Overview

overview

8

Static

static

144fd205af...cd.exe

windows7-x64

8

144fd205af...cd.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    248s
  • max time network
    346s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    144fd205af08918f076e95c1627677d6736d06864c42c2124fd6288cb8defacd.exe

  • Size

    138KB

  • MD5

    6451caab830185967cceece215c76c13

  • SHA1

    2ca0f4657a8976b344975c3532c5d043ce98ddf3

  • SHA256

    144fd205af08918f076e95c1627677d6736d06864c42c2124fd6288cb8defacd

  • SHA512

    971ccbe668ae82a2d8dc2fb098329584ac5bf38ea8864f100f35c4d44bd3756df5d6ab01c5f6dc542bd17aaa1ddea3afb3e27b16e0e0ba9c938ceb574554656b

  • SSDEEP

    3072:KTFx50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1r3wQGxC:KTFoGtmiYlW4A1QvGXjBUQGxC

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\144fd205af08918f076e95c1627677d6736d06864c42c2124fd6288cb8defacd.exe
        "C:\Users\Admin\AppData\Local\Temp\144fd205af08918f076e95c1627677d6736d06864c42c2124fd6288cb8defacd.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\Roaming\Datula\ilux.exe
          "C:\Users\Admin\AppData\Roaming\Datula\ilux.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1448
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4d744a76.bat"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:772
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1192
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1132
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "18384591207301281711714364056707320209-470974169-638785921831421913-903701249"
          1⤵
            PID:316
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1660
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1712
              • C:\Program Files\Windows Mail\WinMail.exe
                "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1584

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Datula\ilux.exe
                Filesize

                138KB

                MD5

                c2f1782ef9318d3a03499c5e383f4085

                SHA1

                dbf11a81f445210ba0683514b046b04631fd5385

                SHA256

                2ec57f3a1d790469dc8a537a0442f20b3e9517173ac2c123f6b48299763a40dd

                SHA512

                9f3d6e632866ec3440e3cf2e043e0af9bc4b54baa4180b82aa4bfb6f175d5ea832a81a1f8665ce0bd28f80b2b04b96fe566f30bd0ea42eb575b5633337aace0d

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Datula\ilux.exe
                Filesize

                138KB

                MD5

                c2f1782ef9318d3a03499c5e383f4085

                SHA1

                dbf11a81f445210ba0683514b046b04631fd5385

                SHA256

                2ec57f3a1d790469dc8a537a0442f20b3e9517173ac2c123f6b48299763a40dd

                SHA512

                9f3d6e632866ec3440e3cf2e043e0af9bc4b54baa4180b82aa4bfb6f175d5ea832a81a1f8665ce0bd28f80b2b04b96fe566f30bd0ea42eb575b5633337aace0d

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Ycacag\piqyu.piw
                Filesize

                398B

                MD5

                fe8eabf6dccbce2379b3b72e0995eb12

                SHA1

                e79ab81a798504a4678ce881b6761f664087906f

                SHA256

                67f244957b0c93c101344cdc10112c1df76fb42c22cbf253ff7e681fd1ca3327

                SHA512

                c46636d126b9401736d6a29f6b06e5ad9d894302393e9c2b1552d2581152580bcade624f1c82e4a8ba850d8f1941a2ea16d1cc74a3ca6ad1868644380c967623

                Download Submit
              • \Users\Admin\AppData\Roaming\Datula\ilux.exe
                Filesize

                138KB

                MD5

                c2f1782ef9318d3a03499c5e383f4085

                SHA1

                dbf11a81f445210ba0683514b046b04631fd5385

                SHA256

                2ec57f3a1d790469dc8a537a0442f20b3e9517173ac2c123f6b48299763a40dd

                SHA512

                9f3d6e632866ec3440e3cf2e043e0af9bc4b54baa4180b82aa4bfb6f175d5ea832a81a1f8665ce0bd28f80b2b04b96fe566f30bd0ea42eb575b5633337aace0d

                Download Submit
              • \Users\Admin\AppData\Roaming\Datula\ilux.exe
                Filesize

                138KB

                MD5

                c2f1782ef9318d3a03499c5e383f4085

                SHA1

                dbf11a81f445210ba0683514b046b04631fd5385

                SHA256

                2ec57f3a1d790469dc8a537a0442f20b3e9517173ac2c123f6b48299763a40dd

                SHA512

                9f3d6e632866ec3440e3cf2e043e0af9bc4b54baa4180b82aa4bfb6f175d5ea832a81a1f8665ce0bd28f80b2b04b96fe566f30bd0ea42eb575b5633337aace0d

                Download Submit
              • memory/316-99-0x0000000000230000-0x0000000000257000-memory.dmp
                Filesize

                156KB

                Download
              • memory/316-102-0x0000000000230000-0x0000000000257000-memory.dmp
                Filesize

                156KB

                Download
              • memory/316-100-0x0000000000230000-0x0000000000257000-memory.dmp
                Filesize

                156KB

                Download
              • memory/316-101-0x0000000000230000-0x0000000000257000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-89-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-103-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-95-0x0000000000062CBA-mapping.dmp
                Download
              • memory/772-104-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-93-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-91-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/772-92-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1132-66-0x0000000001CD0000-0x0000000001CF7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1132-65-0x0000000001CD0000-0x0000000001CF7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1132-64-0x0000000001CD0000-0x0000000001CF7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1132-63-0x0000000001CD0000-0x0000000001CF7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1132-61-0x0000000001CD0000-0x0000000001CF7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1192-70-0x0000000001AC0000-0x0000000001AE7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1192-69-0x0000000001AC0000-0x0000000001AE7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1192-71-0x0000000001AC0000-0x0000000001AE7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1192-72-0x0000000001AC0000-0x0000000001AE7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-76-0x00000000029F0000-0x0000000002A17000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-75-0x00000000029F0000-0x0000000002A17000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-78-0x00000000029F0000-0x0000000002A17000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-77-0x00000000029F0000-0x0000000002A17000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1448-57-0x0000000000000000-mapping.dmp
                Download
              • memory/1480-54-0x0000000075491000-0x0000000075493000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1480-82-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1480-83-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1480-84-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1480-86-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1480-85-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1480-81-0x0000000000270000-0x0000000000297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1584-117-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1584-125-0x00000000024E0000-0x00000000024F0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1584-119-0x00000000023B0000-0x00000000023C0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1584-118-0x000007FEF67A1000-0x000007FEF67A3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1660-109-0x0000000000220000-0x0000000000247000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1660-110-0x0000000000220000-0x0000000000247000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1660-108-0x0000000000220000-0x0000000000247000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1660-107-0x0000000000220000-0x0000000000247000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1712-114-0x0000000003880000-0x00000000038A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1712-115-0x0000000003880000-0x00000000038A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1712-116-0x0000000003880000-0x00000000038A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1712-113-0x0000000003880000-0x00000000038A7000-memory.dmp
                Filesize

                156KB

                Download