f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Size

260KB
MD5

0de177ac36fadd32af63e5f8a78da5ba
SHA1

4e59c65d3de0b57b11cf67e7b2d3bc2a07683b31
SHA256

f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1
SHA512

d4792b3a5d933da71c5289888cc0ea1977b71647f7a3fb2e09cdeb1bfce959d5e252f972f2814ffb26bd6414a28020fac0bf4a5a3827d11bb9a64290932d9750
SSDEEP

6144:NzK1gF5AC2z44Em6Tvr9mP/qB8i0Ea0heJQ2C6z:jDw44Emqro3qB8RwhODZz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1952	elilk.exe

Deletes itself 1 IoCs

pid	Process
756	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	elilk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vytyupi = "C:\\Users\\Admin\\AppData\\Roaming\\Veaxym\\elilk.exe"	elilk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\36003DB8-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe
1952	elilk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Token: SeSecurityPrivilege	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Token: SeSecurityPrivilege	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Token: SeSecurityPrivilege	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
Token: SeManageVolumePrivilege	1804	WinMail.exe
Token: SeSecurityPrivilege	756	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
1952	elilk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1952	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	26
PID 1968 wrote to memory of 1952	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	26
PID 1968 wrote to memory of 1952	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	26
PID 1968 wrote to memory of 1952	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	26
PID 1952 wrote to memory of 1108	1952	elilk.exe	12
PID 1952 wrote to memory of 1108	1952	elilk.exe	12
PID 1952 wrote to memory of 1108	1952	elilk.exe	12
PID 1952 wrote to memory of 1108	1952	elilk.exe	12
PID 1952 wrote to memory of 1108	1952	elilk.exe	12
PID 1952 wrote to memory of 1156	1952	elilk.exe	18
PID 1952 wrote to memory of 1156	1952	elilk.exe	18
PID 1952 wrote to memory of 1156	1952	elilk.exe	18
PID 1952 wrote to memory of 1156	1952	elilk.exe	18
PID 1952 wrote to memory of 1156	1952	elilk.exe	18
PID 1952 wrote to memory of 1192	1952	elilk.exe	13
PID 1952 wrote to memory of 1192	1952	elilk.exe	13
PID 1952 wrote to memory of 1192	1952	elilk.exe	13
PID 1952 wrote to memory of 1192	1952	elilk.exe	13
PID 1952 wrote to memory of 1192	1952	elilk.exe	13
PID 1952 wrote to memory of 1968	1952	elilk.exe	25
PID 1952 wrote to memory of 1968	1952	elilk.exe	25
PID 1952 wrote to memory of 1968	1952	elilk.exe	25
PID 1952 wrote to memory of 1968	1952	elilk.exe	25
PID 1952 wrote to memory of 1968	1952	elilk.exe	25
PID 1952 wrote to memory of 1804	1952	elilk.exe	27
PID 1952 wrote to memory of 1804	1952	elilk.exe	27
PID 1952 wrote to memory of 1804	1952	elilk.exe	27
PID 1952 wrote to memory of 1804	1952	elilk.exe	27
PID 1952 wrote to memory of 1804	1952	elilk.exe	27
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1968 wrote to memory of 756	1968	f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe	28
PID 1952 wrote to memory of 948	1952	elilk.exe	29
PID 1952 wrote to memory of 948	1952	elilk.exe	29
PID 1952 wrote to memory of 948	1952	elilk.exe	29
PID 1952 wrote to memory of 948	1952	elilk.exe	29
PID 1952 wrote to memory of 948	1952	elilk.exe	29
PID 1952 wrote to memory of 1688	1952	elilk.exe	30
PID 1952 wrote to memory of 1688	1952	elilk.exe	30
PID 1952 wrote to memory of 1688	1952	elilk.exe	30
PID 1952 wrote to memory of 1688	1952	elilk.exe	30
PID 1952 wrote to memory of 1688	1952	elilk.exe	30
PID 1952 wrote to memory of 612	1952	elilk.exe	31
PID 1952 wrote to memory of 612	1952	elilk.exe	31
PID 1952 wrote to memory of 612	1952	elilk.exe	31
PID 1952 wrote to memory of 612	1952	elilk.exe	31
PID 1952 wrote to memory of 612	1952	elilk.exe	31
PID 1952 wrote to memory of 1224	1952	elilk.exe	32
PID 1952 wrote to memory of 1224	1952	elilk.exe	32
PID 1952 wrote to memory of 1224	1952	elilk.exe	32
PID 1952 wrote to memory of 1224	1952	elilk.exe	32
PID 1952 wrote to memory of 1224	1952	elilk.exe	32
PID 1952 wrote to memory of 336	1952	elilk.exe	33
PID 1952 wrote to memory of 336	1952	elilk.exe	33
PID 1952 wrote to memory of 336	1952	elilk.exe	33
PID 1952 wrote to memory of 336	1952	elilk.exe	33
PID 1952 wrote to memory of 336	1952	elilk.exe	33
PID 1952 wrote to memory of 1792	1952	elilk.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe
  "C:\Users\Admin\AppData\Local\Temp\f716d011693a7f678eabf3fc0c1840a71abe433b6c237fd55b557f67b0d351d1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Veaxym\elilk.exe
    "C:\Users\Admin\AppData\Roaming\Veaxym\elilk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp385c3ea4.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2049233077964267822225697450-127024363732839615-1590310072-470065834552501639"
1⤵
PID:948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp385c3ea4.bat

Filesize
307B

MD5
45d8b648fbc9a71cb2af6d9a64afbf17

SHA1
08f08a0d16ab6fd68d812c858c4004f266ed9879

SHA256
796612e04951cff70ab34a569c6ece1c0bb871547e6b930091d5e7dda76d8123

SHA512
733e5791324f5f7f96b3c6d362e6ef3645f2585b525522f5902fc2d6877f51e4defaff2e6a7f86805fd36ae56a08eff38029d015fc7e3a17379f7449fbbca507

Download Submit
C:\Users\Admin\AppData\Roaming\Veaxym\elilk.exe

Filesize
260KB

MD5
c864f67c7249633321e955681d5d7b02

SHA1
e09b3c4cdb1593a1ccda743eeb9ca796004a6f87

SHA256
ff38dd540daa365b3ebc6577bfd1eb0b00f3a1f39f1adc8c1f2e0dab942e2187

SHA512
ab6c3d391da61e4dac43537948adc84b3f64ae51599e3009389c6313b2592497a22ba669040c4cc6de82bd143b3a791ba6bf11106bbc471a331f039176f0e790

Download Submit
C:\Users\Admin\AppData\Roaming\Veaxym\elilk.exe

Filesize
260KB

MD5
c864f67c7249633321e955681d5d7b02

SHA1
e09b3c4cdb1593a1ccda743eeb9ca796004a6f87

SHA256
ff38dd540daa365b3ebc6577bfd1eb0b00f3a1f39f1adc8c1f2e0dab942e2187

SHA512
ab6c3d391da61e4dac43537948adc84b3f64ae51599e3009389c6313b2592497a22ba669040c4cc6de82bd143b3a791ba6bf11106bbc471a331f039176f0e790

Download Submit
C:\Users\Admin\AppData\Roaming\Wyic\ebcae.kig

Filesize
421B

MD5
fc5d93560725c0cc4b4f938272d1012b

SHA1
80f7d783f09f5132e002d206b357a2cf3da00a47

SHA256
98e8144d500306cea92634d84acf98ab19c258afdbf30c007d225b0be57e1097

SHA512
447417885f9477dfbec1750fddaf4966345ea29184149533c8e55c24c2e5e344ec994b9d4bb7c8949eea174b94223419d9bd297e4c8cdf363b492960a564dfd3

Download Submit
\Users\Admin\AppData\Roaming\Veaxym\elilk.exe

Filesize
260KB

MD5
c864f67c7249633321e955681d5d7b02

SHA1
e09b3c4cdb1593a1ccda743eeb9ca796004a6f87

SHA256
ff38dd540daa365b3ebc6577bfd1eb0b00f3a1f39f1adc8c1f2e0dab942e2187

SHA512
ab6c3d391da61e4dac43537948adc84b3f64ae51599e3009389c6313b2592497a22ba669040c4cc6de82bd143b3a791ba6bf11106bbc471a331f039176f0e790

Download Submit
\Users\Admin\AppData\Roaming\Veaxym\elilk.exe

Filesize
260KB

MD5
c864f67c7249633321e955681d5d7b02

SHA1
e09b3c4cdb1593a1ccda743eeb9ca796004a6f87

SHA256
ff38dd540daa365b3ebc6577bfd1eb0b00f3a1f39f1adc8c1f2e0dab942e2187

SHA512
ab6c3d391da61e4dac43537948adc84b3f64ae51599e3009389c6313b2592497a22ba669040c4cc6de82bd143b3a791ba6bf11106bbc471a331f039176f0e790

Download Submit
memory/756-132-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-130-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-134-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-128-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-252-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-126-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-124-0x0000000000065C71-mapping.dmp

Download
memory/756-123-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-122-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-121-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/756-119-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1108-70-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1108-66-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1108-68-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1108-69-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1108-71-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1156-76-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1156-77-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1156-74-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1156-75-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1192-80-0x00000000029E0000-0x0000000002A1B000-memory.dmp

Filesize
236KB

Download
memory/1192-81-0x00000000029E0000-0x0000000002A1B000-memory.dmp

Filesize
236KB

Download
memory/1192-82-0x00000000029E0000-0x0000000002A1B000-memory.dmp

Filesize
236KB

Download
memory/1192-83-0x00000000029E0000-0x0000000002A1B000-memory.dmp

Filesize
236KB

Download
memory/1804-114-0x00000000042B0000-0x00000000042EB000-memory.dmp

Filesize
236KB

Download
memory/1804-113-0x00000000042B0000-0x00000000042EB000-memory.dmp

Filesize
236KB

Download
memory/1804-112-0x00000000042B0000-0x00000000042EB000-memory.dmp

Filesize
236KB

Download
memory/1804-95-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download
memory/1804-96-0x000007FEFB091000-0x000007FEFB093000-memory.dmp

Filesize
8KB

Download
memory/1804-97-0x0000000001F50000-0x0000000001F60000-memory.dmp

Filesize
64KB

Download
memory/1804-103-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/1804-115-0x00000000042B0000-0x00000000042EB000-memory.dmp

Filesize
236KB

Download
memory/1952-92-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1952-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-91-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/1952-61-0x0000000000000000-mapping.dmp

Download
memory/1968-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-88-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-87-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-86-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-89-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-90-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1968-57-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/1968-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1968-162-0x0000000001CD0000-0x0000000001D0B000-memory.dmp

Filesize
236KB

Download
memory/1968-56-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/1968-94-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1968-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download