 2028	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	28
PID 1404 wrote to memory of 2028	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	28
PID 1404 wrote to memory of 2028	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	28
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 2028 wrote to memory of 304	2028	xeek.exe	29
PID 1404 wrote to memory of 892	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	30
PID 1404 wrote to memory of 892	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	30
PID 1404 wrote to memory of 892	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	30
PID 1404 wrote to memory of 892	1404	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	30
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 304 wrote to memory of 772	304	xeek.exe	31
PID 772 wrote to memory of 1344	772	explorer.exe	15
PID 772 wrote to memory of 1344	772	explorer.exe	15
PID 772 wrote to memory of 1344	772	explorer.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
  "C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
    "C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe
      "C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe
        
        "C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb2f6f449.bat"
      4⤵
      Deletes itself
      PID:892

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb2f6f449.bat

Filesize
307B

MD5
592dc8bad80251abda2d41cd7a1fca27

SHA1
0c8d3d8a7e2001d1d426bc27bdf8023c44958f3b

SHA256
6a82abfceddfcc7c779ddd848cc78c19c1c989e62dd758feac3422fb9557f8e7

SHA512
2ac2beac143e3c6caa6f905c57c093375bbbf7d259f897537bdf9d352f7dcdc2442dad53cfac1752c2b1f386cb967016c2fd82fe4f305f7bb02737b636b901f7

Download Submit
C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe

Filesize
264KB

MD5
9caacd1e0e7faea8b1d9a623c7cb414b

SHA1
68b5cd1269d15f2e3b9a375bcc2334a172b4d180

SHA256
6f8ec20e5bb96f6673039c4d1cb6edefccc7c6bdd4eb038eeb025948313f1d64

SHA512
95789558341344640e6938f9cf670bb562de5e8a0f679fbdbf5a703e69627ad06fff487bcd3bd3e1a1a6e612187db6fe4b3dd351cb7654f1cdccc0dbaa6ecfcc

Download Submit
C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe

Filesize
264KB

MD5
9caacd1e0e7faea8b1d9a623c7cb414b

SHA1
68b5cd1269d15f2e3b9a375bcc2334a172b4d180

SHA256
6f8ec20e5bb96f6673039c4d1cb6edefccc7c6bdd4eb038eeb025948313f1d64

SHA512
95789558341344640e6938f9cf670bb562de5e8a0f679fbdbf5a703e69627ad06fff487bcd3bd3e1a1a6e612187db6fe4b3dd351cb7654f1cdccc0dbaa6ecfcc

Download Submit
C:\Users\Admin\AppData\Roaming\Hyal\xeek.exe

Filesize
264KB

MD5
9caacd1e0e7faea8b1d9a623c7cb414b

SHA1
68b5cd1269d15f2e3b9a375bcc2334a172b4d180

SHA256
6f8ec20e5bb96f6673039c4d1cb6edefccc7c6bdd4eb038eeb025948313f1d64

SHA512
95789558341344640e6938f9cf670bb562de5e8a0f679fbdbf5a703e69627ad06fff487bcd3bd3e1a1a6e612187db6fe4b3dd351cb7654f1cdccc0dbaa6ecfcc

Download Submit
\Users\Admin\AppData\Roaming\Hyal\xeek.exe

Filesize
264KB

MD5
9caacd1e0e7faea8b1d9a623c7cb414b

SHA1
68b5cd1269d15f2e3b9a375bcc2334a172b4d180

SHA256
6f8ec20e5bb96f6673039c4d1cb6edefccc7c6bdd4eb038eeb025948313f1d64

SHA512
95789558341344640e6938f9cf670bb562de5e8a0f679fbdbf5a703e69627ad06fff487bcd3bd3e1a1a6e612187db6fe4b3dd351cb7654f1cdccc0dbaa6ecfcc

Download Submit
\Users\Admin\AppData\Roaming\Hyal\xeek.exe

Filesize
264KB

MD5
9caacd1e0e7faea8b1d9a623c7cb414b

SHA1
68b5cd1269d15f2e3b9a375bcc2334a172b4d180

SHA256
6f8ec20e5bb96f6673039c4d1cb6edefccc7c6bdd4eb038eeb025948313f1d64

SHA512
95789558341344640e6938f9cf670bb562de5e8a0f679fbdbf5a703e69627ad06fff487bcd3bd3e1a1a6e612187db6fe4b3dd351cb7654f1cdccc0dbaa6ecfcc

Download Submit
memory/304-109-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/304-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/384-94-0x000007FEF6761000-0x000007FEF6763000-memory.dmp

Filesize
8KB

Download
memory/384-93-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/384-103-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/384-97-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/772-95-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-92-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/772-81-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-84-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-86-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-87-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-88-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-85-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/772-110-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1404-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1500-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1500-60-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download