e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd

Analysis

max time kernel
143s
max time network
200s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe
Size

468KB
MD5

3ea4a603d8682903f1158886ee4be057
SHA1

b99723d2c9c32eed437e8bcf545ecc73306c9f79
SHA256

e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd
SHA512

ca7f928236c668f17dd44671bf3347e92e63cefdde59a3f85bacecabc336be47215ced0545d08acad1495b7eda35b8b0474d66da64db1a7e1ffbffb1c21560e4
SSDEEP

12288:ZYeUJAy8nnHpMWI1W2o1ZgeH1JMnljQB2inK5:6JAyinH2rW2odVAug

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1208	ydlysekerzci.exe

Loads dropped DLL 2 IoCs

pid	Process
872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe
872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	ydlysekerzci.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	ydlysekerzci.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1208	ydlysekerzci.exe
1208	ydlysekerzci.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1208	872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe	27
PID 872 wrote to memory of 1208	872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe	27
PID 872 wrote to memory of 1208	872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe	27
PID 872 wrote to memory of 1208	872	e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe	27

C:\Users\Admin\AppData\Local\Temp\e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe
"C:\Users\Admin\AppData\Local\Temp\e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\ydlysekerzci.exe
  "C:\Users\Admin\AppData\Local\Temp\\ydlysekerzci.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
468KB

MD5
3ea4a603d8682903f1158886ee4be057

SHA1
b99723d2c9c32eed437e8bcf545ecc73306c9f79

SHA256
e0415fdb84c6717059cc6893b78fb106d655c297d543e3bba84a25820e6368cd

SHA512
ca7f928236c668f17dd44671bf3347e92e63cefdde59a3f85bacecabc336be47215ced0545d08acad1495b7eda35b8b0474d66da64db1a7e1ffbffb1c21560e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydlysekerzci.exe

Filesize
17KB

MD5
a496226166890a5dac20fe739a454648

SHA1
ef5a76483e04fc9de642a0970cb132f72fd5c12e

SHA256
6bc25cf53dd76c9be6a96e4706e47e037dcfb1636e31a0ea8dd4813f11dbd024

SHA512
b882799c5aa1c8914d5bb1b04a34fdd3175a30db903783a2027cc8b60bf63bd08a86281101e1190c428a53ac354fe258ff8721452823357a563401c2198a959f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydlysekerzci.exe

Filesize
17KB

MD5
a496226166890a5dac20fe739a454648

SHA1
ef5a76483e04fc9de642a0970cb132f72fd5c12e

SHA256
6bc25cf53dd76c9be6a96e4706e47e037dcfb1636e31a0ea8dd4813f11dbd024

SHA512
b882799c5aa1c8914d5bb1b04a34fdd3175a30db903783a2027cc8b60bf63bd08a86281101e1190c428a53ac354fe258ff8721452823357a563401c2198a959f

Download Submit
\Users\Admin\AppData\Local\Temp\ydlysekerzci.exe

Filesize
17KB

MD5
a496226166890a5dac20fe739a454648

SHA1
ef5a76483e04fc9de642a0970cb132f72fd5c12e

SHA256
6bc25cf53dd76c9be6a96e4706e47e037dcfb1636e31a0ea8dd4813f11dbd024

SHA512
b882799c5aa1c8914d5bb1b04a34fdd3175a30db903783a2027cc8b60bf63bd08a86281101e1190c428a53ac354fe258ff8721452823357a563401c2198a959f

Download Submit
\Users\Admin\AppData\Local\Temp\ydlysekerzci.exe

Filesize
17KB

MD5
a496226166890a5dac20fe739a454648

SHA1
ef5a76483e04fc9de642a0970cb132f72fd5c12e

SHA256
6bc25cf53dd76c9be6a96e4706e47e037dcfb1636e31a0ea8dd4813f11dbd024

SHA512
b882799c5aa1c8914d5bb1b04a34fdd3175a30db903783a2027cc8b60bf63bd08a86281101e1190c428a53ac354fe258ff8721452823357a563401c2198a959f

Download Submit
memory/1208-59-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1208-60-0x000007FEF2620000-0x000007FEF36B6000-memory.dmp

Filesize
16.6MB

Download
memory/1208-62-0x0000000000588000-0x00000000005A7000-memory.dmp

Filesize
124KB

Download
memory/1208-63-0x0000000000588000-0x00000000005A7000-memory.dmp

Filesize
124KB

Download
memory/1208-64-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

Filesize
8KB

Download