93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d

Analysis

max time kernel
152s
max time network
184s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
Size

138KB
MD5

da4f2c514e0d3bafb432c9e6a9ae13ed
SHA1

e43102428eb63d6d4995792a442dece79990b66b
SHA256

93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d
SHA512

658edf16d9121e9a4c34986b16e858e865e552ec67daf7386d9808b0165e1260485f7165416fa3f76227c674984807a0e15208fbad3c38b5069d45d199920a7a
SSDEEP

3072:KTg+x50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1o2Yo3wQGr:KTLoGtmiYlW4A1QvGXjBonnQGr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1256	ukuw.exe

Deletes itself 1 IoCs

pid	Process
1088	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ukuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AFFAE1AF-D084-FDFA-038F-ECD0FAA11F92} = "C:\\Users\\Admin\\AppData\\Roaming\\Sone\\ukuw.exe"	ukuw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F8B1F2B-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe
1256	ukuw.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
Token: SeSecurityPrivilege	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
Token: SeSecurityPrivilege	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
Token: SeSecurityPrivilege	1088	cmd.exe
Token: SeManageVolumePrivilege	992	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
992	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1256	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	28
PID 1260 wrote to memory of 1256	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	28
PID 1260 wrote to memory of 1256	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	28
PID 1260 wrote to memory of 1256	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	28
PID 1256 wrote to memory of 1128	1256	ukuw.exe	18
PID 1256 wrote to memory of 1128	1256	ukuw.exe	18
PID 1256 wrote to memory of 1128	1256	ukuw.exe	18
PID 1256 wrote to memory of 1128	1256	ukuw.exe	18
PID 1256 wrote to memory of 1128	1256	ukuw.exe	18
PID 1256 wrote to memory of 1192	1256	ukuw.exe	19
PID 1256 wrote to memory of 1192	1256	ukuw.exe	19
PID 1256 wrote to memory of 1192	1256	ukuw.exe	19
PID 1256 wrote to memory of 1192	1256	ukuw.exe	19
PID 1256 wrote to memory of 1192	1256	ukuw.exe	19
PID 1256 wrote to memory of 1244	1256	ukuw.exe	20
PID 1256 wrote to memory of 1244	1256	ukuw.exe	20
PID 1256 wrote to memory of 1244	1256	ukuw.exe	20
PID 1256 wrote to memory of 1244	1256	ukuw.exe	20
PID 1256 wrote to memory of 1244	1256	ukuw.exe	20
PID 1256 wrote to memory of 1260	1256	ukuw.exe	27
PID 1256 wrote to memory of 1260	1256	ukuw.exe	27
PID 1256 wrote to memory of 1260	1256	ukuw.exe	27
PID 1256 wrote to memory of 1260	1256	ukuw.exe	27
PID 1256 wrote to memory of 1260	1256	ukuw.exe	27
PID 1256 wrote to memory of 992	1256	ukuw.exe	29
PID 1256 wrote to memory of 992	1256	ukuw.exe	29
PID 1256 wrote to memory of 992	1256	ukuw.exe	29
PID 1256 wrote to memory of 992	1256	ukuw.exe	29
PID 1256 wrote to memory of 992	1256	ukuw.exe	29
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1260 wrote to memory of 1088	1260	93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe	30
PID 1256 wrote to memory of 956	1256	ukuw.exe	31
PID 1256 wrote to memory of 956	1256	ukuw.exe	31
PID 1256 wrote to memory of 956	1256	ukuw.exe	31
PID 1256 wrote to memory of 956	1256	ukuw.exe	31
PID 1256 wrote to memory of 956	1256	ukuw.exe	31
PID 1256 wrote to memory of 1772	1256	ukuw.exe	32
PID 1256 wrote to memory of 1772	1256	ukuw.exe	32
PID 1256 wrote to memory of 1772	1256	ukuw.exe	32
PID 1256 wrote to memory of 1772	1256	ukuw.exe	32
PID 1256 wrote to memory of 1772	1256	ukuw.exe	32
PID 1256 wrote to memory of 1060	1256	ukuw.exe	33
PID 1256 wrote to memory of 1060	1256	ukuw.exe	33
PID 1256 wrote to memory of 1060	1256	ukuw.exe	33
PID 1256 wrote to memory of 1060	1256	ukuw.exe	33
PID 1256 wrote to memory of 1060	1256	ukuw.exe	33
PID 1256 wrote to memory of 1616	1256	ukuw.exe	34
PID 1256 wrote to memory of 1616	1256	ukuw.exe	34
PID 1256 wrote to memory of 1616	1256	ukuw.exe	34
PID 1256 wrote to memory of 1616	1256	ukuw.exe	34
PID 1256 wrote to memory of 1616	1256	ukuw.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe
  "C:\Users\Admin\AppData\Local\Temp\93f8a146571dbe06d8b4c6df10a2637f3f0a4c408af5aa3574198174c9a9f10d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Roaming\Sone\ukuw.exe
    "C:\Users\Admin\AppData\Roaming\Sone\ukuw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp47863ad5.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1088

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-522998858-2100644627-1192300921-364256560-1724140054-1091759942-13410084001638321678"
1⤵
PID:956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp47863ad5.bat

Filesize
307B

MD5
f45cf2d4b182f782cac028905f68e76c

SHA1
ee773c97eadd8159d80941490c603d3390d6d901

SHA256
f0bf06a23f1c5624c091152cb2aaf2fb08aa03ce406653f86c4ffd90e7869e56

SHA512
a9393b98b4e6b8be267dcd1796c5ff1dcc65b58b71c3e93154877cee8d102404c647249ecb02e45c659391dbf095dca1c0c8b5f6a70fdf56506042c6ab777fdd

Download Submit
C:\Users\Admin\AppData\Roaming\Sone\ukuw.exe

Filesize
138KB

MD5
c154df8ce44d650748ac1a8a4677494e

SHA1
442f71e52e30a24fed557ee836fd01d0d3cd8364

SHA256
0604a20641c7249080fe5dc081c566d1492239a2a47ca2d803455c42adf359cf

SHA512
c1c8a01cab0052f232b09e204a124e1a57c09ffc6343d918c6ddfb3a056fe7ce00b54324cdb64b159490ed489206054c3acd8d14c2af4c78687325fa5a18915b

Download Submit
C:\Users\Admin\AppData\Roaming\Sone\ukuw.exe

Filesize
138KB

MD5
c154df8ce44d650748ac1a8a4677494e

SHA1
442f71e52e30a24fed557ee836fd01d0d3cd8364

SHA256
0604a20641c7249080fe5dc081c566d1492239a2a47ca2d803455c42adf359cf

SHA512
c1c8a01cab0052f232b09e204a124e1a57c09ffc6343d918c6ddfb3a056fe7ce00b54324cdb64b159490ed489206054c3acd8d14c2af4c78687325fa5a18915b

Download Submit
C:\Users\Admin\AppData\Roaming\Uwmee\ymap.ald

Filesize
398B

MD5
de9dc45c45410b644d179f2a3d0b6760

SHA1
36867633f593e3532485937bec27d4828a2ce352

SHA256
5223b0ebb956f414cce9ed2069278245c20e54083a5204fdb8cba52ac7a21aa9

SHA512
93582280f45ca87b12a29ae9fea7de658e3f748222fa13a70a01443c8c6e7f0dcb7a015cdb8773c60f09a09c0911ff57043717f69ff8a9a94ac810cea5b3418a

Download Submit
\Users\Admin\AppData\Roaming\Sone\ukuw.exe

Filesize
138KB

MD5
c154df8ce44d650748ac1a8a4677494e

SHA1
442f71e52e30a24fed557ee836fd01d0d3cd8364

SHA256
0604a20641c7249080fe5dc081c566d1492239a2a47ca2d803455c42adf359cf

SHA512
c1c8a01cab0052f232b09e204a124e1a57c09ffc6343d918c6ddfb3a056fe7ce00b54324cdb64b159490ed489206054c3acd8d14c2af4c78687325fa5a18915b

Download Submit
\Users\Admin\AppData\Roaming\Sone\ukuw.exe

Filesize
138KB

MD5
c154df8ce44d650748ac1a8a4677494e

SHA1
442f71e52e30a24fed557ee836fd01d0d3cd8364

SHA256
0604a20641c7249080fe5dc081c566d1492239a2a47ca2d803455c42adf359cf

SHA512
c1c8a01cab0052f232b09e204a124e1a57c09ffc6343d918c6ddfb3a056fe7ce00b54324cdb64b159490ed489206054c3acd8d14c2af4c78687325fa5a18915b

Download Submit
memory/956-121-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/956-120-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/956-123-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/956-122-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/992-90-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/992-91-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/992-92-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/992-86-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/992-103-0x000007FEF6D01000-0x000007FEF6D03000-memory.dmp

Filesize
8KB

Download
memory/992-112-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/992-106-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/992-89-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1088-98-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1088-105-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1088-95-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1088-99-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1088-97-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1128-66-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1128-65-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1128-64-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1128-63-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1128-61-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1192-69-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1192-72-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1192-70-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1192-71-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1244-76-0x0000000002B60000-0x0000000002B87000-memory.dmp

Filesize
156KB

Download
memory/1244-75-0x0000000002B60000-0x0000000002B87000-memory.dmp

Filesize
156KB

Download
memory/1244-78-0x0000000002B60000-0x0000000002B87000-memory.dmp

Filesize
156KB

Download
memory/1244-77-0x0000000002B60000-0x0000000002B87000-memory.dmp

Filesize
156KB

Download
memory/1260-82-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1260-85-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1260-81-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1260-83-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1260-84-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1260-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1260-102-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1772-127-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1772-126-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download