e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f

Analysis

max time kernel
152s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
Size

139KB
MD5

725c8f8a33a716a39db6c219b88f9b89
SHA1

8db082975d044e979a8cbf3aaead0d07c410b6cc
SHA256

e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f
SHA512

dab88c76c1cbfa241663ef0da89a4eaf63b8d0ccbd7f5b3eb19553fb6492c2cd456df612b9fa47bb1f69fb5b8262566d754ac2ffe4987b3be4bf0274b4a14137
SSDEEP

3072:3pgeClEc0sPDo6tSEwRwErxjqfMj7MTRhzQGys3t/xO+2FxgHUR9T+GRNqHYu:3Oe80s86pMT5qEmRhzQY3p0JSyCT

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1112	yqyk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000133ab-60.dat	upx
behavioral1/files/0x000a0000000133ab-61.dat	upx
behavioral1/files/0x000a0000000133ab-63.dat	upx
behavioral1/files/0x000a0000000133ab-65.dat	upx

Deletes itself 1 IoCs

pid	Process
1600	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	yqyk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DA38D66A-46B9-5E1B-0C4A-2A423A3DAAC7} = "C:\\Users\\Admin\\AppData\\Roaming\\Ikut\\yqyk.exe"	yqyk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe
1112	yqyk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
Token: SeSecurityPrivilege	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
Token: SeSecurityPrivilege	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1112	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	26
PID 1388 wrote to memory of 1112	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	26
PID 1388 wrote to memory of 1112	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	26
PID 1388 wrote to memory of 1112	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	26
PID 1112 wrote to memory of 1260	1112	yqyk.exe	11
PID 1112 wrote to memory of 1260	1112	yqyk.exe	11
PID 1112 wrote to memory of 1260	1112	yqyk.exe	11
PID 1112 wrote to memory of 1260	1112	yqyk.exe	11
PID 1112 wrote to memory of 1260	1112	yqyk.exe	11
PID 1112 wrote to memory of 1344	1112	yqyk.exe	10
PID 1112 wrote to memory of 1344	1112	yqyk.exe	10
PID 1112 wrote to memory of 1344	1112	yqyk.exe	10
PID 1112 wrote to memory of 1344	1112	yqyk.exe	10
PID 1112 wrote to memory of 1344	1112	yqyk.exe	10
PID 1112 wrote to memory of 1396	1112	yqyk.exe	5
PID 1112 wrote to memory of 1396	1112	yqyk.exe	5
PID 1112 wrote to memory of 1396	1112	yqyk.exe	5
PID 1112 wrote to memory of 1396	1112	yqyk.exe	5
PID 1112 wrote to memory of 1396	1112	yqyk.exe	5
PID 1112 wrote to memory of 1388	1112	yqyk.exe	25
PID 1112 wrote to memory of 1388	1112	yqyk.exe	25
PID 1112 wrote to memory of 1388	1112	yqyk.exe	25
PID 1112 wrote to memory of 1388	1112	yqyk.exe	25
PID 1112 wrote to memory of 1388	1112	yqyk.exe	25
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1388 wrote to memory of 1600	1388	e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe	27
PID 1112 wrote to memory of 924	1112	yqyk.exe	29
PID 1112 wrote to memory of 924	1112	yqyk.exe	29
PID 1112 wrote to memory of 924	1112	yqyk.exe	29
PID 1112 wrote to memory of 924	1112	yqyk.exe	29
PID 1112 wrote to memory of 924	1112	yqyk.exe	29
PID 1112 wrote to memory of 856	1112	yqyk.exe	30
PID 1112 wrote to memory of 856	1112	yqyk.exe	30
PID 1112 wrote to memory of 856	1112	yqyk.exe	30
PID 1112 wrote to memory of 856	1112	yqyk.exe	30
PID 1112 wrote to memory of 856	1112	yqyk.exe	30
PID 1112 wrote to memory of 1812	1112	yqyk.exe	31
PID 1112 wrote to memory of 1812	1112	yqyk.exe	31
PID 1112 wrote to memory of 1812	1112	yqyk.exe	31
PID 1112 wrote to memory of 1812	1112	yqyk.exe	31
PID 1112 wrote to memory of 1812	1112	yqyk.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe
  "C:\Users\Admin\AppData\Local\Temp\e153b654720dd92a95ec265fa477197f287a65de10b2b3b28a16d5abe8f0806f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Roaming\Ikut\yqyk.exe
    "C:\Users\Admin\AppData\Roaming\Ikut\yqyk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb097b467.bat"
    3⤵
    - Deletes itself
    PID:1600

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb097b467.bat

Filesize
307B

MD5
35e1fac2db5ccd2379394d1552e22432

SHA1
06bd8373ba07f9339dc3b8d0fb53ac6aae11e02b

SHA256
c6c9fc1963d7d4c24c5587e5e2760cff5c99c898445b1432f9834e0e8fa6fe26

SHA512
98fab514ec2bb2a8b013fad7c210bd1030eab923a6843333a6a521a1b70116d25cf2696af6cbbf8186b85f0d449dcfe8ce72314ce9bdd610bdeaeb777215fb54

Download Submit
C:\Users\Admin\AppData\Roaming\Ikut\yqyk.exe

Filesize
139KB

MD5
27ee250ccb466c6fda4f5c7ceaa80d3a

SHA1
26c2b61e0b442e9ca9de0597c3a6f289fb34a8ac

SHA256
1e54a55ec1dca45e482e08df908b69cd107d41476d8d9e6c9e12d131a41fcab9

SHA512
efac6de96a7189795cc95d34ae535196252b2860622e0235a40187f0f3d7e41d8230a3b2dc84b948d74ac9f92ec3c2e7405280702b1fa74d011cfbd1eef3e95a

Download Submit
C:\Users\Admin\AppData\Roaming\Ikut\yqyk.exe

Filesize
139KB

MD5
27ee250ccb466c6fda4f5c7ceaa80d3a

SHA1
26c2b61e0b442e9ca9de0597c3a6f289fb34a8ac

SHA256
1e54a55ec1dca45e482e08df908b69cd107d41476d8d9e6c9e12d131a41fcab9

SHA512
efac6de96a7189795cc95d34ae535196252b2860622e0235a40187f0f3d7e41d8230a3b2dc84b948d74ac9f92ec3c2e7405280702b1fa74d011cfbd1eef3e95a

Download Submit
C:\Users\Admin\AppData\Roaming\Vinae\kaos.sul

Filesize
398B

MD5
3c1b4f524b5272f52afd11202d2c153e

SHA1
6c4746b8c5acd92a02a80eb8671f4d695afc8294

SHA256
77cde8e774ddf8e6108acc57789b33597306610283acbc0eb017d4170c7f04d4

SHA512
4ce83710ec5c4e6621f657f33a0c6c1a247534480a26f342efa8d4032ace18d8be661c648b4cbe73e658bcc1836599f502a58958aa4f2584db61242ad5f9658a

Download Submit
\Users\Admin\AppData\Roaming\Ikut\yqyk.exe

Filesize
139KB

MD5
27ee250ccb466c6fda4f5c7ceaa80d3a

SHA1
26c2b61e0b442e9ca9de0597c3a6f289fb34a8ac

SHA256
1e54a55ec1dca45e482e08df908b69cd107d41476d8d9e6c9e12d131a41fcab9

SHA512
efac6de96a7189795cc95d34ae535196252b2860622e0235a40187f0f3d7e41d8230a3b2dc84b948d74ac9f92ec3c2e7405280702b1fa74d011cfbd1eef3e95a

Download Submit
\Users\Admin\AppData\Roaming\Ikut\yqyk.exe

Filesize
139KB

MD5
27ee250ccb466c6fda4f5c7ceaa80d3a

SHA1
26c2b61e0b442e9ca9de0597c3a6f289fb34a8ac

SHA256
1e54a55ec1dca45e482e08df908b69cd107d41476d8d9e6c9e12d131a41fcab9

SHA512
efac6de96a7189795cc95d34ae535196252b2860622e0235a40187f0f3d7e41d8230a3b2dc84b948d74ac9f92ec3c2e7405280702b1fa74d011cfbd1eef3e95a

Download Submit
memory/856-116-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/856-115-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/856-117-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/856-118-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/924-112-0x0000000001B50000-0x0000000001B6E000-memory.dmp

Filesize
120KB

Download
memory/924-109-0x0000000001B50000-0x0000000001B6E000-memory.dmp

Filesize
120KB

Download
memory/924-110-0x0000000001B50000-0x0000000001B6E000-memory.dmp

Filesize
120KB

Download
memory/924-111-0x0000000001B50000-0x0000000001B6E000-memory.dmp

Filesize
120KB

Download
memory/1112-92-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1112-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1260-68-0x0000000001C40000-0x0000000001C5E000-memory.dmp

Filesize
120KB

Download
memory/1260-71-0x0000000001C40000-0x0000000001C5E000-memory.dmp

Filesize
120KB

Download
memory/1260-70-0x0000000001C40000-0x0000000001C5E000-memory.dmp

Filesize
120KB

Download
memory/1260-69-0x0000000001C40000-0x0000000001C5E000-memory.dmp

Filesize
120KB

Download
memory/1260-66-0x0000000001C40000-0x0000000001C5E000-memory.dmp

Filesize
120KB

Download
memory/1344-75-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/1344-74-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/1344-76-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/1344-77-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/1388-88-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1388-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-90-0x0000000001ED0000-0x0000000001F26000-memory.dmp

Filesize
344KB

Download
memory/1388-91-0x0000000001ED0000-0x0000000001F26000-memory.dmp

Filesize
344KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-93-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1388-87-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1388-55-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-56-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1388-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-89-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1388-103-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1388-86-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1396-80-0x0000000002540000-0x000000000255E000-memory.dmp

Filesize
120KB

Download
memory/1396-83-0x0000000002540000-0x000000000255E000-memory.dmp

Filesize
120KB

Download
memory/1396-82-0x0000000002540000-0x000000000255E000-memory.dmp

Filesize
120KB

Download
memory/1396-81-0x0000000002540000-0x000000000255E000-memory.dmp

Filesize
120KB

Download
memory/1600-101-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1600-105-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1600-100-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1600-99-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1600-97-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1812-123-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download
memory/1812-122-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download
memory/1812-124-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download
memory/1812-125-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download