4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10

General

Target

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
Size

282KB
MD5

afb5c434971203b49eeb6fcdc0628959
SHA1

a526310823858272babf9e6e87ec338d788c9a0b
SHA256

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10
SHA512

a82227cb5525191ab15ee1d1aa67665af8d0156de3cf8a8694c2c4036fd2dfb8bdf0d60fc063306583fe56da8129e7d66d0987bafd126202ab29024b99507d9b
SSDEEP

6144:uCdcF+JoOBrwtEcc6ozxm2xUfOflaswez:E+RBUjAm2xqYas1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

safyl.exe

pid process

1568 safyl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
1568	safyl.exe

pid	process
1988	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe

pid	process
1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{BD310F29-9853-2378-2E53-FD1C0C909532} = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wikio\\safyl.exe\""	explorer.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\346C4294-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exesafyl.exeexplorer.exe

pid	process
1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
1568	safyl.exe
1568	safyl.exe
1568	safyl.exe
1568	safyl.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

safyl.exe

pid process

1568 safyl.exe

pid	process
1568	safyl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
Token: SeManageVolumePrivilege	628	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

628 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

628 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

628 WinMail.exe

pid	process
628	WinMail.exe

pid	process
628	WinMail.exe

pid	process
628	WinMail.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exesafyl.exeexplorer.exe

description	pid	process	target process
PID 1956 wrote to memory of 1568	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	safyl.exe
PID 1956 wrote to memory of 1568	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	safyl.exe
PID 1956 wrote to memory of 1568	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	safyl.exe
PID 1956 wrote to memory of 1568	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	safyl.exe
PID 1568 wrote to memory of 1496	1568	safyl.exe	explorer.exe
PID 1568 wrote to memory of 1496	1568	safyl.exe	explorer.exe
PID 1568 wrote to memory of 1496	1568	safyl.exe	explorer.exe
PID 1568 wrote to memory of 1496	1568	safyl.exe	explorer.exe
PID 1496 wrote to memory of 1296	1496	explorer.exe	Explorer.EXE
PID 1496 wrote to memory of 1296	1496	explorer.exe	Explorer.EXE
PID 1496 wrote to memory of 1296	1496	explorer.exe	Explorer.EXE
PID 1956 wrote to memory of 1988	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	cmd.exe
PID 1956 wrote to memory of 1988	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	cmd.exe
PID 1956 wrote to memory of 1988	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	cmd.exe
PID 1956 wrote to memory of 1988	1956	4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe
"C:\Users\Admin\AppData\Local\Temp\4ce6f5b6bfc61a8a4a209699e9350d82d3dea797f62510c9f82f140df3027d10.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\Wikio\safyl.exe
"C:\Users\Admin\AppData\Roaming\Wikio\safyl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0ba1b65f.bat"
3⤵
- Deletes itself
PID:1988

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0ba1b65f.bat

Filesize
307B

MD5
86fd1185d740bc6213c87e4331ed2b6b

SHA1
1f57202493d4239fdc439cfdec6b873d0591c61b

SHA256
daac2b915683a36ec9c78af00df841102b2042d9fc6190894feffd1f6e9afbde

SHA512
d267474a839db1e47edea6f99113b72187599a15e51a6f93f5ad36f336db535f178d878b3c86cefaa964e423766bb78d9e05aee3184d2dd8eb43641ea89c82e4

Download Submit
C:\Users\Admin\AppData\Roaming\Wikio\safyl.exe

Filesize
282KB

MD5
43bfd24b5045124e893c5954fcc7e32b

SHA1
4a4e3774c5e40580853218539544f0d4d502be58

SHA256
e7a54dc7727ec417e6324fdafe1232d4eb1fdc5e2616d53ad176a8db01299060

SHA512
94d58e67b0ad1c72f102a00746ce02d2c292d41520a9308ee58f212f340919be634e05297f6340995b13a8c5c0552470ac381049e1ba5364f1dda4472e97010a

Download Submit
C:\Users\Admin\AppData\Roaming\Wikio\safyl.exe

Filesize
282KB

MD5
43bfd24b5045124e893c5954fcc7e32b

SHA1
4a4e3774c5e40580853218539544f0d4d502be58

SHA256
e7a54dc7727ec417e6324fdafe1232d4eb1fdc5e2616d53ad176a8db01299060

SHA512
94d58e67b0ad1c72f102a00746ce02d2c292d41520a9308ee58f212f340919be634e05297f6340995b13a8c5c0552470ac381049e1ba5364f1dda4472e97010a

Download Submit
\Users\Admin\AppData\Roaming\Wikio\safyl.exe

Filesize
282KB

MD5
43bfd24b5045124e893c5954fcc7e32b

SHA1
4a4e3774c5e40580853218539544f0d4d502be58

SHA256
e7a54dc7727ec417e6324fdafe1232d4eb1fdc5e2616d53ad176a8db01299060

SHA512
94d58e67b0ad1c72f102a00746ce02d2c292d41520a9308ee58f212f340919be634e05297f6340995b13a8c5c0552470ac381049e1ba5364f1dda4472e97010a

Download Submit
\Users\Admin\AppData\Roaming\Wikio\safyl.exe

Filesize
282KB

MD5
43bfd24b5045124e893c5954fcc7e32b

SHA1
4a4e3774c5e40580853218539544f0d4d502be58

SHA256
e7a54dc7727ec417e6324fdafe1232d4eb1fdc5e2616d53ad176a8db01299060

SHA512
94d58e67b0ad1c72f102a00746ce02d2c292d41520a9308ee58f212f340919be634e05297f6340995b13a8c5c0552470ac381049e1ba5364f1dda4472e97010a

Download Submit
memory/628-69-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/628-75-0x0000000001ED0000-0x0000000001EE0000-memory.dmp

Filesize
64KB

Download
memory/628-67-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/628-68-0x000007FEF6191000-0x000007FEF6193000-memory.dmp

Filesize
8KB

Download
memory/1496-85-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1496-63-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x0000000074701000-0x0000000074703000-memory.dmp

Filesize
8KB

Download
memory/1496-66-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1568-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1568-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1568-57-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-83-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1956-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1988-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads