47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
Size

993KB
MD5

095501e94845992bd4e7a391d64fc2b4
SHA1

6e72a1f189c34b61ce66b7548c538bd30d242659
SHA256

47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1
SHA512

c2085477aedb3650464a2d79808a545e672ce935a51e8efcb1676b273b2ae233a98f9e8dc4dbca6e4fdeaba093a6a52f1d5c027d3f2eec437b02f7231eebfd26
SSDEEP

24576:P4lavt0LkLL9IMixoEgeaBwktAuq9MmCS:Kkwkn9IMHeaBVDaPCS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1356	2202.exe
1612	piud.exe

Loads dropped DLL 6 IoCs

pid	Process
1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
1356	2202.exe
1356	2202.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2B367161-4E63-15BC-9E2F-8E2166DD60B5} = "C:\\Users\\Admin\\AppData\\Roaming\\Awsyi\\piud.exe"	piud.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	piud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 536	1356	2202.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2202.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	2202.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\324224B5-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe
1612	piud.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1356	2202.exe
Token: SeSecurityPrivilege	1356	2202.exe
Token: SeSecurityPrivilege	1356	2202.exe
Token: SeManageVolumePrivilege	1808	WinMail.exe
Token: SeSecurityPrivilege	536	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1808	WinMail.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1356	1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe	27
PID 1872 wrote to memory of 1356	1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe	27
PID 1872 wrote to memory of 1356	1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe	27
PID 1872 wrote to memory of 1356	1872	47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe	27
PID 1356 wrote to memory of 1612	1356	2202.exe	28
PID 1356 wrote to memory of 1612	1356	2202.exe	28
PID 1356 wrote to memory of 1612	1356	2202.exe	28
PID 1356 wrote to memory of 1612	1356	2202.exe	28
PID 1612 wrote to memory of 1252	1612	piud.exe	14
PID 1612 wrote to memory of 1252	1612	piud.exe	14
PID 1612 wrote to memory of 1252	1612	piud.exe	14
PID 1612 wrote to memory of 1252	1612	piud.exe	14
PID 1612 wrote to memory of 1252	1612	piud.exe	14
PID 1612 wrote to memory of 1344	1612	piud.exe	19
PID 1612 wrote to memory of 1344	1612	piud.exe	19
PID 1612 wrote to memory of 1344	1612	piud.exe	19
PID 1612 wrote to memory of 1344	1612	piud.exe	19
PID 1612 wrote to memory of 1344	1612	piud.exe	19
PID 1612 wrote to memory of 1408	1612	piud.exe	21
PID 1612 wrote to memory of 1408	1612	piud.exe	21
PID 1612 wrote to memory of 1408	1612	piud.exe	21
PID 1612 wrote to memory of 1408	1612	piud.exe	21
PID 1612 wrote to memory of 1408	1612	piud.exe	21
PID 1612 wrote to memory of 1356	1612	piud.exe	27
PID 1612 wrote to memory of 1356	1612	piud.exe	27
PID 1612 wrote to memory of 1356	1612	piud.exe	27
PID 1612 wrote to memory of 1356	1612	piud.exe	27
PID 1612 wrote to memory of 1356	1612	piud.exe	27
PID 1612 wrote to memory of 1808	1612	piud.exe	29
PID 1612 wrote to memory of 1808	1612	piud.exe	29
PID 1612 wrote to memory of 1808	1612	piud.exe	29
PID 1612 wrote to memory of 1808	1612	piud.exe	29
PID 1612 wrote to memory of 1808	1612	piud.exe	29
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1356 wrote to memory of 536	1356	2202.exe	30
PID 1612 wrote to memory of 1896	1612	piud.exe	32
PID 1612 wrote to memory of 1896	1612	piud.exe	32
PID 1612 wrote to memory of 1896	1612	piud.exe	32
PID 1612 wrote to memory of 1896	1612	piud.exe	32
PID 1612 wrote to memory of 1896	1612	piud.exe	32
PID 1612 wrote to memory of 1708	1612	piud.exe	33
PID 1612 wrote to memory of 1708	1612	piud.exe	33
PID 1612 wrote to memory of 1708	1612	piud.exe	33
PID 1612 wrote to memory of 1708	1612	piud.exe	33
PID 1612 wrote to memory of 1708	1612	piud.exe	33
PID 1612 wrote to memory of 1816	1612	piud.exe	34
PID 1612 wrote to memory of 1816	1612	piud.exe	34
PID 1612 wrote to memory of 1816	1612	piud.exe	34
PID 1612 wrote to memory of 1816	1612	piud.exe	34
PID 1612 wrote to memory of 1816	1612	piud.exe	34
PID 1612 wrote to memory of 1576	1612	piud.exe	35
PID 1612 wrote to memory of 1576	1612	piud.exe	35
PID 1612 wrote to memory of 1576	1612	piud.exe	35
PID 1612 wrote to memory of 1576	1612	piud.exe	35
PID 1612 wrote to memory of 1576	1612	piud.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1252

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe
  "C:\Users\Admin\AppData\Local\Temp\47d2dd01fdd570406adf66c7ebec26348f6cab6c73718b701f4dcedab38867f1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\2202\2202.exe
    "C:\Users\Admin\AppData\Local\Temp\2202\2202.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Roaming\Awsyi\piud.exe
      "C:\Users\Admin\AppData\Roaming\Awsyi\piud.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9271078c.bat"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:536

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9271078c.bat

Filesize
197B

MD5
bc4de361d0ca6e73dafd474425390307

SHA1
2c4a6dd13781c7563f753295bcc25f1289061877

SHA256
dc7e320c6aa47d6f5faceca6391aad24dcf02e4a27e59fa525f8d881d1a8e373

SHA512
5b21eca99eba23dde02a4c4e960e767d25f7304c32252703adef3edd52260e48e80ce1eec923da4db5299b71cfe4a26016b702c51e03a2a062900ca97015f3bc

Download Submit
C:\Users\Admin\AppData\Roaming\Awsyi\piud.exe

Filesize
138KB

MD5
312ce1950448f2b46e603666f5f749aa

SHA1
4ad1fb10c3f4ff3c38193ee238e83df3eb43bc23

SHA256
3dbfa13d9e307c62b194f969e877a009bb24da63a068be796001a128f2680eda

SHA512
d2e3abf576accd336a7d34f89896b1bcecf82239d30506b9949eec93235abe4eb748d8c389f6e4fec0e3696fdc0ad504ab001a9b9884c2ea0dc95f07554cebc2

Download Submit
C:\Users\Admin\AppData\Roaming\Awsyi\piud.exe

Filesize
138KB

MD5
312ce1950448f2b46e603666f5f749aa

SHA1
4ad1fb10c3f4ff3c38193ee238e83df3eb43bc23

SHA256
3dbfa13d9e307c62b194f969e877a009bb24da63a068be796001a128f2680eda

SHA512
d2e3abf576accd336a7d34f89896b1bcecf82239d30506b9949eec93235abe4eb748d8c389f6e4fec0e3696fdc0ad504ab001a9b9884c2ea0dc95f07554cebc2

Download Submit
C:\Users\Admin\AppData\Roaming\Ucicu\heobp.biw

Filesize
343B

MD5
da0dd941aa44c78237ccc29578af02e6

SHA1
681b5862069c1e845674b1361ac6d36d2c12247c

SHA256
078a7a941e4a517b88dd6576e26b1370d48ba94b56580bda5806f89abf1fbf8d

SHA512
7384fad2b8cde4956a6c5f146846a3eaf2b4c33e5a3ffe978ac32cfca9d08265e069f61943d8345a47f9d84fb424f70119734ffdcc6a9f19c17ed303c062c8da

Download Submit
\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
\Users\Admin\AppData\Local\Temp\2202\2202.exe

Filesize
138KB

MD5
b0b75d345f2c65c7e44f827f58225517

SHA1
ac0f12110c64e507d06367d81302e818ec37a856

SHA256
c7bf96b45684eff510710e3727ed43b64bc13b327400e99cc238713718a10ebd

SHA512
3a52b31eb7a381e7bac0f8b6dc564bb8297ea857670d991696c19058d9d0cd499fa1fc8a767e0aa0cf3a31b42e279048868eabc1790cf7402a0ce05581650f8c

Download Submit
\Users\Admin\AppData\Roaming\Awsyi\piud.exe

Filesize
138KB

MD5
312ce1950448f2b46e603666f5f749aa

SHA1
4ad1fb10c3f4ff3c38193ee238e83df3eb43bc23

SHA256
3dbfa13d9e307c62b194f969e877a009bb24da63a068be796001a128f2680eda

SHA512
d2e3abf576accd336a7d34f89896b1bcecf82239d30506b9949eec93235abe4eb748d8c389f6e4fec0e3696fdc0ad504ab001a9b9884c2ea0dc95f07554cebc2

Download Submit
\Users\Admin\AppData\Roaming\Awsyi\piud.exe

Filesize
138KB

MD5
312ce1950448f2b46e603666f5f749aa

SHA1
4ad1fb10c3f4ff3c38193ee238e83df3eb43bc23

SHA256
3dbfa13d9e307c62b194f969e877a009bb24da63a068be796001a128f2680eda

SHA512
d2e3abf576accd336a7d34f89896b1bcecf82239d30506b9949eec93235abe4eb748d8c389f6e4fec0e3696fdc0ad504ab001a9b9884c2ea0dc95f07554cebc2

Download Submit
memory/536-124-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/536-118-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/536-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/536-121-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/536-119-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1252-69-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1252-71-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1252-72-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1252-73-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1252-74-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1344-78-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-80-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-79-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-77-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1356-90-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-89-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-92-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-93-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-91-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1408-86-0x00000000039A0000-0x00000000039C7000-memory.dmp

Filesize
156KB

Download
memory/1408-85-0x00000000039A0000-0x00000000039C7000-memory.dmp

Filesize
156KB

Download
memory/1408-83-0x00000000039A0000-0x00000000039C7000-memory.dmp

Filesize
156KB

Download
memory/1408-84-0x00000000039A0000-0x00000000039C7000-memory.dmp

Filesize
156KB

Download
memory/1708-134-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1808-113-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/1808-95-0x000007FEF6201000-0x000007FEF6203000-memory.dmp

Filesize
8KB

Download
memory/1808-96-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1808-102-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1808-112-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/1808-111-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/1808-94-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/1808-110-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/1872-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1896-128-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1896-131-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1896-130-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1896-129-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download