d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5

Analysis

max time kernel
150s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
Size

138KB
MD5

b230ce98acb17af9f89d681911734c44
SHA1

f5aab843ed1521bf3f0fc9dd6790528371460446
SHA256

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5
SHA512

70ef55508a9881bc0979307c4816ff9c217223d4ead7b5e9b9d3d2d84922be0679d6a7e372f571be05eb1a5b771aa9597fca647f825747d6cb7a39f0eab796f9
SSDEEP

3072:KTmx50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1j3wQG5:KTmoGtmiYlW4A1QvGXjBsQG5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tafu.exe

pid process

1620 tafu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1668 cmd.exe

pid	process
1668	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe

pid	process
1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tafu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	tafu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4F1EECAA-D85A-D679-B744-220C9C4FFF64} = "C:\\Users\\Admin\\AppData\\Roaming\\Utzil\\tafu.exe"	tafu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe

description	pid	process	target process
PID 1972 set thread context of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1C676E55-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

tafu.exe

pid	process
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe
1620	tafu.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
Token: SeSecurityPrivilege	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
Token: SeSecurityPrivilege	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
Token: SeManageVolumePrivilege	864	WinMail.exe
Token: SeSecurityPrivilege	1668	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

864 WinMail.exe

pid	process
864	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exetafu.exe

description	pid	process	target process
PID 1972 wrote to memory of 1620	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	tafu.exe
PID 1972 wrote to memory of 1620	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	tafu.exe
PID 1972 wrote to memory of 1620	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	tafu.exe
PID 1972 wrote to memory of 1620	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	tafu.exe
PID 1620 wrote to memory of 1128	1620	tafu.exe	taskhost.exe
PID 1620 wrote to memory of 1128	1620	tafu.exe	taskhost.exe
PID 1620 wrote to memory of 1128	1620	tafu.exe	taskhost.exe
PID 1620 wrote to memory of 1128	1620	tafu.exe	taskhost.exe
PID 1620 wrote to memory of 1128	1620	tafu.exe	taskhost.exe
PID 1620 wrote to memory of 1192	1620	tafu.exe	Dwm.exe
PID 1620 wrote to memory of 1192	1620	tafu.exe	Dwm.exe
PID 1620 wrote to memory of 1192	1620	tafu.exe	Dwm.exe
PID 1620 wrote to memory of 1192	1620	tafu.exe	Dwm.exe
PID 1620 wrote to memory of 1192	1620	tafu.exe	Dwm.exe
PID 1620 wrote to memory of 1224	1620	tafu.exe	Explorer.EXE
PID 1620 wrote to memory of 1224	1620	tafu.exe	Explorer.EXE
PID 1620 wrote to memory of 1224	1620	tafu.exe	Explorer.EXE
PID 1620 wrote to memory of 1224	1620	tafu.exe	Explorer.EXE
PID 1620 wrote to memory of 1224	1620	tafu.exe	Explorer.EXE
PID 1620 wrote to memory of 1972	1620	tafu.exe	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
PID 1620 wrote to memory of 1972	1620	tafu.exe	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
PID 1620 wrote to memory of 1972	1620	tafu.exe	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
PID 1620 wrote to memory of 1972	1620	tafu.exe	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
PID 1620 wrote to memory of 1972	1620	tafu.exe	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
PID 1620 wrote to memory of 864	1620	tafu.exe	WinMail.exe
PID 1620 wrote to memory of 864	1620	tafu.exe	WinMail.exe
PID 1620 wrote to memory of 864	1620	tafu.exe	WinMail.exe
PID 1620 wrote to memory of 864	1620	tafu.exe	WinMail.exe
PID 1620 wrote to memory of 864	1620	tafu.exe	WinMail.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1972 wrote to memory of 1668	1972	d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe	cmd.exe
PID 1620 wrote to memory of 1600	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1600	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1600	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1600	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1600	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1864	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1864	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1864	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1864	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 1864	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 944	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 944	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 944	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 944	1620	tafu.exe	DllHost.exe
PID 1620 wrote to memory of 944	1620	tafu.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe
"C:\Users\Admin\AppData\Local\Temp\d5ba3f1b8150837b19e8fd1982d05919c629f2da97cf5300f5358ef28f4559d5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Utzil\tafu.exe
"C:\Users\Admin\AppData\Roaming\Utzil\tafu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbcaecf6f.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbcaecf6f.bat

Filesize
307B

MD5
8367c713d115693b39a56a44afde04b7

SHA1
63d260330e93bcbf6a05be83aceebc23d7fabfd9

SHA256
32f0b6a975ccb0293c0ed70249dc6f5b4a33a5c7dd1f7075b3f17eb25cc4df72

SHA512
516a478ecb9cbb9447bc42270192ad65b7e3ab5cd92d7c49bf94f43a598bf19cc35f1ee7735e8b97ddcc34c3ddb5db20dea989316e30e002169e0d302e6f712f

Download Submit
C:\Users\Admin\AppData\Roaming\Oruzm\egpa.tod

Filesize
398B

MD5
814ca48c19b1fdf6f26468b8a912d8ab

SHA1
f5a53891e2ef3976707f722b71d9ac014a727501

SHA256
fb76309dec28fea43e7edfe0c6996abfda605629901b2528c6a038bd55c3cd24

SHA512
88e04b7c710cb7fbd5d7de43da7f0b40e7b0d9d9cb2d37c1fdc310a49225eed34155194f7a405357a557e09d4737f351fd9f5185fcd3d89f08e98675949be016

Download Submit
C:\Users\Admin\AppData\Roaming\Utzil\tafu.exe

Filesize
138KB

MD5
fd60cdaaad1a284f5784107ee3b42e42

SHA1
01170882fda72bc9d3458cc0882244a5c49b743c

SHA256
5b547ae570fff9840130e7239b5e299711a835aa71b3be4ff850ef4011ec48de

SHA512
b6a20045b234866f59317210e692b350a233a7edb735eaee12378ddd9cf5b367dcd5f62810af1074479a4e8751d22fc5c5abc2be03151586c9bb48386678b3ea

Download Submit
C:\Users\Admin\AppData\Roaming\Utzil\tafu.exe

Filesize
138KB

MD5
fd60cdaaad1a284f5784107ee3b42e42

SHA1
01170882fda72bc9d3458cc0882244a5c49b743c

SHA256
5b547ae570fff9840130e7239b5e299711a835aa71b3be4ff850ef4011ec48de

SHA512
b6a20045b234866f59317210e692b350a233a7edb735eaee12378ddd9cf5b367dcd5f62810af1074479a4e8751d22fc5c5abc2be03151586c9bb48386678b3ea

Download Submit
\Users\Admin\AppData\Roaming\Utzil\tafu.exe

Filesize
138KB

MD5
fd60cdaaad1a284f5784107ee3b42e42

SHA1
01170882fda72bc9d3458cc0882244a5c49b743c

SHA256
5b547ae570fff9840130e7239b5e299711a835aa71b3be4ff850ef4011ec48de

SHA512
b6a20045b234866f59317210e692b350a233a7edb735eaee12378ddd9cf5b367dcd5f62810af1074479a4e8751d22fc5c5abc2be03151586c9bb48386678b3ea

Download Submit
\Users\Admin\AppData\Roaming\Utzil\tafu.exe

Filesize
138KB

MD5
fd60cdaaad1a284f5784107ee3b42e42

SHA1
01170882fda72bc9d3458cc0882244a5c49b743c

SHA256
5b547ae570fff9840130e7239b5e299711a835aa71b3be4ff850ef4011ec48de

SHA512
b6a20045b234866f59317210e692b350a233a7edb735eaee12378ddd9cf5b367dcd5f62810af1074479a4e8751d22fc5c5abc2be03151586c9bb48386678b3ea

Download Submit
memory/864-103-0x0000000004440000-0x0000000004467000-memory.dmp

Filesize
156KB

Download
memory/864-105-0x0000000004440000-0x0000000004467000-memory.dmp

Filesize
156KB

Download
memory/864-102-0x0000000004440000-0x0000000004467000-memory.dmp

Filesize
156KB

Download
memory/864-104-0x0000000004440000-0x0000000004467000-memory.dmp

Filesize
156KB

Download
memory/864-94-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/864-88-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/864-87-0x000007FEF6741000-0x000007FEF6743000-memory.dmp

Filesize
8KB

Download
memory/864-86-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1128-64-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1128-66-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1128-61-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1128-63-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1128-65-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1192-72-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1192-71-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1192-70-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1192-69-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1224-75-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1224-78-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1224-77-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1224-76-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1600-122-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1600-121-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1600-120-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1600-123-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1620-57-0x0000000000000000-mapping.dmp

Download
memory/1668-110-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1668-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1668-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1668-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1668-114-0x0000000000062CBA-mapping.dmp

Download
memory/1668-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1864-126-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1864-127-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/1972-85-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/1972-83-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/1972-82-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/1972-81-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/1972-84-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/1972-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download