fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
Size

138KB
MD5

f8d337ef98fef5067c336bcd81bb5029
SHA1

3f48bf2c642a1f8654bb2f31347f7392e259a7d6
SHA256

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b
SHA512

474e725065b5acdc5572086ba70ff9e1131beddbaf131cc4b665a1b674c7724f74fffbb26769b7a5cd28c3a7142679cb3cdf62b39dbb510fcb111bde95eb11fe
SSDEEP

3072:KTIx50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1r3wQGu:KTIoGtmiYlW4A1QvGXjBUQGu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dosyl.exe

pid process

2008 dosyl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

772 cmd.exe

pid	process
772	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe

pid	process
576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dosyl.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	dosyl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DF09CD79-D9CF-2352-45E3-F0058F4E9DC8} = "C:\\Users\\Admin\\AppData\\Roaming\\Etycfa\\dosyl.exe"	dosyl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe

description pid process target process

PID 576 set thread context of 772 576 fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe cmd.exe

description	pid	process	target process
PID 576 set thread context of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7ADC0098-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

dosyl.exe

pid	process
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe
2008	dosyl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
Token: SeSecurityPrivilege	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
Token: SeSecurityPrivilege	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
Token: SeManageVolumePrivilege	112	WinMail.exe
Token: SeSecurityPrivilege	772	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

112 WinMail.exe

pid	process
112	WinMail.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exedosyl.exe

description	pid	process	target process
PID 576 wrote to memory of 2008	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	dosyl.exe
PID 576 wrote to memory of 2008	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	dosyl.exe
PID 576 wrote to memory of 2008	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	dosyl.exe
PID 576 wrote to memory of 2008	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	dosyl.exe
PID 2008 wrote to memory of 1216	2008	dosyl.exe	taskhost.exe
PID 2008 wrote to memory of 1216	2008	dosyl.exe	taskhost.exe
PID 2008 wrote to memory of 1216	2008	dosyl.exe	taskhost.exe
PID 2008 wrote to memory of 1216	2008	dosyl.exe	taskhost.exe
PID 2008 wrote to memory of 1216	2008	dosyl.exe	taskhost.exe
PID 2008 wrote to memory of 1316	2008	dosyl.exe	Dwm.exe
PID 2008 wrote to memory of 1316	2008	dosyl.exe	Dwm.exe
PID 2008 wrote to memory of 1316	2008	dosyl.exe	Dwm.exe
PID 2008 wrote to memory of 1316	2008	dosyl.exe	Dwm.exe
PID 2008 wrote to memory of 1316	2008	dosyl.exe	Dwm.exe
PID 2008 wrote to memory of 1384	2008	dosyl.exe	Explorer.EXE
PID 2008 wrote to memory of 1384	2008	dosyl.exe	Explorer.EXE
PID 2008 wrote to memory of 1384	2008	dosyl.exe	Explorer.EXE
PID 2008 wrote to memory of 1384	2008	dosyl.exe	Explorer.EXE
PID 2008 wrote to memory of 1384	2008	dosyl.exe	Explorer.EXE
PID 2008 wrote to memory of 576	2008	dosyl.exe	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
PID 2008 wrote to memory of 576	2008	dosyl.exe	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
PID 2008 wrote to memory of 576	2008	dosyl.exe	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
PID 2008 wrote to memory of 576	2008	dosyl.exe	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
PID 2008 wrote to memory of 576	2008	dosyl.exe	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
PID 2008 wrote to memory of 112	2008	dosyl.exe	WinMail.exe
PID 2008 wrote to memory of 112	2008	dosyl.exe	WinMail.exe
PID 2008 wrote to memory of 112	2008	dosyl.exe	WinMail.exe
PID 2008 wrote to memory of 112	2008	dosyl.exe	WinMail.exe
PID 2008 wrote to memory of 112	2008	dosyl.exe	WinMail.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 576 wrote to memory of 772	576	fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe	cmd.exe
PID 2008 wrote to memory of 800	2008	dosyl.exe	conhost.exe
PID 2008 wrote to memory of 800	2008	dosyl.exe	conhost.exe
PID 2008 wrote to memory of 800	2008	dosyl.exe	conhost.exe
PID 2008 wrote to memory of 800	2008	dosyl.exe	conhost.exe
PID 2008 wrote to memory of 800	2008	dosyl.exe	conhost.exe
PID 2008 wrote to memory of 968	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 968	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 968	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 968	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 968	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1860	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1860	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1860	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1860	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1860	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1508	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1508	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1508	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1508	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1508	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1088	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1088	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1088	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1088	2008	dosyl.exe	DllHost.exe
PID 2008 wrote to memory of 1088	2008	dosyl.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe
"C:\Users\Admin\AppData\Local\Temp\fa83d8205d2898d5363eb0a71b38ce6c03699b158fb5e7288b1ea1bee790357b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe
"C:\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb2fa219d.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1446658263-1339523300-753965598-227977199164476895119719313621729516100977601142"
1⤵
PID:800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb2fa219d.bat

Filesize
307B

MD5
dd61257551d0db1785b3156a0ebeef47

SHA1
35efcb50a60b26547f596f5b9ca3e8a24f51d950

SHA256
c725dd69706bf06301a985d8bf6daee9d43bd1ddc31d43045053433e03be6057

SHA512
e4670e7dc6d707236d5d31cd21bf7dad8d470e13ba3a96fba88ce1ad374b88231ad4abfc0fbe1ec1e379d1dc13f8f088d53b4d064d926b21d4d884b22e6bbf88

Download Submit
C:\Users\Admin\AppData\Roaming\Enyfo\etop.voh

Filesize
398B

MD5
0574696605e2ef34f257ddf7755ca08e

SHA1
4d040dcbada8cdf71761fe43be6389e5969f5704

SHA256
311d5671224ff6094255c288063b3491f9701e033400008ee5848f40e229a876

SHA512
78ef97ef356f2454b27601a59b8d80913e9396540274c75de0e39408b2cdea3bbf679ea1e44e09285bf1f5cf37a6a22513878aa60f9a77db072c463048d06953

Download Submit
C:\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe

Filesize
138KB

MD5
0e1117f0d898b0e6b368c6ad959c4953

SHA1
9b28b8753d07fbbb7e3f8ec73f337da5c4fd6a0e

SHA256
ad806d80da89271daa600d601d128dbeaaa4343145fbbd9204de82283fe60232

SHA512
94e085acbbd0bd698bbbdbcb88f167e6ecb1c9c3c59f8b42fd4484c1fae7d7f28c96d219b21d477a53930a6a6678dfc4299cd635ad529f83aa0a907fe3b72b73

Download Submit
C:\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe

Filesize
138KB

MD5
0e1117f0d898b0e6b368c6ad959c4953

SHA1
9b28b8753d07fbbb7e3f8ec73f337da5c4fd6a0e

SHA256
ad806d80da89271daa600d601d128dbeaaa4343145fbbd9204de82283fe60232

SHA512
94e085acbbd0bd698bbbdbcb88f167e6ecb1c9c3c59f8b42fd4484c1fae7d7f28c96d219b21d477a53930a6a6678dfc4299cd635ad529f83aa0a907fe3b72b73

Download Submit
\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe

Filesize
138KB

MD5
0e1117f0d898b0e6b368c6ad959c4953

SHA1
9b28b8753d07fbbb7e3f8ec73f337da5c4fd6a0e

SHA256
ad806d80da89271daa600d601d128dbeaaa4343145fbbd9204de82283fe60232

SHA512
94e085acbbd0bd698bbbdbcb88f167e6ecb1c9c3c59f8b42fd4484c1fae7d7f28c96d219b21d477a53930a6a6678dfc4299cd635ad529f83aa0a907fe3b72b73

Download Submit
\Users\Admin\AppData\Roaming\Etycfa\dosyl.exe

Filesize
138KB

MD5
0e1117f0d898b0e6b368c6ad959c4953

SHA1
9b28b8753d07fbbb7e3f8ec73f337da5c4fd6a0e

SHA256
ad806d80da89271daa600d601d128dbeaaa4343145fbbd9204de82283fe60232

SHA512
94e085acbbd0bd698bbbdbcb88f167e6ecb1c9c3c59f8b42fd4484c1fae7d7f28c96d219b21d477a53930a6a6678dfc4299cd635ad529f83aa0a907fe3b72b73

Download Submit
memory/112-103-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/112-86-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/112-87-0x000007FEF6921000-0x000007FEF6923000-memory.dmp

Filesize
8KB

Download
memory/112-102-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/112-88-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/112-105-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/112-104-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/112-94-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/576-84-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/576-116-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-85-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/576-83-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/576-81-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/576-82-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/772-109-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/772-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/772-117-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/772-114-0x0000000000062CBA-mapping.dmp

Download
memory/772-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/772-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/800-120-0x0000000001A50000-0x0000000001A77000-memory.dmp

Filesize
156KB

Download
memory/800-123-0x0000000001A50000-0x0000000001A77000-memory.dmp

Filesize
156KB

Download
memory/800-121-0x0000000001A50000-0x0000000001A77000-memory.dmp

Filesize
156KB

Download
memory/800-122-0x0000000001A50000-0x0000000001A77000-memory.dmp

Filesize
156KB

Download
memory/968-126-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/968-127-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1216-65-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1216-63-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1216-61-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1216-64-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1216-66-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1316-71-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1316-72-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1316-70-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1316-69-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1384-75-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1384-78-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1384-77-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1384-76-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/2008-57-0x0000000000000000-mapping.dmp

Download