3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81

Analysis

max time kernel
151s
max time network
117s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe
Size

264KB
MD5

5de907aab38f8c125fbdf5ad2c904a20
SHA1

96e6f089140b1983c5926f7cc039a1e7e0cae44c
SHA256

3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81
SHA512

7f5aba3fb14df8de300f1b74c1bbc046c140eb47fe6a45e7f4ea58286497f7fbc627a487e7459a587910c8057846aafd9a3bfd26babd81b567d0234ea0c13d1d
SSDEEP

1536:Yd3zJp2gfyzgfQlgDCbC04+KG1K6CkKBKodSwfX0hrIYQY2gCDd:ulw5z9bbjAAK6CtD/krIjtDd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1256	xeizy.exe

Deletes itself 1 IoCs

pid	Process
528	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe
1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeizy.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Huynuv\\xeizy.exe"	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\068845AD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
944	explorer.exe
1256	xeizy.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe
Token: SeManageVolumePrivilege	1412	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1256	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	26
PID 1348 wrote to memory of 1256	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	26
PID 1348 wrote to memory of 1256	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	26
PID 1348 wrote to memory of 1256	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	26
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 1256 wrote to memory of 944	1256	xeizy.exe	27
PID 944 wrote to memory of 1104	944	explorer.exe	16
PID 944 wrote to memory of 1104	944	explorer.exe	16
PID 944 wrote to memory of 1104	944	explorer.exe	16
PID 944 wrote to memory of 1104	944	explorer.exe	16
PID 944 wrote to memory of 1104	944	explorer.exe	16
PID 944 wrote to memory of 1164	944	explorer.exe	15
PID 944 wrote to memory of 1164	944	explorer.exe	15
PID 944 wrote to memory of 1164	944	explorer.exe	15
PID 944 wrote to memory of 1164	944	explorer.exe	15
PID 944 wrote to memory of 1164	944	explorer.exe	15
PID 944 wrote to memory of 1188	944	explorer.exe	14
PID 944 wrote to memory of 1188	944	explorer.exe	14
PID 944 wrote to memory of 1188	944	explorer.exe	14
PID 944 wrote to memory of 1188	944	explorer.exe	14
PID 944 wrote to memory of 1188	944	explorer.exe	14
PID 944 wrote to memory of 1348	944	explorer.exe	25
PID 944 wrote to memory of 1348	944	explorer.exe	25
PID 944 wrote to memory of 1348	944	explorer.exe	25
PID 944 wrote to memory of 1348	944	explorer.exe	25
PID 944 wrote to memory of 1348	944	explorer.exe	25
PID 1348 wrote to memory of 528	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	28
PID 1348 wrote to memory of 528	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	28
PID 1348 wrote to memory of 528	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	28
PID 1348 wrote to memory of 528	1348	3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe	28
PID 944 wrote to memory of 528	944	explorer.exe	28
PID 944 wrote to memory of 528	944	explorer.exe	28
PID 944 wrote to memory of 528	944	explorer.exe	28
PID 944 wrote to memory of 528	944	explorer.exe	28
PID 944 wrote to memory of 528	944	explorer.exe	28
PID 944 wrote to memory of 912	944	explorer.exe	29
PID 944 wrote to memory of 1412	944	explorer.exe	30
PID 944 wrote to memory of 1412	944	explorer.exe	30
PID 944 wrote to memory of 1412	944	explorer.exe	30
PID 944 wrote to memory of 1412	944	explorer.exe	30
PID 944 wrote to memory of 1412	944	explorer.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe
  "C:\Users\Admin\AppData\Local\Temp\3f7d9a8ad4d12ec90b9fdfaf7245b512198497d1b80099681dc712ddb4edea81.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe
    "C:\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp80c3ea18.bat"
    3⤵
    - Deletes itself
    PID:528

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "116470757920838702501930424064334264672415507779023149081018302032434652415"
1⤵
PID:912

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp80c3ea18.bat

Filesize
307B

MD5
7f9b9b62d9b64b6275cd072c07e105b7

SHA1
fb9031aa153f631b138fbabc2fcf0d5cdf13b146

SHA256
4c2b10a0ee37596e0806b7e61613778176a53ec73651a7176e8c2b4fb378b177

SHA512
7ca5df08822c323c9c0a04ae8e0e3d449118a41e81df23def0c7c2b1a955ffcd8f56bea5f3e30ba7d4c8533bed143c7e3eaac0a526e367c9e515bea0dc31c560

Download Submit
C:\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe

Filesize
264KB

MD5
4bdae123f373c9bc3f8c939c055366a9

SHA1
1b4fe00fa8e0bb3001fbddf07f0cdfee4ac3df34

SHA256
a0e57b175433c2ab1a16601cc0ce0b2a7c37c0c0600645b5d878e4b11d657a8d

SHA512
d9286c7537d3c394db4fde125e3cee1100ddbfbf9ca189aa421dd1dd079290ebb58fa807d3edd8f0577bf077eedb0aa3b96771496b9015088d509f696282b621

Download Submit
C:\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe

Filesize
264KB

MD5
4bdae123f373c9bc3f8c939c055366a9

SHA1
1b4fe00fa8e0bb3001fbddf07f0cdfee4ac3df34

SHA256
a0e57b175433c2ab1a16601cc0ce0b2a7c37c0c0600645b5d878e4b11d657a8d

SHA512
d9286c7537d3c394db4fde125e3cee1100ddbfbf9ca189aa421dd1dd079290ebb58fa807d3edd8f0577bf077eedb0aa3b96771496b9015088d509f696282b621

Download Submit
\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe

Filesize
264KB

MD5
4bdae123f373c9bc3f8c939c055366a9

SHA1
1b4fe00fa8e0bb3001fbddf07f0cdfee4ac3df34

SHA256
a0e57b175433c2ab1a16601cc0ce0b2a7c37c0c0600645b5d878e4b11d657a8d

SHA512
d9286c7537d3c394db4fde125e3cee1100ddbfbf9ca189aa421dd1dd079290ebb58fa807d3edd8f0577bf077eedb0aa3b96771496b9015088d509f696282b621

Download Submit
\Users\Admin\AppData\Roaming\Huynuv\xeizy.exe

Filesize
264KB

MD5
4bdae123f373c9bc3f8c939c055366a9

SHA1
1b4fe00fa8e0bb3001fbddf07f0cdfee4ac3df34

SHA256
a0e57b175433c2ab1a16601cc0ce0b2a7c37c0c0600645b5d878e4b11d657a8d

SHA512
d9286c7537d3c394db4fde125e3cee1100ddbfbf9ca189aa421dd1dd079290ebb58fa807d3edd8f0577bf077eedb0aa3b96771496b9015088d509f696282b621

Download Submit
memory/528-111-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/528-109-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/528-110-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/528-112-0x00000000000F0000-0x0000000000127000-memory.dmp

Filesize
220KB

Download
memory/944-76-0x00000000749C1000-0x00000000749C3000-memory.dmp

Filesize
8KB

Download
memory/944-73-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/944-77-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/944-68-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/944-70-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/944-72-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/944-135-0x0000000000100000-0x0000000000137000-memory.dmp

Filesize
220KB

Download
memory/1104-80-0x0000000001BB0000-0x0000000001BE7000-memory.dmp

Filesize
220KB

Download
memory/1104-81-0x0000000001BB0000-0x0000000001BE7000-memory.dmp

Filesize
220KB

Download
memory/1104-82-0x0000000001BB0000-0x0000000001BE7000-memory.dmp

Filesize
220KB

Download
memory/1104-83-0x0000000001BB0000-0x0000000001BE7000-memory.dmp

Filesize
220KB

Download
memory/1164-89-0x0000000001BF0000-0x0000000001C27000-memory.dmp

Filesize
220KB

Download
memory/1164-86-0x0000000001BF0000-0x0000000001C27000-memory.dmp

Filesize
220KB

Download
memory/1164-87-0x0000000001BF0000-0x0000000001C27000-memory.dmp

Filesize
220KB

Download
memory/1164-88-0x0000000001BF0000-0x0000000001C27000-memory.dmp

Filesize
220KB

Download
memory/1188-93-0x0000000003BC0000-0x0000000003BF7000-memory.dmp

Filesize
220KB

Download
memory/1188-95-0x0000000003BC0000-0x0000000003BF7000-memory.dmp

Filesize
220KB

Download
memory/1188-94-0x0000000003BC0000-0x0000000003BF7000-memory.dmp

Filesize
220KB

Download
memory/1188-92-0x0000000003BC0000-0x0000000003BF7000-memory.dmp

Filesize
220KB

Download
memory/1256-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1256-103-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1256-67-0x0000000000260000-0x00000000002D0000-memory.dmp

Filesize
448KB

Download
memory/1348-65-0x0000000002020000-0x0000000002091000-memory.dmp

Filesize
452KB

Download
memory/1348-56-0x00000000002F0000-0x0000000000360000-memory.dmp

Filesize
448KB

Download
memory/1348-102-0x0000000002020000-0x0000000002091000-memory.dmp

Filesize
452KB

Download
memory/1348-100-0x0000000002020000-0x0000000002057000-memory.dmp

Filesize
220KB

Download
memory/1348-99-0x0000000002020000-0x0000000002057000-memory.dmp

Filesize
220KB

Download
memory/1348-105-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1348-108-0x0000000002020000-0x0000000002057000-memory.dmp

Filesize
220KB

Download
memory/1348-98-0x0000000002020000-0x0000000002057000-memory.dmp

Filesize
220KB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1348-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1348-101-0x0000000002020000-0x0000000002057000-memory.dmp

Filesize
220KB

Download
memory/1348-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1412-118-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download
memory/1412-119-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download
memory/1412-120-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download
memory/1412-121-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1412-122-0x000007FEF64E1000-0x000007FEF64E3000-memory.dmp

Filesize
8KB

Download
memory/1412-123-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/1412-129-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/1412-117-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download