d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
Size

442KB
MD5

698ae325c1ea96b365a5dfed5e747856
SHA1

45182cf082818fa3bec5c587ce346ba297dfdb76
SHA256

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e
SHA512

43ed818f7ab21e0d935592202b5e0e352afdd264f419aa55af2974d512ea9f5db106d2547b835f08235af2dd265cd9384605363c3691d9447a3b34830a704cf2
SSDEEP

12288:zNjaSdaJquKjXoCiM5ECSeR1RR9LzSCpBswx3i1cq5:zNjaTJquKcG5ENEzR9K8xx3+c

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ulef.exe

pid process

980 ulef.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe

pid	process
1700	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe

pid	process
948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ulef.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	ulef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F932B98A-E184-D692-6971-E3B6223A5F48} = "C:\\Users\\Admin\\AppData\\Roaming\\Biduyg\\ulef.exe"	ulef.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe

description pid process target process

PID 948 set thread context of 1700 948 d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe cmd.exe

description	pid	process	target process
PID 948 set thread context of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6A4C7489-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ulef.exe

pid	process
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe
980	ulef.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
Token: SeSecurityPrivilege	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
Token: SeSecurityPrivilege	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
Token: SeManageVolumePrivilege	2016	WinMail.exe
Token: SeSecurityPrivilege	1700	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2016 WinMail.exe

pid	process
2016	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exeulef.exe

description	pid	process	target process
PID 948 wrote to memory of 980	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	ulef.exe
PID 948 wrote to memory of 980	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	ulef.exe
PID 948 wrote to memory of 980	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	ulef.exe
PID 948 wrote to memory of 980	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	ulef.exe
PID 980 wrote to memory of 1128	980	ulef.exe	taskhost.exe
PID 980 wrote to memory of 1128	980	ulef.exe	taskhost.exe
PID 980 wrote to memory of 1128	980	ulef.exe	taskhost.exe
PID 980 wrote to memory of 1128	980	ulef.exe	taskhost.exe
PID 980 wrote to memory of 1128	980	ulef.exe	taskhost.exe
PID 980 wrote to memory of 1192	980	ulef.exe	Dwm.exe
PID 980 wrote to memory of 1192	980	ulef.exe	Dwm.exe
PID 980 wrote to memory of 1192	980	ulef.exe	Dwm.exe
PID 980 wrote to memory of 1192	980	ulef.exe	Dwm.exe
PID 980 wrote to memory of 1192	980	ulef.exe	Dwm.exe
PID 980 wrote to memory of 1268	980	ulef.exe	Explorer.EXE
PID 980 wrote to memory of 1268	980	ulef.exe	Explorer.EXE
PID 980 wrote to memory of 1268	980	ulef.exe	Explorer.EXE
PID 980 wrote to memory of 1268	980	ulef.exe	Explorer.EXE
PID 980 wrote to memory of 1268	980	ulef.exe	Explorer.EXE
PID 980 wrote to memory of 948	980	ulef.exe	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
PID 980 wrote to memory of 948	980	ulef.exe	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
PID 980 wrote to memory of 948	980	ulef.exe	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
PID 980 wrote to memory of 948	980	ulef.exe	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
PID 980 wrote to memory of 948	980	ulef.exe	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
PID 980 wrote to memory of 2016	980	ulef.exe	WinMail.exe
PID 980 wrote to memory of 2016	980	ulef.exe	WinMail.exe
PID 980 wrote to memory of 2016	980	ulef.exe	WinMail.exe
PID 980 wrote to memory of 2016	980	ulef.exe	WinMail.exe
PID 980 wrote to memory of 2016	980	ulef.exe	WinMail.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 948 wrote to memory of 1700	948	d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe	cmd.exe
PID 980 wrote to memory of 1804	980	ulef.exe	conhost.exe
PID 980 wrote to memory of 1804	980	ulef.exe	conhost.exe
PID 980 wrote to memory of 1804	980	ulef.exe	conhost.exe
PID 980 wrote to memory of 1804	980	ulef.exe	conhost.exe
PID 980 wrote to memory of 1804	980	ulef.exe	conhost.exe
PID 980 wrote to memory of 1720	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1720	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1720	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1720	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1720	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1608	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1608	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1608	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1608	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 1608	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 652	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 652	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 652	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 652	980	ulef.exe	DllHost.exe
PID 980 wrote to memory of 652	980	ulef.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe
"C:\Users\Admin\AppData\Local\Temp\d7b9385cd06fe9320dade0ce3ae6d31cc748d61aaea5b71c3534d07ee1d3087e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\Biduyg\ulef.exe
"C:\Users\Admin\AppData\Roaming\Biduyg\ulef.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa2b78323.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8864392381396318077-645945528-1939301066-1949555070612896913-1635879234-620616008"
1⤵
PID:1804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa2b78323.bat

Filesize
307B

MD5
3eb5638687291a4b2c7dbe9733b67209

SHA1
a5893d3abcb72b142454613e80986e3887bc6ef8

SHA256
d0ee2654e8dad5222679c78fb446575fb8d63ae7be3bd679844604e41662f4e2

SHA512
009327cb199b31a4162c51ac96db7c1f0cfef51bc0e6d5ac705e30b102a1e982708176c2dfa384efd0df3bffa271d42d7bb79a69ec4389830b6e2698f4cbbb21

Download Submit
C:\Users\Admin\AppData\Roaming\Biduyg\ulef.exe

Filesize
442KB

MD5
a98e7a1be655d3f056968e0047b6c223

SHA1
65dce259ecf2054dc44363e0893b4f66e897f6c7

SHA256
ef343167104b564a553a9d128e4c5a578fbbf15a2b7fa6da47a5582ef2d87592

SHA512
2263bb9394ea37897097772791793fb24cc38ee66b71d02a8014bfaec1e34bdc10041aa26b4ec1c244ee9276df860995d81a6c13d432436c71ee9f61ada01928

Download Submit
C:\Users\Admin\AppData\Roaming\Biduyg\ulef.exe

Filesize
442KB

MD5
a98e7a1be655d3f056968e0047b6c223

SHA1
65dce259ecf2054dc44363e0893b4f66e897f6c7

SHA256
ef343167104b564a553a9d128e4c5a578fbbf15a2b7fa6da47a5582ef2d87592

SHA512
2263bb9394ea37897097772791793fb24cc38ee66b71d02a8014bfaec1e34bdc10041aa26b4ec1c244ee9276df860995d81a6c13d432436c71ee9f61ada01928

Download Submit
C:\Users\Admin\AppData\Roaming\Lufu\iwtoi.vop

Filesize
398B

MD5
afc3268e25fadf4b7213e4289b457113

SHA1
749ac81fc28a8eb1e7f6994ca5f80e9aef1b0f82

SHA256
117aa6c08db6d43f4f6f0308d5299039eafce31a2b800a94773cb23e687d0fe4

SHA512
3a69a6e57798427309580f9f92696a9a61ec94ef86ad46feb336c3f0a8f043a008e4d803a55ab9d4f48658d600bc914f2965250adaf0d0f869ca4c801de3e48f

Download Submit
\Users\Admin\AppData\Roaming\Biduyg\ulef.exe

Filesize
442KB

MD5
a98e7a1be655d3f056968e0047b6c223

SHA1
65dce259ecf2054dc44363e0893b4f66e897f6c7

SHA256
ef343167104b564a553a9d128e4c5a578fbbf15a2b7fa6da47a5582ef2d87592

SHA512
2263bb9394ea37897097772791793fb24cc38ee66b71d02a8014bfaec1e34bdc10041aa26b4ec1c244ee9276df860995d81a6c13d432436c71ee9f61ada01928

Download Submit
\Users\Admin\AppData\Roaming\Biduyg\ulef.exe

Filesize
442KB

MD5
a98e7a1be655d3f056968e0047b6c223

SHA1
65dce259ecf2054dc44363e0893b4f66e897f6c7

SHA256
ef343167104b564a553a9d128e4c5a578fbbf15a2b7fa6da47a5582ef2d87592

SHA512
2263bb9394ea37897097772791793fb24cc38ee66b71d02a8014bfaec1e34bdc10041aa26b4ec1c244ee9276df860995d81a6c13d432436c71ee9f61ada01928

Download Submit
memory/948-56-0x0000000001E60000-0x0000000001E65000-memory.dmp

Filesize
20KB

Download
memory/948-55-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/948-89-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/948-85-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/948-88-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/948-87-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/948-86-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/980-61-0x0000000002010000-0x0000000002015000-memory.dmp

Filesize
20KB

Download
memory/980-59-0x0000000000000000-mapping.dmp

Download
memory/1128-65-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-69-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-70-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-67-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-68-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1192-75-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-74-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-73-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-76-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1268-79-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-80-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-81-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-82-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1700-117-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1700-115-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1700-120-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1700-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1700-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1700-118-0x0000000000058F00-mapping.dmp

Download
memory/1804-126-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/1804-125-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/1804-124-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/1804-123-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/2016-106-0x0000000003CC0000-0x0000000003CE7000-memory.dmp

Filesize
156KB

Download
memory/2016-91-0x000007FEFA741000-0x000007FEFA743000-memory.dmp

Filesize
8KB

Download
memory/2016-92-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/2016-98-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2016-107-0x0000000003CC0000-0x0000000003CE7000-memory.dmp

Filesize
156KB

Download
memory/2016-108-0x0000000003CC0000-0x0000000003CE7000-memory.dmp

Filesize
156KB

Download
memory/2016-109-0x0000000003CC0000-0x0000000003CE7000-memory.dmp

Filesize
156KB

Download
memory/2016-90-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download