dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
Size

234KB
MD5

228e58f796e7835549f6e075e7a9da81
SHA1

7d5aff02a94c32dd860823efdbbf896049004351
SHA256

dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466
SHA512

b53dee006a03f0245ef98b4681f70f13d478fc27079b106ddf44ff76c06bf3521bed226cc4129c5f8c306af283908625048b62ab1ab68eb81e69531d90375927
SSDEEP

6144:yEK6XbRw6rXobqBoCygkSKyF1h+8T+nLcCG://XbS6piCwSKsCY9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
468	vuopg.exe
268	vuopg.exe

Deletes itself 1 IoCs

pid	Process
336	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuopg.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Hyusy\\vuopg.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 468 set thread context of 268	468	vuopg.exe	29

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2EB73D5D-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1820	explorer.exe
268	vuopg.exe
268	vuopg.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
Token: SeManageVolumePrivilege	856	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
856	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
856	WinMail.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
468	vuopg.exe
468	vuopg.exe
856	WinMail.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1048 wrote to memory of 1388	1048	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	27
PID 1388 wrote to memory of 468	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	28
PID 1388 wrote to memory of 468	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	28
PID 1388 wrote to memory of 468	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	28
PID 1388 wrote to memory of 468	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	28
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 468 wrote to memory of 268	468	vuopg.exe	29
PID 1388 wrote to memory of 336	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	30
PID 1388 wrote to memory of 336	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	30
PID 1388 wrote to memory of 336	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	30
PID 1388 wrote to memory of 336	1388	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	30
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 268 wrote to memory of 1820	268	vuopg.exe	31
PID 1820 wrote to memory of 1264	1820	explorer.exe	17
PID 1820 wrote to memory of 1264	1820	explorer.exe	17
PID 1820 wrote to memory of 1264	1820	explorer.exe	17
PID 1820 wrote to memory of 1264	1820	explorer.exe	17
PID 1820 wrote to memory of 1264	1820	explorer.exe	17
PID 1820 wrote to memory of 1340	1820	explorer.exe	16
PID 1820 wrote to memory of 1340	1820	explorer.exe	16
PID 1820 wrote to memory of 1340	1820	explorer.exe	16
PID 1820 wrote to memory of 1340	1820	explorer.exe	16
PID 1820 wrote to memory of 1340	1820	explorer.exe	16
PID 1820 wrote to memory of 1400	1820	explorer.exe	15
PID 1820 wrote to memory of 1400	1820	explorer.exe	15
PID 1820 wrote to memory of 1400	1820	explorer.exe	15
PID 1820 wrote to memory of 1400	1820	explorer.exe	15
PID 1820 wrote to memory of 1400	1820	explorer.exe	15
PID 1820 wrote to memory of 268	1820	explorer.exe	29
PID 1820 wrote to memory of 268	1820	explorer.exe	29
PID 1820 wrote to memory of 268	1820	explorer.exe	29
PID 1820 wrote to memory of 268	1820	explorer.exe	29
PID 1820 wrote to memory of 268	1820	explorer.exe	29
PID 268 wrote to memory of 856	268	vuopg.exe	33
PID 268 wrote to memory of 856	268	vuopg.exe	33
PID 268 wrote to memory of 856	268	vuopg.exe	33
PID 268 wrote to memory of 856	268	vuopg.exe	33
PID 268 wrote to memory of 856	268	vuopg.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
  "C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
    C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe
      "C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe
        
        C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp443c0612.bat"
      4⤵
      Deletes itself
      PID:336

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1264

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp443c0612.bat

Filesize
307B

MD5
05a055a844d8db76c113b6f2bfad9276

SHA1
5b361f6a30a04d067de27ab729422f00116625fc

SHA256
c453cd7a3ea32a5e08d2662578a95fa8537e8b5dfc09a7f0971d52be06da3afb

SHA512
3fa3fa6dbbf04868ed8dfc39a866f1226e88fa206d5fa2cfbda18fa65087584f94d114661b62ab8d787d8655e5dcd590558f67581e820559b7e9332b2cd5f11d

Download Submit
C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe

Filesize
234KB

MD5
35d94b26212a62bf208aa52093913c74

SHA1
b66fa71d323957cfd66ac08eae7c408da3d45c4f

SHA256
f921251444d6241ad03aed5c50a1f128dc10bca7d1b480b762bb6bbf72d2bd96

SHA512
16b96cd6f541989329c92bbcaa16d0b7f15f56f49219605b0a78d7ce6a0dbdf7e8a00f768a299f1b0223283dfc6b58c29cb28a506db8564419c8d85dd538e831

Download Submit
C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe

Filesize
234KB

MD5
35d94b26212a62bf208aa52093913c74

SHA1
b66fa71d323957cfd66ac08eae7c408da3d45c4f

SHA256
f921251444d6241ad03aed5c50a1f128dc10bca7d1b480b762bb6bbf72d2bd96

SHA512
16b96cd6f541989329c92bbcaa16d0b7f15f56f49219605b0a78d7ce6a0dbdf7e8a00f768a299f1b0223283dfc6b58c29cb28a506db8564419c8d85dd538e831

Download Submit
C:\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe

Filesize
234KB

MD5
35d94b26212a62bf208aa52093913c74

SHA1
b66fa71d323957cfd66ac08eae7c408da3d45c4f

SHA256
f921251444d6241ad03aed5c50a1f128dc10bca7d1b480b762bb6bbf72d2bd96

SHA512
16b96cd6f541989329c92bbcaa16d0b7f15f56f49219605b0a78d7ce6a0dbdf7e8a00f768a299f1b0223283dfc6b58c29cb28a506db8564419c8d85dd538e831

Download Submit
\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe

Filesize
234KB

MD5
35d94b26212a62bf208aa52093913c74

SHA1
b66fa71d323957cfd66ac08eae7c408da3d45c4f

SHA256
f921251444d6241ad03aed5c50a1f128dc10bca7d1b480b762bb6bbf72d2bd96

SHA512
16b96cd6f541989329c92bbcaa16d0b7f15f56f49219605b0a78d7ce6a0dbdf7e8a00f768a299f1b0223283dfc6b58c29cb28a506db8564419c8d85dd538e831

Download Submit
\Users\Admin\AppData\Roaming\Hyusy\vuopg.exe

Filesize
234KB

MD5
35d94b26212a62bf208aa52093913c74

SHA1
b66fa71d323957cfd66ac08eae7c408da3d45c4f

SHA256
f921251444d6241ad03aed5c50a1f128dc10bca7d1b480b762bb6bbf72d2bd96

SHA512
16b96cd6f541989329c92bbcaa16d0b7f15f56f49219605b0a78d7ce6a0dbdf7e8a00f768a299f1b0223283dfc6b58c29cb28a506db8564419c8d85dd538e831

Download Submit
memory/268-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/268-133-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/268-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/268-137-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/268-134-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/856-97-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/856-105-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/856-99-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/856-98-0x000007FEF6901000-0x000007FEF6903000-memory.dmp

Filesize
8KB

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-64-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1264-118-0x0000000001D20000-0x0000000001D50000-memory.dmp

Filesize
192KB

Download
memory/1264-115-0x0000000001D20000-0x0000000001D50000-memory.dmp

Filesize
192KB

Download
memory/1264-116-0x0000000001D20000-0x0000000001D50000-memory.dmp

Filesize
192KB

Download
memory/1264-117-0x0000000001D20000-0x0000000001D50000-memory.dmp

Filesize
192KB

Download
memory/1340-122-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1340-123-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1340-124-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1340-121-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1388-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1400-128-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1400-127-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1400-129-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1400-130-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1820-89-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/1820-96-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1820-111-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/1820-92-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/1820-91-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/1820-145-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download