537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385

Analysis

max time kernel
153s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
Size

288KB
MD5

fc80a8ae94d93c2f7c38efa234dd4502
SHA1

63607c3a39321d884d54555d6214b4f4fefe0cc7
SHA256

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385
SHA512

2375b2174af1ddd7817f67d135ca8f23e81850b9e60be3e86093ed1e1e62744f9d5025f8d58ef74cde510f827a921008f4e62f9c1800e1d026e1057666a59e2a
SSDEEP

6144:1xLHZdXMuU/Dyy+BXJJ91Jc2jbUjO5/g9Cl2:j5d8uULyPv5cqGO5Cy

Score

9^/10

persistence

Malware Config

Signatures

Molebox Virtualization software 5 IoCs

Detects file using Molebox Virtualization software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Hoqua\evyz.exe	molebox
\Users\Admin\AppData\Roaming\Hoqua\evyz.exe	molebox
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe	molebox
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe	molebox
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe	molebox

Executes dropped EXE 2 IoCs

Processes:

evyz.exeevyz.exe

pid process

640 evyz.exe
1128 evyz.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1420 cmd.exe

pid	process
640	evyz.exe
1128	evyz.exe

pid	process
1420	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe

pid	process
1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

evyz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	evyz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Hoqua\\evyz.exe"	evyz.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exeevyz.exe

description	pid	process	target process
PID 1232 set thread context of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 640 set thread context of 1128	640	evyz.exe	evyz.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

evyz.exe

pid	process
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe
1128	evyz.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exeevyz.exeevyz.exe

description	pid	process	target process
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1232 wrote to memory of 1396	1232	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1396 wrote to memory of 640	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	evyz.exe
PID 1396 wrote to memory of 640	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	evyz.exe
PID 1396 wrote to memory of 640	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	evyz.exe
PID 1396 wrote to memory of 640	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 640 wrote to memory of 1128	640	evyz.exe	evyz.exe
PID 1128 wrote to memory of 1152	1128	evyz.exe	taskhost.exe
PID 1128 wrote to memory of 1152	1128	evyz.exe	taskhost.exe
PID 1128 wrote to memory of 1152	1128	evyz.exe	taskhost.exe
PID 1128 wrote to memory of 1152	1128	evyz.exe	taskhost.exe
PID 1128 wrote to memory of 1152	1128	evyz.exe	taskhost.exe
PID 1128 wrote to memory of 1252	1128	evyz.exe	Dwm.exe
PID 1128 wrote to memory of 1252	1128	evyz.exe	Dwm.exe
PID 1128 wrote to memory of 1252	1128	evyz.exe	Dwm.exe
PID 1128 wrote to memory of 1252	1128	evyz.exe	Dwm.exe
PID 1128 wrote to memory of 1252	1128	evyz.exe	Dwm.exe
PID 1128 wrote to memory of 1336	1128	evyz.exe	Explorer.EXE
PID 1128 wrote to memory of 1336	1128	evyz.exe	Explorer.EXE
PID 1128 wrote to memory of 1336	1128	evyz.exe	Explorer.EXE
PID 1128 wrote to memory of 1336	1128	evyz.exe	Explorer.EXE
PID 1128 wrote to memory of 1336	1128	evyz.exe	Explorer.EXE
PID 1128 wrote to memory of 1396	1128	evyz.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1128 wrote to memory of 1396	1128	evyz.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1128 wrote to memory of 1396	1128	evyz.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1128 wrote to memory of 1396	1128	evyz.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1128 wrote to memory of 1396	1128	evyz.exe	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
PID 1128 wrote to memory of 1420	1128	evyz.exe	cmd.exe
PID 1128 wrote to memory of 1420	1128	evyz.exe	cmd.exe
PID 1128 wrote to memory of 1420	1128	evyz.exe	cmd.exe
PID 1128 wrote to memory of 1420	1128	evyz.exe	cmd.exe
PID 1128 wrote to memory of 1420	1128	evyz.exe	cmd.exe
PID 1396 wrote to memory of 1420	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	cmd.exe
PID 1396 wrote to memory of 1420	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	cmd.exe
PID 1396 wrote to memory of 1420	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	cmd.exe
PID 1396 wrote to memory of 1420	1396	537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
  "C:\Users\Admin\AppData\Local\Temp\537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe
    "C:\Users\Admin\AppData\Local\Temp\537e717a6810f2185975e05febe28252adfc8049be8c5dc424b0f6af2dab6385.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe
      "C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe
        
        "C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9a2e9f6c.bat"
      4⤵
      Deletes itself
      PID:1420

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9a2e9f6c.bat

Filesize
307B

MD5
201b876e22c651e1e1961e37bb49069b

SHA1
5162f405d4c36d792b283881944b888e97c4dab9

SHA256
d74d7312772f055924734caa051a13c9c7e5119f3402443f8c581ae933110584

SHA512
89533adc2d9b63e8dee02ab7486ca185db141503c8d9fea7946e986f39b1aaf1a1bbd8043c3facd47bbbff044ab2806c04dc125e6a367e30e877ec1cc0e7b7fa

Download Submit
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe

Filesize
288KB

MD5
dd43801a989589107f5c0fb31a30dd3e

SHA1
3f07932467b40df720770a5faea3f51c5ffa945b

SHA256
a6fc4fbe2685c2764d3f674a90bb3cc00838ac9ae4cf8990c0850aaf2c4d3657

SHA512
d8dcac4887a3f1c6546234b0e89ace6e01ce0fcfc6aacd2edd592551507070a843c896ceae879c3e2d5d0d6d90d0666a0ffd626130c3d1bcdba98c10ecffda95

Download Submit
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe

Filesize
288KB

MD5
dd43801a989589107f5c0fb31a30dd3e

SHA1
3f07932467b40df720770a5faea3f51c5ffa945b

SHA256
a6fc4fbe2685c2764d3f674a90bb3cc00838ac9ae4cf8990c0850aaf2c4d3657

SHA512
d8dcac4887a3f1c6546234b0e89ace6e01ce0fcfc6aacd2edd592551507070a843c896ceae879c3e2d5d0d6d90d0666a0ffd626130c3d1bcdba98c10ecffda95

Download Submit
C:\Users\Admin\AppData\Roaming\Hoqua\evyz.exe

Filesize
288KB

MD5
dd43801a989589107f5c0fb31a30dd3e

SHA1
3f07932467b40df720770a5faea3f51c5ffa945b

SHA256
a6fc4fbe2685c2764d3f674a90bb3cc00838ac9ae4cf8990c0850aaf2c4d3657

SHA512
d8dcac4887a3f1c6546234b0e89ace6e01ce0fcfc6aacd2edd592551507070a843c896ceae879c3e2d5d0d6d90d0666a0ffd626130c3d1bcdba98c10ecffda95

Download Submit
\Users\Admin\AppData\Roaming\Hoqua\evyz.exe

Filesize
288KB

MD5
dd43801a989589107f5c0fb31a30dd3e

SHA1
3f07932467b40df720770a5faea3f51c5ffa945b

SHA256
a6fc4fbe2685c2764d3f674a90bb3cc00838ac9ae4cf8990c0850aaf2c4d3657

SHA512
d8dcac4887a3f1c6546234b0e89ace6e01ce0fcfc6aacd2edd592551507070a843c896ceae879c3e2d5d0d6d90d0666a0ffd626130c3d1bcdba98c10ecffda95

Download Submit
\Users\Admin\AppData\Roaming\Hoqua\evyz.exe

Filesize
288KB

MD5
dd43801a989589107f5c0fb31a30dd3e

SHA1
3f07932467b40df720770a5faea3f51c5ffa945b

SHA256
a6fc4fbe2685c2764d3f674a90bb3cc00838ac9ae4cf8990c0850aaf2c4d3657

SHA512
d8dcac4887a3f1c6546234b0e89ace6e01ce0fcfc6aacd2edd592551507070a843c896ceae879c3e2d5d0d6d90d0666a0ffd626130c3d1bcdba98c10ecffda95

Download Submit
memory/640-81-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/640-68-0x0000000000000000-mapping.dmp

Download
memory/1128-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-78-0x0000000000413CAB-mapping.dmp

Download
memory/1152-91-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-88-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-90-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-89-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1232-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1232-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1252-94-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-96-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-95-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-97-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1336-102-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-103-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-100-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-101-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1396-108-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1396-117-0x0000000000370000-0x00000000003BD000-memory.dmp

Filesize
308KB

Download
memory/1396-107-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1396-65-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1396-109-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1396-106-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1396-84-0x0000000000370000-0x00000000003BD000-memory.dmp

Filesize
308KB

Download
memory/1396-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-62-0x0000000000413CAB-mapping.dmp

Download
memory/1396-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-119-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1396-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-85-0x0000000000370000-0x00000000003BD000-memory.dmp

Filesize
308KB

Download
memory/1420-112-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1420-114-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1420-118-0x0000000000000000-mapping.dmp

Download
memory/1420-115-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1420-113-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download