0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0

Analysis

max time kernel
158s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
Size

138KB
MD5

6d8819c8210134eb975c152c08279a72
SHA1

4f44d19399ddfb84ff1fdbd8f1881ab77d65cf2b
SHA256

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0
SHA512

1737e0d3076192d94cc8ebfb0babac39f027a73f4c72e40d669cbaf71b2cf645c09c40da413913c294d239dae20e66d915ce95f3e5cb3fbc96e5acca6102c9dd
SSDEEP

3072:KTSx50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1b3wQGl:KTSoGtmiYlW4A1QvGXjBkQGl

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

loafq.exe

pid process

1412 loafq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

840 cmd.exe

pid	process
840	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe

pid	process
1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

loafq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	loafq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EDE94C82-C746-F1C9-96B2-C3D51FF873D9} = "C:\\Users\\Admin\\AppData\\Roaming\\Qyrul\\loafq.exe"	loafq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe

description pid process target process

PID 1356 set thread context of 840 1356 0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe cmd.exe

description	pid	process	target process
PID 1356 set thread context of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3E8A765B-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

loafq.exe

pid	process
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe
1412	loafq.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
Token: SeSecurityPrivilege	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
Token: SeSecurityPrivilege	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
Token: SeSecurityPrivilege	840	cmd.exe
Token: SeManageVolumePrivilege	1280	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1280 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1280 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1280 WinMail.exe

pid	process
1280	WinMail.exe

pid	process
1280	WinMail.exe

pid	process
1280	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exeloafq.exe

description	pid	process	target process
PID 1356 wrote to memory of 1412	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	loafq.exe
PID 1356 wrote to memory of 1412	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	loafq.exe
PID 1356 wrote to memory of 1412	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	loafq.exe
PID 1356 wrote to memory of 1412	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	loafq.exe
PID 1412 wrote to memory of 1148	1412	loafq.exe	taskhost.exe
PID 1412 wrote to memory of 1148	1412	loafq.exe	taskhost.exe
PID 1412 wrote to memory of 1148	1412	loafq.exe	taskhost.exe
PID 1412 wrote to memory of 1148	1412	loafq.exe	taskhost.exe
PID 1412 wrote to memory of 1148	1412	loafq.exe	taskhost.exe
PID 1412 wrote to memory of 1236	1412	loafq.exe	Dwm.exe
PID 1412 wrote to memory of 1236	1412	loafq.exe	Dwm.exe
PID 1412 wrote to memory of 1236	1412	loafq.exe	Dwm.exe
PID 1412 wrote to memory of 1236	1412	loafq.exe	Dwm.exe
PID 1412 wrote to memory of 1236	1412	loafq.exe	Dwm.exe
PID 1412 wrote to memory of 1272	1412	loafq.exe	Explorer.EXE
PID 1412 wrote to memory of 1272	1412	loafq.exe	Explorer.EXE
PID 1412 wrote to memory of 1272	1412	loafq.exe	Explorer.EXE
PID 1412 wrote to memory of 1272	1412	loafq.exe	Explorer.EXE
PID 1412 wrote to memory of 1272	1412	loafq.exe	Explorer.EXE
PID 1412 wrote to memory of 1356	1412	loafq.exe	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
PID 1412 wrote to memory of 1356	1412	loafq.exe	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
PID 1412 wrote to memory of 1356	1412	loafq.exe	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
PID 1412 wrote to memory of 1356	1412	loafq.exe	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
PID 1412 wrote to memory of 1356	1412	loafq.exe	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe	cmd.exe
PID 1412 wrote to memory of 1684	1412	loafq.exe	conhost.exe
PID 1412 wrote to memory of 1684	1412	loafq.exe	conhost.exe
PID 1412 wrote to memory of 1684	1412	loafq.exe	conhost.exe
PID 1412 wrote to memory of 1684	1412	loafq.exe	conhost.exe
PID 1412 wrote to memory of 1684	1412	loafq.exe	conhost.exe
PID 1412 wrote to memory of 1280	1412	loafq.exe	WinMail.exe
PID 1412 wrote to memory of 1280	1412	loafq.exe	WinMail.exe
PID 1412 wrote to memory of 1280	1412	loafq.exe	WinMail.exe
PID 1412 wrote to memory of 1280	1412	loafq.exe	WinMail.exe
PID 1412 wrote to memory of 1280	1412	loafq.exe	WinMail.exe
PID 1412 wrote to memory of 1200	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1200	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1200	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1200	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1200	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1388	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1388	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1388	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1388	1412	loafq.exe	DllHost.exe
PID 1412 wrote to memory of 1388	1412	loafq.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe
"C:\Users\Admin\AppData\Local\Temp\0fb2acc83d60301102cda6e78db8cd4546e774bac836bf87c633c3fd1a86b1e0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Roaming\Qyrul\loafq.exe
"C:\Users\Admin\AppData\Roaming\Qyrul\loafq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb7b18f31.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1321468786-305325399-1247776549-1709128616-37231726905878190-334584036-1070824153"
1⤵
PID:1684

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb7b18f31.bat

Filesize
307B

MD5
9f6b34714a614645a72b11d581db0725

SHA1
a21485c437b1b244dd543d9abeee7f86c84093c3

SHA256
c4aefd7bcfb36491e0c1eabb080d3fb39d632df98f1747c3eeaf5d5c765e9301

SHA512
29df5eb0c8d8194803774bb27e60ad509bf9b08a9665035610c6a289b1428439348d384cf1e079c2d0c369c059b9179cfbd081a42c55856b5ab0879a43bcedc0

Download Submit
C:\Users\Admin\AppData\Roaming\Guri\uvyq.xay

Filesize
398B

MD5
68223d3e82f956293c362b7b5a21a87f

SHA1
094d469eddf15d62399e87fa5335fa5979a9fdb1

SHA256
2d6658da29479dc21f8cc7b4ca1f1d2706ccc7ae219e3f5b59dfdfb432b3bb23

SHA512
019af572c0bd828adcc15b4df347bf2643f09b53358630e595247788a5321399ce852b8aa3143cd77c363aa1c167c87360b7c17494ef3a54c8df7acda85dbc83

Download Submit
C:\Users\Admin\AppData\Roaming\Qyrul\loafq.exe

Filesize
138KB

MD5
8a5ca5926331d6edc8603a3927a9ec72

SHA1
7f5fa9708200b9405a1a3c62ae41722940e01bb9

SHA256
af773dad442b162d9c8731f0259a65dee1870e8bfc5953a8ef0627b55cadd11e

SHA512
700c09ac172ab5dbe23cef3899bcd91b56de94fde8a4f0e9139f9651c0a90828199213f2465618a0105e03a5f0a562b2da9d518e37cc30fd6711574dcd6fc9b4

Download Submit
C:\Users\Admin\AppData\Roaming\Qyrul\loafq.exe

Filesize
138KB

MD5
8a5ca5926331d6edc8603a3927a9ec72

SHA1
7f5fa9708200b9405a1a3c62ae41722940e01bb9

SHA256
af773dad442b162d9c8731f0259a65dee1870e8bfc5953a8ef0627b55cadd11e

SHA512
700c09ac172ab5dbe23cef3899bcd91b56de94fde8a4f0e9139f9651c0a90828199213f2465618a0105e03a5f0a562b2da9d518e37cc30fd6711574dcd6fc9b4

Download Submit
\Users\Admin\AppData\Roaming\Qyrul\loafq.exe

Filesize
138KB

MD5
8a5ca5926331d6edc8603a3927a9ec72

SHA1
7f5fa9708200b9405a1a3c62ae41722940e01bb9

SHA256
af773dad442b162d9c8731f0259a65dee1870e8bfc5953a8ef0627b55cadd11e

SHA512
700c09ac172ab5dbe23cef3899bcd91b56de94fde8a4f0e9139f9651c0a90828199213f2465618a0105e03a5f0a562b2da9d518e37cc30fd6711574dcd6fc9b4

Download Submit
\Users\Admin\AppData\Roaming\Qyrul\loafq.exe

Filesize
138KB

MD5
8a5ca5926331d6edc8603a3927a9ec72

SHA1
7f5fa9708200b9405a1a3c62ae41722940e01bb9

SHA256
af773dad442b162d9c8731f0259a65dee1870e8bfc5953a8ef0627b55cadd11e

SHA512
700c09ac172ab5dbe23cef3899bcd91b56de94fde8a4f0e9139f9651c0a90828199213f2465618a0105e03a5f0a562b2da9d518e37cc30fd6711574dcd6fc9b4

Download Submit
memory/840-88-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/840-96-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/840-94-0x0000000000062CBA-mapping.dmp

Download
memory/840-91-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/840-92-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/840-90-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1148-64-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1148-61-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1148-63-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1148-65-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1148-66-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1200-126-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1200-125-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1236-72-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1236-71-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1236-69-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1236-70-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1272-78-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1272-77-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1272-76-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1272-75-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1280-122-0x0000000003D70000-0x0000000003D97000-memory.dmp

Filesize
156KB

Download
memory/1280-121-0x0000000003D70000-0x0000000003D97000-memory.dmp

Filesize
156KB

Download
memory/1280-120-0x0000000003D70000-0x0000000003D97000-memory.dmp

Filesize
156KB

Download
memory/1280-103-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1280-119-0x0000000003D70000-0x0000000003D97000-memory.dmp

Filesize
156KB

Download
memory/1280-111-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/1280-105-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1280-104-0x000007FEF63E1000-0x000007FEF63E3000-memory.dmp

Filesize
8KB

Download
memory/1356-83-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-85-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-84-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-82-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1356-81-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1412-57-0x0000000000000000-mapping.dmp

Download
memory/1684-102-0x0000000001AA0000-0x0000000001AC7000-memory.dmp

Filesize
156KB

Download
memory/1684-100-0x0000000001AA0000-0x0000000001AC7000-memory.dmp

Filesize
156KB

Download
memory/1684-101-0x0000000001AA0000-0x0000000001AC7000-memory.dmp

Filesize
156KB

Download
memory/1684-99-0x0000000001AA0000-0x0000000001AC7000-memory.dmp

Filesize
156KB

Download