Overview

overview

8

Static

static

756444a61f...4d.exe

windows7-x64

8

756444a61f...4d.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    204s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 05:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d.exe

  • Size

    288KB

  • MD5

    f53b47a30d06f7dad7b0c8bca5090561

  • SHA1

    316cc7d23a93c64fad286dcad46bb6cc8bf6b497

  • SHA256

    756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d

  • SHA512

    4e06c32afda87a94fcdf9f44ad0dea7dcbb8df1cad11b6d5290ec97f1ae48d602abe7f7f112abb38a07164eca400536126a85bde4c287b85647dcb3e529711ac

  • SSDEEP

    3072:5IwuPE5GCEGeDQ6zeNzagdBvlyRUYRjUQKhsh/wzDmmRbWCcI4NHcaCVEOuPB:5qukGeDPUdByR5lqsh43VRbUD

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1224
        • C:\Users\Admin\AppData\Local\Temp\756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d.exe
          "C:\Users\Admin\AppData\Local\Temp\756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Users\Admin\AppData\Local\Temp\756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d.exe
            "C:\Users\Admin\AppData\Local\Temp\756444a61fc55e3e35b9f52fa4fba1bc8e7e77451745b643a0a12eb35b72fb4d.exe"
            3⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
              "C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:772
              • C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                "C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe"
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1264
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfd9bc66a.bat"
              4⤵
              • Deletes itself
              • Suspicious use of AdjustPrivilegeToken
              PID:828
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1188
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-59692412517553327411145760937-10461819371498973835-1860809728-942872279573587585"
          1⤵
            PID:1440
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
            1⤵
            • NTFS ADS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:868
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1616
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1284

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmpfd9bc66a.bat
                Filesize

                307B

                MD5

                c0f054c27c0d8247faf11fd2bb278c53

                SHA1

                798bdc2793d0c009ee37b8bb2fb77a2aa4c5aae5

                SHA256

                5f31d033bf6779594a8143b6396c8df10771c34978db0ec14f16f8c9809b328c

                SHA512

                cf1116450ac6b55631122a9d17d7b20714fd34b89c711dad5e20836d96e5edd91e374c44b3f1381ae8db58c4ebb643891e6e6d9f18ebf24ea82499012e1198f0

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Riymok\yvsei.ill
                Filesize

                721B

                MD5

                4a8be24910a49dc62617c79095271182

                SHA1

                9852ae597d4666d8afacc1b973f132fb62351b34

                SHA256

                ce1c10854e9d89abb2a1ffdc46ba3e59ad0012c4a30adeac01995aa826e66855

                SHA512

                9c9794c3d74f436242ced1568f0dbf0a5cbb117a0221750930071e6bda81d621b593e5204e0d167e471938bea001d59aa5e3ac85c99140ebe2bbff1448f3209d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Riymok\yvsei.ill
                Filesize

                721B

                MD5

                4a8be24910a49dc62617c79095271182

                SHA1

                9852ae597d4666d8afacc1b973f132fb62351b34

                SHA256

                ce1c10854e9d89abb2a1ffdc46ba3e59ad0012c4a30adeac01995aa826e66855

                SHA512

                9c9794c3d74f436242ced1568f0dbf0a5cbb117a0221750930071e6bda81d621b593e5204e0d167e471938bea001d59aa5e3ac85c99140ebe2bbff1448f3209d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                Filesize

                288KB

                MD5

                d5729a4b0cd54287cc939876723538dc

                SHA1

                b8de4ab43a1f829044c1b64b22df59d647362bb0

                SHA256

                d9c72f6e417bb3b98b0422656a7a07ce7934c7baca61c86acb95552d80ffc015

                SHA512

                05c6b8e1c0bd845b453083511084c1c6498a320c657f84586244040f420abd1f9a51e21d5242294642cef9abb289e86b8e69cde5bbe7d6e2bcf6bb5c60eed852

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                Filesize

                288KB

                MD5

                d5729a4b0cd54287cc939876723538dc

                SHA1

                b8de4ab43a1f829044c1b64b22df59d647362bb0

                SHA256

                d9c72f6e417bb3b98b0422656a7a07ce7934c7baca61c86acb95552d80ffc015

                SHA512

                05c6b8e1c0bd845b453083511084c1c6498a320c657f84586244040f420abd1f9a51e21d5242294642cef9abb289e86b8e69cde5bbe7d6e2bcf6bb5c60eed852

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                Filesize

                288KB

                MD5

                d5729a4b0cd54287cc939876723538dc

                SHA1

                b8de4ab43a1f829044c1b64b22df59d647362bb0

                SHA256

                d9c72f6e417bb3b98b0422656a7a07ce7934c7baca61c86acb95552d80ffc015

                SHA512

                05c6b8e1c0bd845b453083511084c1c6498a320c657f84586244040f420abd1f9a51e21d5242294642cef9abb289e86b8e69cde5bbe7d6e2bcf6bb5c60eed852

                Download Submit

              • \Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                Filesize

                288KB

                MD5

                d5729a4b0cd54287cc939876723538dc

                SHA1

                b8de4ab43a1f829044c1b64b22df59d647362bb0

                SHA256

                d9c72f6e417bb3b98b0422656a7a07ce7934c7baca61c86acb95552d80ffc015

                SHA512

                05c6b8e1c0bd845b453083511084c1c6498a320c657f84586244040f420abd1f9a51e21d5242294642cef9abb289e86b8e69cde5bbe7d6e2bcf6bb5c60eed852

                Download Submit

              • \Users\Admin\AppData\Roaming\Zeecc\ymsa.exe
                Filesize

                288KB

                MD5

                d5729a4b0cd54287cc939876723538dc

                SHA1

                b8de4ab43a1f829044c1b64b22df59d647362bb0

                SHA256

                d9c72f6e417bb3b98b0422656a7a07ce7934c7baca61c86acb95552d80ffc015

                SHA512

                05c6b8e1c0bd845b453083511084c1c6498a320c657f84586244040f420abd1f9a51e21d5242294642cef9abb289e86b8e69cde5bbe7d6e2bcf6bb5c60eed852

                Download Submit

              • memory/772-69-0x00000000005BA000-0x00000000005BC000-memory.dmp

                Filesize

                8KB

                Download

              • memory/772-65-0x0000000000000000-mapping.dmp

                Download

              • memory/828-108-0x0000000000050000-0x0000000000077000-memory.dmp

                Filesize

                156KB

                Download

              • memory/828-107-0x0000000000050000-0x0000000000077000-memory.dmp

                Filesize

                156KB

                Download

              • memory/828-104-0x0000000000050000-0x0000000000077000-memory.dmp

                Filesize

                156KB

                Download

              • memory/828-109-0x0000000000062CBA-mapping.dmp

                Download

              • memory/828-106-0x0000000000050000-0x0000000000077000-memory.dmp

                Filesize

                156KB

                Download

              • memory/828-122-0x0000000000050000-0x0000000000077000-memory.dmp

                Filesize

                156KB

                Download

              • memory/868-124-0x00000000023A0000-0x00000000023B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/868-130-0x0000000002400000-0x0000000002410000-memory.dmp

                Filesize

                64KB

                Download

              • memory/868-121-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

                Filesize

                8KB

                Download

              • memory/868-141-0x0000000003D10000-0x0000000003D37000-memory.dmp

                Filesize

                156KB

                Download

              • memory/868-140-0x0000000003D10000-0x0000000003D37000-memory.dmp

                Filesize

                156KB

                Download

              • memory/868-139-0x0000000003D10000-0x0000000003D37000-memory.dmp

                Filesize

                156KB

                Download

              • memory/868-123-0x000007FEF6371000-0x000007FEF6373000-memory.dmp

                Filesize

                8KB

                Download

              • memory/868-138-0x0000000003D10000-0x0000000003D37000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1124-81-0x0000000001F30000-0x0000000001F57000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1124-80-0x0000000001F30000-0x0000000001F57000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1124-76-0x0000000001F30000-0x0000000001F57000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1124-78-0x0000000001F30000-0x0000000001F57000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1124-79-0x0000000001F30000-0x0000000001F57000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1188-87-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1188-86-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1188-85-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1188-84-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1224-94-0x0000000002AE0000-0x0000000002B07000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1224-93-0x0000000002AE0000-0x0000000002B07000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1224-92-0x0000000002AE0000-0x0000000002B07000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1224-91-0x0000000002AE0000-0x0000000002B07000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1264-72-0x0000000000413048-mapping.dmp

                Download

              • memory/1264-89-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1264-142-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1440-118-0x0000000000250000-0x0000000000277000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1440-116-0x0000000000250000-0x0000000000277000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1440-119-0x0000000000250000-0x0000000000277000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1440-117-0x0000000000250000-0x0000000000277000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-99-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-112-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-111-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-101-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-100-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-98-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-97-0x00000000003C0000-0x00000000003E7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-62-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-61-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-60-0x0000000075531000-0x0000000075533000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1988-57-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1988-58-0x0000000000413048-mapping.dmp

                Download

              • memory/2044-56-0x000000000060B000-0x000000000060D000-memory.dmp

                Filesize

                8KB

                Download