8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f

Analysis

max time kernel
183s
max time network
181s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
Size

138KB
MD5

9b09ed30a99f63b39ec9708e42ba0480
SHA1

26237c48e83bb99d7406a6e6c15e72b94575a2e7
SHA256

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f
SHA512

696655909c45e57f1aa6897bb028415fc16eb22b38153398e5009be9e6e49778abb76fb100b24b0a999fb69ac21f7c637913e4faaa7a583021bd74647558b1f5
SSDEEP

3072:qzr1LZQEduEgsW2UPqxUEXqkC0i50/YXiQXT+t/8XIgfUTaXD3kz1QNI:qzr1L+QHhUPqxUEVQiQwkXhfUThQi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zoyv.exe

pid process

300 zoyv.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe

pid	process
1364	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe

pid	process
1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zoyv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\Currentversion\Run	zoyv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{381B0BFE-D51D-989F-4657-F339EAC47B68} = "C:\\Users\\Admin\\AppData\\Roaming\\Zozeem\\zoyv.exe"	zoyv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe

description	pid	process	target process
PID 1044 set thread context of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\381768C4-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

zoyv.exe

pid	process
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe
300	zoyv.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
Token: SeSecurityPrivilege	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
Token: SeSecurityPrivilege	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
Token: SeSecurityPrivilege	1364	cmd.exe
Token: SeManageVolumePrivilege	1952	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1952 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1952 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1952 WinMail.exe

pid	process
1952	WinMail.exe

pid	process
1952	WinMail.exe

pid	process
1952	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exezoyv.exe

description	pid	process	target process
PID 1044 wrote to memory of 300	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	zoyv.exe
PID 1044 wrote to memory of 300	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	zoyv.exe
PID 1044 wrote to memory of 300	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	zoyv.exe
PID 1044 wrote to memory of 300	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	zoyv.exe
PID 300 wrote to memory of 1112	300	zoyv.exe	taskhost.exe
PID 300 wrote to memory of 1112	300	zoyv.exe	taskhost.exe
PID 300 wrote to memory of 1112	300	zoyv.exe	taskhost.exe
PID 300 wrote to memory of 1112	300	zoyv.exe	taskhost.exe
PID 300 wrote to memory of 1112	300	zoyv.exe	taskhost.exe
PID 300 wrote to memory of 1168	300	zoyv.exe	Dwm.exe
PID 300 wrote to memory of 1168	300	zoyv.exe	Dwm.exe
PID 300 wrote to memory of 1168	300	zoyv.exe	Dwm.exe
PID 300 wrote to memory of 1168	300	zoyv.exe	Dwm.exe
PID 300 wrote to memory of 1168	300	zoyv.exe	Dwm.exe
PID 300 wrote to memory of 1200	300	zoyv.exe	Explorer.EXE
PID 300 wrote to memory of 1200	300	zoyv.exe	Explorer.EXE
PID 300 wrote to memory of 1200	300	zoyv.exe	Explorer.EXE
PID 300 wrote to memory of 1200	300	zoyv.exe	Explorer.EXE
PID 300 wrote to memory of 1200	300	zoyv.exe	Explorer.EXE
PID 300 wrote to memory of 1044	300	zoyv.exe	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
PID 300 wrote to memory of 1044	300	zoyv.exe	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
PID 300 wrote to memory of 1044	300	zoyv.exe	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
PID 300 wrote to memory of 1044	300	zoyv.exe	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
PID 300 wrote to memory of 1044	300	zoyv.exe	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 1044 wrote to memory of 1364	1044	8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe	cmd.exe
PID 300 wrote to memory of 1088	300	zoyv.exe	conhost.exe
PID 300 wrote to memory of 1088	300	zoyv.exe	conhost.exe
PID 300 wrote to memory of 1088	300	zoyv.exe	conhost.exe
PID 300 wrote to memory of 1088	300	zoyv.exe	conhost.exe
PID 300 wrote to memory of 1088	300	zoyv.exe	conhost.exe
PID 300 wrote to memory of 1952	300	zoyv.exe	WinMail.exe
PID 300 wrote to memory of 1952	300	zoyv.exe	WinMail.exe
PID 300 wrote to memory of 1952	300	zoyv.exe	WinMail.exe
PID 300 wrote to memory of 1952	300	zoyv.exe	WinMail.exe
PID 300 wrote to memory of 1952	300	zoyv.exe	WinMail.exe
PID 300 wrote to memory of 1340	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 1340	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 1340	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 1340	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 1340	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 948	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 948	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 948	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 948	300	zoyv.exe	DllHost.exe
PID 300 wrote to memory of 948	300	zoyv.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe
"C:\Users\Admin\AppData\Local\Temp\8e63d2132a48ad8c1ed9300d922b4ba41f45a542030dab78f332942b3490ce6f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe
"C:\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp49af9f90.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-435356513550955307-858507945-1099116131890109002425751437-299715345898930950"
1⤵
PID:1088

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp49af9f90.bat

Filesize
307B

MD5
32cffec74123b53a8da0e15777223da8

SHA1
3215b64f0267d6de5f7216858bca5cf4911b3e1f

SHA256
cf69df717fc8e77b4a9327a6b872cf7c47565e8ccda392f58e3e18bd7279f604

SHA512
206622076b4bc196605b02b596e1d8ae7b2a36dba468d896fa30b5d8f8c9ea7125d220375aa8a8718288993a1f6448ad5553501bb170d9e027526aad91e8085a

Download Submit
C:\Users\Admin\AppData\Roaming\Sutyso\vyakl.esp

Filesize
398B

MD5
8fb62c71e73590360e5ec1cbe43a33ef

SHA1
c5ef49235a55419485baeb69fada0335cc74f2a7

SHA256
dd2b136db4a09340bcf9a61951b0f1984e6bca500eee70b0682c8b18aaf3a964

SHA512
6fd3106f8ec1fb584d2a28ad35d5cc2c97f5383424fa019f37407f12f58e6e960fabfde7e20a8074c41ebd51d0aab118bcd8dfda923acf8c46fbb50c67dbace0

Download Submit
C:\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe

Filesize
138KB

MD5
75ec7e314b8a2320085a8085154df895

SHA1
103f555c516fb301fed909341392a234c640a6d4

SHA256
356e03164c42b4e351acdabcb0fc28c1a6f32f745aca55a437ec9091c1bf2467

SHA512
7db1b62c64786755a46db663d53c9bd1b118e85a5d2984bbb0ca172c333acc1fa951189f7b80f003da20f44b18560ef2c623bdd6e6ead6ac9a562cc43504f856

Download Submit
C:\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe

Filesize
138KB

MD5
75ec7e314b8a2320085a8085154df895

SHA1
103f555c516fb301fed909341392a234c640a6d4

SHA256
356e03164c42b4e351acdabcb0fc28c1a6f32f745aca55a437ec9091c1bf2467

SHA512
7db1b62c64786755a46db663d53c9bd1b118e85a5d2984bbb0ca172c333acc1fa951189f7b80f003da20f44b18560ef2c623bdd6e6ead6ac9a562cc43504f856

Download Submit
\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe

Filesize
138KB

MD5
75ec7e314b8a2320085a8085154df895

SHA1
103f555c516fb301fed909341392a234c640a6d4

SHA256
356e03164c42b4e351acdabcb0fc28c1a6f32f745aca55a437ec9091c1bf2467

SHA512
7db1b62c64786755a46db663d53c9bd1b118e85a5d2984bbb0ca172c333acc1fa951189f7b80f003da20f44b18560ef2c623bdd6e6ead6ac9a562cc43504f856

Download Submit
\Users\Admin\AppData\Roaming\Zozeem\zoyv.exe

Filesize
138KB

MD5
75ec7e314b8a2320085a8085154df895

SHA1
103f555c516fb301fed909341392a234c640a6d4

SHA256
356e03164c42b4e351acdabcb0fc28c1a6f32f745aca55a437ec9091c1bf2467

SHA512
7db1b62c64786755a46db663d53c9bd1b118e85a5d2984bbb0ca172c333acc1fa951189f7b80f003da20f44b18560ef2c623bdd6e6ead6ac9a562cc43504f856

Download Submit
memory/300-57-0x0000000000000000-mapping.dmp

Download
memory/1044-81-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1044-83-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1044-84-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1044-82-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1044-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1044-85-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1044-95-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1088-114-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/1088-117-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/1088-115-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/1088-116-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/1112-66-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1112-65-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1112-64-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1112-63-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1112-61-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1168-69-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1168-71-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1168-72-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1168-70-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1200-75-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1200-76-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1200-78-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1200-77-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1340-126-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1340-127-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1364-97-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1364-94-0x0000000000066A07-mapping.dmp

Download
memory/1364-93-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1364-92-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1364-91-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1364-89-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1952-100-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1952-121-0x0000000002530000-0x0000000002557000-memory.dmp

Filesize
156KB

Download
memory/1952-120-0x0000000002530000-0x0000000002557000-memory.dmp

Filesize
156KB

Download
memory/1952-122-0x0000000002530000-0x0000000002557000-memory.dmp

Filesize
156KB

Download
memory/1952-123-0x0000000002530000-0x0000000002557000-memory.dmp

Filesize
156KB

Download
memory/1952-106-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/1952-99-0x000007FEF6E41000-0x000007FEF6E43000-memory.dmp

Filesize
8KB

Download
memory/1952-98-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download