3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5

Analysis

max time kernel
154s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Size

280KB
MD5

0852ebe4950dc5c01e81e123cb20f5d0
SHA1

1aeb77ea59355c6747a66be43e20916f3fde215d
SHA256

3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5
SHA512

35974817a670f932c8c0ecedd0b15f5d884b3d85e7383736271106f68815d130243947cc8d0bfd61bcb8d6c32975453a9f4b58b31373405bd5ed76c4f51adbb1
SSDEEP

6144:pT8lj6/LTbJ8j7q4qFNLG0mvT0YhBdF5VWiFDL6u:pgleTZe7q4eNLS0YXdFBv6

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	uwar.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wubuyfy = "C:\\Users\\Admin\\AppData\\Roaming\\Adon\\uwar.exe"	uwar.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	uwar.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3F5B3C3F-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe
1396	uwar.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeManageVolumePrivilege	1704	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
1396	uwar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1396	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	27
PID 1588 wrote to memory of 1396	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	27
PID 1588 wrote to memory of 1396	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	27
PID 1588 wrote to memory of 1396	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	27
PID 1396 wrote to memory of 1092	1396	uwar.exe	17
PID 1396 wrote to memory of 1092	1396	uwar.exe	17
PID 1396 wrote to memory of 1092	1396	uwar.exe	17
PID 1396 wrote to memory of 1092	1396	uwar.exe	17
PID 1396 wrote to memory of 1092	1396	uwar.exe	17
PID 1396 wrote to memory of 1180	1396	uwar.exe	16
PID 1396 wrote to memory of 1180	1396	uwar.exe	16
PID 1396 wrote to memory of 1180	1396	uwar.exe	16
PID 1396 wrote to memory of 1180	1396	uwar.exe	16
PID 1396 wrote to memory of 1180	1396	uwar.exe	16
PID 1396 wrote to memory of 1208	1396	uwar.exe	15
PID 1396 wrote to memory of 1208	1396	uwar.exe	15
PID 1396 wrote to memory of 1208	1396	uwar.exe	15
PID 1396 wrote to memory of 1208	1396	uwar.exe	15
PID 1396 wrote to memory of 1208	1396	uwar.exe	15
PID 1396 wrote to memory of 1588	1396	uwar.exe	19
PID 1396 wrote to memory of 1588	1396	uwar.exe	19
PID 1396 wrote to memory of 1588	1396	uwar.exe	19
PID 1396 wrote to memory of 1588	1396	uwar.exe	19
PID 1396 wrote to memory of 1588	1396	uwar.exe	19
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1588 wrote to memory of 1312	1588	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	28
PID 1396 wrote to memory of 1884	1396	uwar.exe	29
PID 1396 wrote to memory of 1884	1396	uwar.exe	29
PID 1396 wrote to memory of 1884	1396	uwar.exe	29
PID 1396 wrote to memory of 1884	1396	uwar.exe	29
PID 1396 wrote to memory of 1884	1396	uwar.exe	29
PID 1396 wrote to memory of 324	1396	uwar.exe	30
PID 1396 wrote to memory of 324	1396	uwar.exe	30
PID 1396 wrote to memory of 324	1396	uwar.exe	30
PID 1396 wrote to memory of 324	1396	uwar.exe	30
PID 1396 wrote to memory of 324	1396	uwar.exe	30
PID 1396 wrote to memory of 1704	1396	uwar.exe	31
PID 1396 wrote to memory of 1704	1396	uwar.exe	31
PID 1396 wrote to memory of 1704	1396	uwar.exe	31
PID 1396 wrote to memory of 1704	1396	uwar.exe	31
PID 1396 wrote to memory of 1704	1396	uwar.exe	31
PID 1396 wrote to memory of 1864	1396	uwar.exe	32
PID 1396 wrote to memory of 1864	1396	uwar.exe	32
PID 1396 wrote to memory of 1864	1396	uwar.exe	32
PID 1396 wrote to memory of 1864	1396	uwar.exe	32
PID 1396 wrote to memory of 1864	1396	uwar.exe	32
PID 1396 wrote to memory of 112	1396	uwar.exe	33
PID 1396 wrote to memory of 112	1396	uwar.exe	33
PID 1396 wrote to memory of 112	1396	uwar.exe	33
PID 1396 wrote to memory of 112	1396	uwar.exe	33
PID 1396 wrote to memory of 112	1396	uwar.exe	33
PID 1396 wrote to memory of 1308	1396	uwar.exe	34
PID 1396 wrote to memory of 1308	1396	uwar.exe	34
PID 1396 wrote to memory of 1308	1396	uwar.exe	34
PID 1396 wrote to memory of 1308	1396	uwar.exe	34
PID 1396 wrote to memory of 1308	1396	uwar.exe	34
PID 1396 wrote to memory of 1684	1396	uwar.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Roaming\Adon\uwar.exe
    "C:\Users\Admin\AppData\Roaming\Adon\uwar.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaf11b363.bat"
    3⤵
    PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2138139825208155229746120174346465385-1401367999-1778201770-1009192326-1593754064"
1⤵
PID:324

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adon\uwar.exe

Filesize
280KB

MD5
cc40e1be51769f78db2299c8b96951a1

SHA1
03877ead470ff752077b7718cf16764cb6aa513a

SHA256
3214eb07e44fef8eb3e583b3382e5311c1e7da1b628be8f03978f3181edd0917

SHA512
926e4bb16ddd46eada892f1ef802e782c29ff015046a55417ebd49daf69e8802f96cf97e6b5d27d2e6aeaf71ec1e9e640ac2355d02e7e12a81ed6993d51d1279

Download Submit
C:\Users\Admin\AppData\Roaming\Adon\uwar.exe

Filesize
280KB

MD5
cc40e1be51769f78db2299c8b96951a1

SHA1
03877ead470ff752077b7718cf16764cb6aa513a

SHA256
3214eb07e44fef8eb3e583b3382e5311c1e7da1b628be8f03978f3181edd0917

SHA512
926e4bb16ddd46eada892f1ef802e782c29ff015046a55417ebd49daf69e8802f96cf97e6b5d27d2e6aeaf71ec1e9e640ac2355d02e7e12a81ed6993d51d1279

Download Submit
C:\Users\Admin\AppData\Roaming\Zeagsi\baawe.uzo

Filesize
4KB

MD5
e47a9deb7d87cf15a35e1f57946d9e28

SHA1
779aac1762f9677fb1950ede1937ab2a0ae46000

SHA256
b3423dbdf242f664751dfd8da1790aa0966ee7203c2b7a38b6fc6589d46244d4

SHA512
5a1401556c1cc4d809899175a15b79a79b3290b06a0afd2fa2ee853c286d69dbdcb06911dfa805e84cc6c5d4cd22ffe646cdcdc3c7c4b3637aeb77385018873a

Download Submit
\Users\Admin\AppData\Roaming\Adon\uwar.exe

Filesize
280KB

MD5
cc40e1be51769f78db2299c8b96951a1

SHA1
03877ead470ff752077b7718cf16764cb6aa513a

SHA256
3214eb07e44fef8eb3e583b3382e5311c1e7da1b628be8f03978f3181edd0917

SHA512
926e4bb16ddd46eada892f1ef802e782c29ff015046a55417ebd49daf69e8802f96cf97e6b5d27d2e6aeaf71ec1e9e640ac2355d02e7e12a81ed6993d51d1279

Download Submit
\Users\Admin\AppData\Roaming\Adon\uwar.exe

Filesize
280KB

MD5
cc40e1be51769f78db2299c8b96951a1

SHA1
03877ead470ff752077b7718cf16764cb6aa513a

SHA256
3214eb07e44fef8eb3e583b3382e5311c1e7da1b628be8f03978f3181edd0917

SHA512
926e4bb16ddd46eada892f1ef802e782c29ff015046a55417ebd49daf69e8802f96cf97e6b5d27d2e6aeaf71ec1e9e640ac2355d02e7e12a81ed6993d51d1279

Download Submit
memory/1092-68-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1092-65-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1092-67-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1092-69-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1092-70-0x0000000001CB0000-0x0000000001CEB000-memory.dmp

Filesize
236KB

Download
memory/1180-76-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1180-73-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1180-74-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1180-75-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1208-80-0x0000000002940000-0x000000000297B000-memory.dmp

Filesize
236KB

Download
memory/1208-81-0x0000000002940000-0x000000000297B000-memory.dmp

Filesize
236KB

Download
memory/1208-79-0x0000000002940000-0x000000000297B000-memory.dmp

Filesize
236KB

Download
memory/1208-82-0x0000000002940000-0x000000000297B000-memory.dmp

Filesize
236KB

Download
memory/1312-114-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-120-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-270-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-183-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-132-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-130-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-128-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-124-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-126-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-122-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-116-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-118-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-112-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-109-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-96-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-98-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-99-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-100-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-103-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-105-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1312-107-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1396-90-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/1396-263-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1396-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-91-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1588-88-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-92-0x0000000001E40000-0x0000000001E8A000-memory.dmp

Filesize
296KB

Download
memory/1588-89-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1588-87-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-86-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-85-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-56-0x00000000003B0000-0x00000000003EB000-memory.dmp

Filesize
236KB

Download
memory/1588-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1588-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1588-230-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1588-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1588-93-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download