7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af

Analysis

max time kernel
152s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 22:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Size

339KB
MD5

90eafe9e457828e746d0d8ae9146ffaf
SHA1

4953560bc1182ec5d60698163d8be0597c3ff526
SHA256

7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af
SHA512

8996c3bb1edc2842c0d802d4bfd956f798545b0c49cdf5782ae340d895984908a58febd2d1c3bf785a9cfe0ea4f46e67d21ffbdb5aa83b498e718e39d3f4a8e0
SSDEEP

6144:NkDptg1n2ViUpLBHYK0GuiksInuULEKxgkmYk+8enu:kptI3oLBH9XuikjFvukmchu

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5052	meade.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\Currentversion\Run	meade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	meade.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yradyq = "C:\\Users\\Admin\\AppData\\Roaming\\Fowuro\\meade.exe"	meade.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1280	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe	85

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Privacy	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe
5052	meade.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
Token: SeSecurityPrivilege	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 5052	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe	84
PID 1752 wrote to memory of 5052	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe	84
PID 1752 wrote to memory of 5052	1752	7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe	84
PID 5052 wrote to memory of 2436	5052	meade.exe	78
PID 5052 wrote to memory of 2436	5052	meade.exe	78
PID 5052 wrote to memory of 2436	5052	meade.exe	78
PID 5052 wrote to memory of 2436	5052	meade.exe	78
PID 5052 wrote to memory of 2436	5052	meade.exe	78
PID 5052 wrote to memory of 2444	5052	meade.exe	77
PID 5052 wrote to memory of 2444	5052	meade.exe	77
PID 5052 wrote to memory of 2444	5052	meade.exe	77
PID 5052 wrote to memory of 2444	5052	meade.exe	77
PID 5052 wrote to memory of 2444	5052	meade.exe	77
PID 5052 wrote to memory of 2580	5052	meade.exe	74
PID 5052 wrote to memory of 2580	5052	meade.exe	74
PID 5052 wrote to memory of 2580	5052	meade.exe	74
PID 5052 wrote to memory of 2580	5052	meade.exe	74
PID 5052 wrote to memory of 2580	5052	meade.exe	74
PID 5052 wrote to memory of 3076	5052	meade.exe	69
PID 5052 wrote to memory of 3076	5052	meade.exe	69
PID 5052 wrote to memory of 3076	5052	meade.exe	69
PID 5052 wrote to memory of 3076	5052	meade.exe	69
PID 5052 wrote to memory of 3076	5052	meade.exe	69
PID 5052 wrote to memory of 3216	5052	meade.exe	68
PID 5052 wrote to memory of 3216	5052	meade.exe	68
PID 5052 wrote to memory of 3216	5052	meade.exe	68
PID 5052 wrote to memory of 3216	5052	meade.exe	68
PID 5052 wrote to memory of 3216	5052	meade.exe	68
PID 5052 wrote to memory of 3416	5052	meade.exe	47
PID 5052 wrote to memory of 3416	5052	meade.exe	47
PID 5052 wrote to memory of 3416	5052	meade.exe	47
PID 5052 wrote to memory of 3416	5052	meade.exe	47
PID 5052 wrote to memory of 3416	5052	meade.exe	47
PID 5052 wrote to memory of 3508	5052	meade.exe	46
PID 5052 wrote to memory of 3508	5052	meade.exe	46
PID 5052 wrote to memory of 3508	5052	meade.exe	46
PID 5052 wrote to memory of 3508	5052	meade.exe	46
PID 5052 wrote to memory of 3508	5052	meade.exe	46
PID 5052 wrote to memory of 3572	5052	meade.exe	43
PID 5052 wrote to memory of 3572	5052	meade.exe	43
PID 5052 wrote to memory of 3572	5052	meade.exe	43
PID 5052 wrote to memory of 3572	5052	meade.exe	43
PID 5052 wrote to memory of 3572	5052	meade.exe	43
PID 5052 wrote to memory of 3660	5052	meade.exe	44
PID 5052 wrote to memory of 3660	5052	meade.exe	44
PID 5052 wrote to memory of 3660	5052	meade.exe	44
PID 5052 wrote to memory of 3660	5052	meade.exe	44
PID 5052 wrote to memory of 3660	5052	meade.exe	44
PID 5052 wrote to memory of 3832	5052	meade.exe	45
PID 5052 wrote to memory of 3832	5052	meade.exe	45
PID 5052 wrote to memory of 3832	5052	meade.exe	45
PID 5052 wrote to memory of 3832	5052	meade.exe	45
PID 5052 wrote to memory of 3832	5052	meade.exe	45
PID 5052 wrote to memory of 4604	5052	meade.exe	52
PID 5052 wrote to memory of 4604	5052	meade.exe	52
PID 5052 wrote to memory of 4604	5052	meade.exe	52
PID 5052 wrote to memory of 4604	5052	meade.exe	52
PID 5052 wrote to memory of 4604	5052	meade.exe	52
PID 5052 wrote to memory of 4300	5052	meade.exe	57
PID 5052 wrote to memory of 4300	5052	meade.exe	57
PID 5052 wrote to memory of 4300	5052	meade.exe	57
PID 5052 wrote to memory of 4300	5052	meade.exe	57
PID 5052 wrote to memory of 4300	5052	meade.exe	57
PID 5052 wrote to memory of 1752	5052	meade.exe	81

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4604

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe
  "C:\Users\Admin\AppData\Local\Temp\7f7ffa7537820329427b9a55149081ea930a209536166163787817c675a4d4af.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Roaming\Fowuro\meade.exe
    "C:\Users\Admin\AppData\Roaming\Fowuro\meade.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp864b7bfb.bat"
    3⤵
    PID:1280

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Duams\opzib.utv

Filesize
2KB

MD5
6c26bbd87eb5b10aab7b5c52192aa744

SHA1
b867c42aca5be891df54e01e22f4054dbf1e7e22

SHA256
6a9d647f6510fd22ea702b905a0a11f4d9b18b9d1ff264090e6bfb7cce15e1cc

SHA512
083067296e57e5a053fb20542af8bffd147cf1f08c41bb3dde250d6fd1ba766cd4a282da805e347ac31f0d9138c57c777965c51da6b87f3414852ed3fffec38f

Download Submit
C:\Users\Admin\AppData\Roaming\Fowuro\meade.exe

Filesize
339KB

MD5
36369416068ea47af82c9a939fc2ffb9

SHA1
462cee23c860b699a6aaffb371caaf4ca0977f03

SHA256
bd507e8cce0f7688f73d514cd0858e4e68421496640901c2e9b8ec2fe1b8b8db

SHA512
f859026e0ad0741527aafb5deb35d358bcf5809f84863a262bce9c90fef2f56ae62c0b3893e3e95de8062f9f64346e5bffe4318577fbf752ecd5bfb9860324e0

Download Submit
C:\Users\Admin\AppData\Roaming\Fowuro\meade.exe

Filesize
339KB

MD5
36369416068ea47af82c9a939fc2ffb9

SHA1
462cee23c860b699a6aaffb371caaf4ca0977f03

SHA256
bd507e8cce0f7688f73d514cd0858e4e68421496640901c2e9b8ec2fe1b8b8db

SHA512
f859026e0ad0741527aafb5deb35d358bcf5809f84863a262bce9c90fef2f56ae62c0b3893e3e95de8062f9f64346e5bffe4318577fbf752ecd5bfb9860324e0

Download Submit
memory/1280-147-0x0000000000B40000-0x0000000000B7B000-memory.dmp

Filesize
236KB

Download
memory/1280-150-0x0000000000B40000-0x0000000000B7B000-memory.dmp

Filesize
236KB

Download
memory/1752-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-132-0x0000000000A60000-0x0000000000A9B000-memory.dmp

Filesize
236KB

Download
memory/1752-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-149-0x0000000002320000-0x000000000235B000-memory.dmp

Filesize
236KB

Download
memory/1752-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-143-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1752-144-0x0000000002320000-0x000000000235B000-memory.dmp

Filesize
236KB

Download
memory/1752-134-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1752-133-0x0000000000AA0000-0x0000000000AF7000-memory.dmp

Filesize
348KB

Download
memory/5052-142-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5052-141-0x0000000000700000-0x0000000000757000-memory.dmp

Filesize
348KB

Download
memory/5052-140-0x00000000006C0000-0x00000000006FB000-memory.dmp

Filesize
236KB

Download
memory/5052-151-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download