Analysis
-
max time kernel
185s -
max time network
205s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 09:45
General
-
Target
3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe
-
Size
138KB
-
MD5
a9f1463eff20e510692df682d038b684
-
SHA1
78c8fbee393c44076fbd83964710a376accf3069
-
SHA256
3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74
-
SHA512
e72d3ab0698309322660b010b0a3adecc363e2a46fb9b36331c28fb51accff498a51c15ad578577853434980ae84cf7b6a14e746af6f91c2757c58254be5400c
-
SSDEEP
3072:/caqyte6GV77snHLLxtByaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmg:/caBtw77snHRCY7PNNW4IxZ7zbC0rONV
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe"C:\Users\Admin\AppData\Local\Temp\3982c767d814e68cb965d6c33acb9ffa7f844a9d5aa9a02b22014ee3875f1a74.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Evwe\ised.exe"C:\Users\Admin\AppData\Roaming\Evwe\ised.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp849b589e.bat"3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "55757468412371585496638908662017951898-1752156825683475568-396636982851569537"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp849b589e.batFilesize
307B
MD53794af9c6b68aa687be0fdc0f337c92a
SHA1d43e69c0fbc2230f2f7204e30d515e492e7551fa
SHA25690849d64c7e9558935cc5e903441a6e15a92c222df40fca023819b0c4495541f
SHA512dd725e91c19fbf88165cf3c1166a1e2b3968a72c459da3265fe270589ea98348b43e0bf04366cc736dc7041d13fc235f2bf9a706cb8c41bfe8b1d9db828a678f
-
C:\Users\Admin\AppData\Roaming\Evwe\ised.exeFilesize
138KB
MD5a41ecadd1a92c8d1a9353210f44d0a4b
SHA1b2d96ecfc533cc7fd276532abe2bdd38264c9617
SHA2567a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0
SHA5121f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c
-
C:\Users\Admin\AppData\Roaming\Evwe\ised.exeFilesize
138KB
MD5a41ecadd1a92c8d1a9353210f44d0a4b
SHA1b2d96ecfc533cc7fd276532abe2bdd38264c9617
SHA2567a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0
SHA5121f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c
-
C:\Users\Admin\AppData\Roaming\Nyuvky\ifapw.lekFilesize
398B
MD51648096775297417d5692ee3bbfe1ba5
SHA1f39ecc077357e717a9b1cc5020f6db72eb542ea5
SHA2563d24a05cc1907f55dd5dab505cfa6d37a8274c8f5e165938986385ae11175eca
SHA512e9caf3dd0b39b7c1c7b0b7920fc4e81d8087225c5a257b529178cda8f21d5615ee825332fffd0b4b3b16d64bdd32087ccdd471aa85d44d6acff41ca3ab3f1131
-
\Users\Admin\AppData\Roaming\Evwe\ised.exeFilesize
138KB
MD5a41ecadd1a92c8d1a9353210f44d0a4b
SHA1b2d96ecfc533cc7fd276532abe2bdd38264c9617
SHA2567a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0
SHA5121f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c
-
\Users\Admin\AppData\Roaming\Evwe\ised.exeFilesize
138KB
MD5a41ecadd1a92c8d1a9353210f44d0a4b
SHA1b2d96ecfc533cc7fd276532abe2bdd38264c9617
SHA2567a568c16b253aab4eb190e7c2dc2350da258b625174ba7eeb0f410a9faa678c0
SHA5121f7edcbb816ac233dd3463946bbd08169abf991272d80ff108b8bfd2e4ac20138d53a2f761654505af96adf825d61d3c0fff9c3525b5600eb28901f3ad12ed4c
-
memory/872-102-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/872-105-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/872-116-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/872-106-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/872-114-0x000000000006D12E-mapping.dmp
-
memory/872-104-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/872-135-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/1108-126-0x0000000001C40000-0x0000000001C67000-memory.dmpFilesize
156KB
-
memory/1108-125-0x0000000001C40000-0x0000000001C67000-memory.dmpFilesize
156KB
-
memory/1128-61-0x0000000001CB0000-0x0000000001CD7000-memory.dmpFilesize
156KB
-
memory/1128-66-0x0000000001CB0000-0x0000000001CD7000-memory.dmpFilesize
156KB
-
memory/1128-65-0x0000000001CB0000-0x0000000001CD7000-memory.dmpFilesize
156KB
-
memory/1128-64-0x0000000001CB0000-0x0000000001CD7000-memory.dmpFilesize
156KB
-
memory/1128-63-0x0000000001CB0000-0x0000000001CD7000-memory.dmpFilesize
156KB
-
memory/1148-122-0x0000000000240000-0x0000000000267000-memory.dmpFilesize
156KB
-
memory/1148-120-0x0000000000240000-0x0000000000267000-memory.dmpFilesize
156KB
-
memory/1148-119-0x0000000000240000-0x0000000000267000-memory.dmpFilesize
156KB
-
memory/1148-121-0x0000000000240000-0x0000000000267000-memory.dmpFilesize
156KB
-
memory/1192-57-0x0000000000000000-mapping.dmp
-
memory/1240-69-0x0000000000120000-0x0000000000147000-memory.dmpFilesize
156KB
-
memory/1240-70-0x0000000000120000-0x0000000000147000-memory.dmpFilesize
156KB
-
memory/1240-71-0x0000000000120000-0x0000000000147000-memory.dmpFilesize
156KB
-
memory/1240-72-0x0000000000120000-0x0000000000147000-memory.dmpFilesize
156KB
-
memory/1276-78-0x0000000002A00000-0x0000000002A27000-memory.dmpFilesize
156KB
-
memory/1276-75-0x0000000002A00000-0x0000000002A27000-memory.dmpFilesize
156KB
-
memory/1276-76-0x0000000002A00000-0x0000000002A27000-memory.dmpFilesize
156KB
-
memory/1276-77-0x0000000002A00000-0x0000000002A27000-memory.dmpFilesize
156KB
-
memory/1536-86-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmpFilesize
8KB
-
memory/1536-108-0x0000000002070000-0x0000000002080000-memory.dmpFilesize
64KB
-
memory/1536-91-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1536-87-0x000007FEF5DB1000-0x000007FEF5DB3000-memory.dmpFilesize
8KB
-
memory/1536-94-0x0000000000450000-0x0000000000460000-memory.dmpFilesize
64KB
-
memory/1536-90-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1536-93-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1744-83-0x0000000000230000-0x0000000000257000-memory.dmpFilesize
156KB
-
memory/1744-82-0x0000000000230000-0x0000000000257000-memory.dmpFilesize
156KB
-
memory/1744-81-0x0000000000230000-0x0000000000257000-memory.dmpFilesize
156KB
-
memory/1744-84-0x0000000000230000-0x0000000000257000-memory.dmpFilesize
156KB
-
memory/1744-85-0x0000000000230000-0x0000000000257000-memory.dmpFilesize
156KB
-
memory/1744-54-0x0000000076301000-0x0000000076303000-memory.dmpFilesize
8KB