3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74

Analysis

max time kernel
185s
max time network
205s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
Size

138KB
MD5

a9f1463eff20e510692df682d038b684
SHA1

78c8fbee393c44076fbd83964710a376accf3069
SHA256

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74
SHA512

e72d3ab0698309322660b010b0a3adecc363e2a46fb9b36331c28fb51accff498a51c15ad578577853434980ae84cf7b6a14e746af6f91c2757c58254be5400c
SSDEEP

3072:/caqyte6GV77snHLLxtByaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmg:/caBtw77snHRCY7PNNW4IxZ7zbC0rONV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ised.exe

pid process

1192 ised.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

872 cmd.exe

pid	process
872	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe

pid	process
1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ised.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\Currentversion\Run	ised.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A4EB06D5-268A-CC18-BF69-117D399E4F5D} = "C:\\Users\\Admin\\AppData\\Roaming\\Evwe\\ised.exe"	ised.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe

description pid process target process

PID 1744 set thread context of 872 1744 3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe cmd.exe

description	pid	process	target process
PID 1744 set thread context of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\098F7576-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ised.exe

pid	process
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe
1192	ised.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
Token: SeSecurityPrivilege	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
Token: SeSecurityPrivilege	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
Token: SeManageVolumePrivilege	1536	WinMail.exe
Token: SeSecurityPrivilege	872	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1536 WinMail.exe

pid	process
1536	WinMail.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exeised.exe

description	pid	process	target process
PID 1744 wrote to memory of 1192	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	ised.exe
PID 1744 wrote to memory of 1192	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	ised.exe
PID 1744 wrote to memory of 1192	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	ised.exe
PID 1744 wrote to memory of 1192	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	ised.exe
PID 1192 wrote to memory of 1128	1192	ised.exe	taskhost.exe
PID 1192 wrote to memory of 1128	1192	ised.exe	taskhost.exe
PID 1192 wrote to memory of 1128	1192	ised.exe	taskhost.exe
PID 1192 wrote to memory of 1128	1192	ised.exe	taskhost.exe
PID 1192 wrote to memory of 1128	1192	ised.exe	taskhost.exe
PID 1192 wrote to memory of 1240	1192	ised.exe	Dwm.exe
PID 1192 wrote to memory of 1240	1192	ised.exe	Dwm.exe
PID 1192 wrote to memory of 1240	1192	ised.exe	Dwm.exe
PID 1192 wrote to memory of 1240	1192	ised.exe	Dwm.exe
PID 1192 wrote to memory of 1240	1192	ised.exe	Dwm.exe
PID 1192 wrote to memory of 1276	1192	ised.exe	Explorer.EXE
PID 1192 wrote to memory of 1276	1192	ised.exe	Explorer.EXE
PID 1192 wrote to memory of 1276	1192	ised.exe	Explorer.EXE
PID 1192 wrote to memory of 1276	1192	ised.exe	Explorer.EXE
PID 1192 wrote to memory of 1276	1192	ised.exe	Explorer.EXE
PID 1192 wrote to memory of 1744	1192	ised.exe	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
PID 1192 wrote to memory of 1744	1192	ised.exe	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
PID 1192 wrote to memory of 1744	1192	ised.exe	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
PID 1192 wrote to memory of 1744	1192	ised.exe	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
PID 1192 wrote to memory of 1744	1192	ised.exe	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
PID 1192 wrote to memory of 1536	1192	ised.exe	WinMail.exe
PID 1192 wrote to memory of 1536	1192	ised.exe	WinMail.exe
PID 1192 wrote to memory of 1536	1192	ised.exe	WinMail.exe
PID 1192 wrote to memory of 1536	1192	ised.exe	WinMail.exe
PID 1192 wrote to memory of 1536	1192	ised.exe	WinMail.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1744 wrote to memory of 872	1744	3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe	cmd.exe
PID 1192 wrote to memory of 1148	1192	ised.exe	conhost.exe
PID 1192 wrote to memory of 1148	1192	ised.exe	conhost.exe
PID 1192 wrote to memory of 1148	1192	ised.exe	conhost.exe
PID 1192 wrote to memory of 1148	1192	ised.exe	conhost.exe
PID 1192 wrote to memory of 1148	1192	ised.exe	conhost.exe
PID 1192 wrote to memory of 1108	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1108	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1108	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1108	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1108	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 896	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 896	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 896	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 896	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 896	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1876	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1876	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1876	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1876	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 1876	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 624	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 624	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 624	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 624	1192	ised.exe	DllHost.exe
PID 1192 wrote to memory of 624	1192	ised.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
"C:\Users\Admin\AppData\Local\Temp\3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\Evwe\ised.exe
"C:\Users\Admin\AppData\Roaming\Evwe\ised.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp849b589e.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55757468412371585496638908662017951898-1752156825683475568-396636982851569537"
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp849b589e.bat

Filesize
307B

MD5
3794af9c6b68aa687be0fdc0f337c92a

SHA1
d43e69c0fbc2230f2f7204e30d515e492e7551fa

SHA256
90849d64c7e9558935cc5e903441a6e15a92c222df40fca023819b0c4495541f

SHA512
dd725e91c19fbf88165cf3c1166a1e2b3968a72c459da3265fe270589ea98348b43e0bf04366cc736dc7041d13fc235f2bf9a706cb8c41bfe8b1d9db828a678f

Download Submit
C:\Users\Admin\AppData\Roaming\Evwe\ised.exe

Filesize
138KB

MD5
a41ecadd1a92c8d1a9353210f44d0a4b

SHA1
b2d96ecfc533cc7fd276532abe2bdd38264c9617

SHA256
7a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0

SHA512
1f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c

Download Submit
C:\Users\Admin\AppData\Roaming\Evwe\ised.exe

Filesize
138KB

MD5
a41ecadd1a92c8d1a9353210f44d0a4b

SHA1
b2d96ecfc533cc7fd276532abe2bdd38264c9617

SHA256
7a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0

SHA512
1f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c

Download Submit
C:\Users\Admin\AppData\Roaming\Nyuvky\ifapw.lek

Filesize
398B

MD5
1648096775297417d5692ee3bbfe1ba5

SHA1
f39ecc077357e717a9b1cc5020f6db72eb542ea5

SHA256
3d24a05cc1907f55dd5dab505cfa6d37a8274c8f5e165938986385ae11175eca

SHA512
e9caf3dd0b39b7c1c7b0b7920fc4e81d8087225c5a257b529178cda8f21d5615ee825332fffd0b4b3b16d64bdd32087ccdd471aa85d44d6acff41ca3ab3f1131

Download Submit
\Users\Admin\AppData\Roaming\Evwe\ised.exe

Filesize
138KB

MD5
a41ecadd1a92c8d1a9353210f44d0a4b

SHA1
b2d96ecfc533cc7fd276532abe2bdd38264c9617

SHA256
7a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0

SHA512
1f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c

Download Submit
\Users\Admin\AppData\Roaming\Evwe\ised.exe

Filesize
138KB

MD5
a41ecadd1a92c8d1a9353210f44d0a4b

SHA1
b2d96ecfc533cc7fd276532abe2bdd38264c9617

SHA256
7a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0

SHA512
1f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c

Download Submit
memory/872-102-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/872-105-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/872-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/872-106-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/872-114-0x000000000006D12E-mapping.dmp

Download
memory/872-104-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/872-135-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1108-126-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1108-125-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/1128-61-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-66-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-65-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-64-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-63-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1148-122-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1148-120-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1148-119-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1148-121-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1192-57-0x0000000000000000-mapping.dmp

Download
memory/1240-69-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1240-70-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1240-71-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1240-72-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1276-78-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1276-75-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1276-76-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1276-77-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1536-86-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download
memory/1536-108-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/1536-91-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1536-87-0x000007FEF5DB1000-0x000007FEF5DB3000-memory.dmp

Filesize
8KB

Download
memory/1536-94-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1536-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1536-93-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1744-83-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1744-82-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1744-81-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1744-84-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1744-85-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1744-54-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download