596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
Size

138KB
MD5

9fa6e37933b29ec5e45dffa56b95fa7d
SHA1

281dee9f021d1b4c06d115be4c5b26e4ee7c6d04
SHA256

596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2
SHA512

323cde86992b416492e94dfbd41b3cd9bf5e94f7c7d5146086032dd6fe6676ed3385dbe75de920035133755dcdaf004488c3b8ab7f31e14cda8cb58f81498b08
SSDEEP

3072:KTMx50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1YPm3wQGC:KTMoGtmiYlW4A1QvGXjBY5QGC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	yftau.exe

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	yftau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6358F804-0BBB-ACFF-85DE-C4959FB19243} = "C:\\Users\\Admin\\AppData\\Roaming\\Puweiq\\yftau.exe"	yftau.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\74D6402E-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe
1992	yftau.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
Token: SeSecurityPrivilege	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
Token: SeSecurityPrivilege	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
Token: SeManageVolumePrivilege	696	WinMail.exe
Token: SeSecurityPrivilege	2004	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
696	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1992	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	27
PID 2032 wrote to memory of 1992	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	27
PID 2032 wrote to memory of 1992	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	27
PID 2032 wrote to memory of 1992	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	27
PID 1992 wrote to memory of 1232	1992	yftau.exe	10
PID 1992 wrote to memory of 1232	1992	yftau.exe	10
PID 1992 wrote to memory of 1232	1992	yftau.exe	10
PID 1992 wrote to memory of 1232	1992	yftau.exe	10
PID 1992 wrote to memory of 1232	1992	yftau.exe	10
PID 1992 wrote to memory of 1328	1992	yftau.exe	9
PID 1992 wrote to memory of 1328	1992	yftau.exe	9
PID 1992 wrote to memory of 1328	1992	yftau.exe	9
PID 1992 wrote to memory of 1328	1992	yftau.exe	9
PID 1992 wrote to memory of 1328	1992	yftau.exe	9
PID 1992 wrote to memory of 1368	1992	yftau.exe	8
PID 1992 wrote to memory of 1368	1992	yftau.exe	8
PID 1992 wrote to memory of 1368	1992	yftau.exe	8
PID 1992 wrote to memory of 1368	1992	yftau.exe	8
PID 1992 wrote to memory of 1368	1992	yftau.exe	8
PID 1992 wrote to memory of 2032	1992	yftau.exe	26
PID 1992 wrote to memory of 2032	1992	yftau.exe	26
PID 1992 wrote to memory of 2032	1992	yftau.exe	26
PID 1992 wrote to memory of 2032	1992	yftau.exe	26
PID 1992 wrote to memory of 2032	1992	yftau.exe	26
PID 1992 wrote to memory of 696	1992	yftau.exe	28
PID 1992 wrote to memory of 696	1992	yftau.exe	28
PID 1992 wrote to memory of 696	1992	yftau.exe	28
PID 1992 wrote to memory of 696	1992	yftau.exe	28
PID 1992 wrote to memory of 696	1992	yftau.exe	28
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 2032 wrote to memory of 2004	2032	596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe	29
PID 1992 wrote to memory of 884	1992	yftau.exe	30
PID 1992 wrote to memory of 884	1992	yftau.exe	30
PID 1992 wrote to memory of 884	1992	yftau.exe	30
PID 1992 wrote to memory of 884	1992	yftau.exe	30
PID 1992 wrote to memory of 884	1992	yftau.exe	30
PID 1992 wrote to memory of 852	1992	yftau.exe	31
PID 1992 wrote to memory of 852	1992	yftau.exe	31
PID 1992 wrote to memory of 852	1992	yftau.exe	31
PID 1992 wrote to memory of 852	1992	yftau.exe	31
PID 1992 wrote to memory of 852	1992	yftau.exe	31
PID 1992 wrote to memory of 1676	1992	yftau.exe	32
PID 1992 wrote to memory of 1676	1992	yftau.exe	32
PID 1992 wrote to memory of 1676	1992	yftau.exe	32
PID 1992 wrote to memory of 1676	1992	yftau.exe	32
PID 1992 wrote to memory of 1676	1992	yftau.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe
  "C:\Users\Admin\AppData\Local\Temp\596554d63dce5dc476c121ec9c57bb6d8fd100d2edb74ebe64c0420c994269a2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Puweiq\yftau.exe
    "C:\Users\Admin\AppData\Roaming\Puweiq\yftau.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp53de9cf6.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:2004

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95036919215964192354743884261089658069-1474475517914217601045104048-730833611"
1⤵
PID:884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53de9cf6.bat

Filesize
307B

MD5
e717005a06f9fcc35f61b9919d9424ff

SHA1
0cf40e5c4e0abd21831dd297a850d4695c798b66

SHA256
148f090021b51e25e967bb9d2969609e054f09b24456fbb1013804ce3afb092d

SHA512
1f02c6a7128b6e1e82583ac89b6b77fe3953d798852594ff9acf432502a3ff459b055f56b8998c89dcc6151a6150eb8eff40359c6f360c736b8f787c00ca2f25

Download Submit
C:\Users\Admin\AppData\Roaming\Puweiq\yftau.exe

Filesize
138KB

MD5
64827ca37de26f33d4b3aea1c243ea00

SHA1
4ca64dd937bddc8145a4690beab0f836294b1bac

SHA256
9c069d1fccea2d6608c5f43fa90af48b6592edc592e58614bbd19c69f1a2375a

SHA512
00d789e9de3da43c1bdb48c32641775b0723493344263be296b0d45ca500d3972839d46ba31100d6e1548bcc3f84c6c014d20ee35f22e7ba4b297de89553f2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Puweiq\yftau.exe

Filesize
138KB

MD5
64827ca37de26f33d4b3aea1c243ea00

SHA1
4ca64dd937bddc8145a4690beab0f836294b1bac

SHA256
9c069d1fccea2d6608c5f43fa90af48b6592edc592e58614bbd19c69f1a2375a

SHA512
00d789e9de3da43c1bdb48c32641775b0723493344263be296b0d45ca500d3972839d46ba31100d6e1548bcc3f84c6c014d20ee35f22e7ba4b297de89553f2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Uxaz\fyfin.hea

Filesize
398B

MD5
b104f90d2b590e60cbeeb257859340f1

SHA1
04804b6479eda1c0fd79b0d378d82d415ca54bcf

SHA256
0ff7d174641af179ea0f3226ef14721eff45b69e185c7eda88b9125d806dc76a

SHA512
d58da341892855a6f678d440db7af1d296fbabe113a19a173fac3f3e4d9335b6913729bf9044ff3f99092904702641e4f65cf10c245ab86067ce9b27a8d25115

Download Submit
\Users\Admin\AppData\Roaming\Puweiq\yftau.exe

Filesize
138KB

MD5
64827ca37de26f33d4b3aea1c243ea00

SHA1
4ca64dd937bddc8145a4690beab0f836294b1bac

SHA256
9c069d1fccea2d6608c5f43fa90af48b6592edc592e58614bbd19c69f1a2375a

SHA512
00d789e9de3da43c1bdb48c32641775b0723493344263be296b0d45ca500d3972839d46ba31100d6e1548bcc3f84c6c014d20ee35f22e7ba4b297de89553f2d0

Download Submit
\Users\Admin\AppData\Roaming\Puweiq\yftau.exe

Filesize
138KB

MD5
64827ca37de26f33d4b3aea1c243ea00

SHA1
4ca64dd937bddc8145a4690beab0f836294b1bac

SHA256
9c069d1fccea2d6608c5f43fa90af48b6592edc592e58614bbd19c69f1a2375a

SHA512
00d789e9de3da43c1bdb48c32641775b0723493344263be296b0d45ca500d3972839d46ba31100d6e1548bcc3f84c6c014d20ee35f22e7ba4b297de89553f2d0

Download Submit
memory/696-104-0x0000000003C60000-0x0000000003C87000-memory.dmp

Filesize
156KB

Download
memory/696-87-0x000007FEF6D11000-0x000007FEF6D13000-memory.dmp

Filesize
8KB

Download
memory/696-86-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/696-103-0x0000000003C60000-0x0000000003C87000-memory.dmp

Filesize
156KB

Download
memory/696-102-0x0000000003C60000-0x0000000003C87000-memory.dmp

Filesize
156KB

Download
memory/696-105-0x0000000003C60000-0x0000000003C87000-memory.dmp

Filesize
156KB

Download
memory/696-94-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/696-88-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/852-126-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/852-127-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/884-120-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/884-121-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/884-122-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/884-119-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1232-64-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1232-66-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1232-61-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1232-63-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1232-65-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/1328-71-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1328-72-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1328-70-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1328-69-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1368-78-0x0000000002930000-0x0000000002957000-memory.dmp

Filesize
156KB

Download
memory/1368-75-0x0000000002930000-0x0000000002957000-memory.dmp

Filesize
156KB

Download
memory/1368-76-0x0000000002930000-0x0000000002957000-memory.dmp

Filesize
156KB

Download
memory/1368-77-0x0000000002930000-0x0000000002957000-memory.dmp

Filesize
156KB

Download
memory/2004-110-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2004-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2004-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2004-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2004-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-85-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2032-84-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2032-83-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2032-82-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2032-81-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download