ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
Size

305KB
MD5

cafbe1859caa83efc27f2f64b82af6ce
SHA1

2d96fab0eaf7b49705623a95f3e7da871bea4b8c
SHA256

ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466
SHA512

db1f5fcff77cd375aff8e6a9fec634458addf05061dcb185fa980687fd2d296af38945254e18382ea2df2488a174e3b8c64219b95ab0476508a959e731052a5e
SSDEEP

6144:NO71gi4TG15/eG4VkWwJWcjEpCiW3JBo3QGSc2TAj0Hmeg1:N4+52kG+k7JWEunmJOLITPHmt1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

atim.exe

pid process

1596 atim.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

764 cmd.exe

pid	process
764	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe

pid	process
1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atim.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	atim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atim = "C:\\Users\\Admin\\AppData\\Roaming\\Meofy\\atim.exe"	atim.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe

description pid process target process

PID 1780 set thread context of 764 1780 ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe cmd.exe

description	pid	process	target process
PID 1780 set thread context of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

atim.exe

pid	process
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe
1596	atim.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exeatim.exe

description	pid	process	target process
PID 1780 wrote to memory of 1596	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	atim.exe
PID 1780 wrote to memory of 1596	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	atim.exe
PID 1780 wrote to memory of 1596	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	atim.exe
PID 1780 wrote to memory of 1596	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	atim.exe
PID 1596 wrote to memory of 1136	1596	atim.exe	taskhost.exe
PID 1596 wrote to memory of 1136	1596	atim.exe	taskhost.exe
PID 1596 wrote to memory of 1136	1596	atim.exe	taskhost.exe
PID 1596 wrote to memory of 1136	1596	atim.exe	taskhost.exe
PID 1596 wrote to memory of 1136	1596	atim.exe	taskhost.exe
PID 1596 wrote to memory of 1200	1596	atim.exe	Dwm.exe
PID 1596 wrote to memory of 1200	1596	atim.exe	Dwm.exe
PID 1596 wrote to memory of 1200	1596	atim.exe	Dwm.exe
PID 1596 wrote to memory of 1200	1596	atim.exe	Dwm.exe
PID 1596 wrote to memory of 1200	1596	atim.exe	Dwm.exe
PID 1596 wrote to memory of 1288	1596	atim.exe	Explorer.EXE
PID 1596 wrote to memory of 1288	1596	atim.exe	Explorer.EXE
PID 1596 wrote to memory of 1288	1596	atim.exe	Explorer.EXE
PID 1596 wrote to memory of 1288	1596	atim.exe	Explorer.EXE
PID 1596 wrote to memory of 1288	1596	atim.exe	Explorer.EXE
PID 1596 wrote to memory of 1780	1596	atim.exe	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
PID 1596 wrote to memory of 1780	1596	atim.exe	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
PID 1596 wrote to memory of 1780	1596	atim.exe	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
PID 1596 wrote to memory of 1780	1596	atim.exe	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
PID 1596 wrote to memory of 1780	1596	atim.exe	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe
PID 1780 wrote to memory of 764	1780	ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe
"C:\Users\Admin\AppData\Local\Temp\ea67d3e64b2b29b9e83b2af78ef551ad2f0b4c15eff0740741109daba5f8d466.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\Meofy\atim.exe
"C:\Users\Admin\AppData\Roaming\Meofy\atim.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\SAL2817.bat"
2⤵
- Deletes itself
PID:764

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SAL2817.bat

Filesize
303B

MD5
6139e6a940c2e936b4a260601e1f0c24

SHA1
2a14356fc14a01078783299b43ef14d63d64df5e

SHA256
b6fcd8c752ca1f2bf904db866248536cafd439f385197f8cc7a450c2be5227f5

SHA512
7e88eb7844e5cada3a4af37af1aab380181092181bc2e645fd502bf75ff81528538143b53a7ad91b89de7d1cfad8df740805e554bb68baff22e4da610fcbd7ce

Download Submit
C:\Users\Admin\AppData\Roaming\Meofy\atim.exe

Filesize
305KB

MD5
3b26e13d105be06f930e809a95fb399c

SHA1
61a906ab4ee7b5d687b736f70bbbb89173cdb4c3

SHA256
e78dbd8eed428347b0d77cf383451f7fc7b2843ad099005649c299b7685bff73

SHA512
824d1c61af74b534ad4d7777563ed75eef7a9654a5bc58c402d47fe28fcd0e3353880d4e64a7ba7941a2dd147c63e64bfd406f2da0b4a5987ea0ca128c4cdc87

Download Submit
C:\Users\Admin\AppData\Roaming\Meofy\atim.exe

Filesize
305KB

MD5
3b26e13d105be06f930e809a95fb399c

SHA1
61a906ab4ee7b5d687b736f70bbbb89173cdb4c3

SHA256
e78dbd8eed428347b0d77cf383451f7fc7b2843ad099005649c299b7685bff73

SHA512
824d1c61af74b534ad4d7777563ed75eef7a9654a5bc58c402d47fe28fcd0e3353880d4e64a7ba7941a2dd147c63e64bfd406f2da0b4a5987ea0ca128c4cdc87

Download Submit
\Users\Admin\AppData\Roaming\Meofy\atim.exe

Filesize
305KB

MD5
3b26e13d105be06f930e809a95fb399c

SHA1
61a906ab4ee7b5d687b736f70bbbb89173cdb4c3

SHA256
e78dbd8eed428347b0d77cf383451f7fc7b2843ad099005649c299b7685bff73

SHA512
824d1c61af74b534ad4d7777563ed75eef7a9654a5bc58c402d47fe28fcd0e3353880d4e64a7ba7941a2dd147c63e64bfd406f2da0b4a5987ea0ca128c4cdc87

Download Submit
\Users\Admin\AppData\Roaming\Meofy\atim.exe

Filesize
305KB

MD5
3b26e13d105be06f930e809a95fb399c

SHA1
61a906ab4ee7b5d687b736f70bbbb89173cdb4c3

SHA256
e78dbd8eed428347b0d77cf383451f7fc7b2843ad099005649c299b7685bff73

SHA512
824d1c61af74b534ad4d7777563ed75eef7a9654a5bc58c402d47fe28fcd0e3353880d4e64a7ba7941a2dd147c63e64bfd406f2da0b4a5987ea0ca128c4cdc87

Download Submit
memory/764-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/764-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/764-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-103-0x0000000000083B6A-mapping.dmp

Download
memory/764-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/764-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/764-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1136-68-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/1136-70-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/1136-69-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/1136-67-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/1136-65-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/1200-76-0x0000000001E50000-0x0000000001E99000-memory.dmp

Filesize
292KB

Download
memory/1200-73-0x0000000001E50000-0x0000000001E99000-memory.dmp

Filesize
292KB

Download
memory/1200-74-0x0000000001E50000-0x0000000001E99000-memory.dmp

Filesize
292KB

Download
memory/1200-75-0x0000000001E50000-0x0000000001E99000-memory.dmp

Filesize
292KB

Download
memory/1288-81-0x0000000002A90000-0x0000000002AD9000-memory.dmp

Filesize
292KB

Download
memory/1288-80-0x0000000002A90000-0x0000000002AD9000-memory.dmp

Filesize
292KB

Download
memory/1288-82-0x0000000002A90000-0x0000000002AD9000-memory.dmp

Filesize
292KB

Download
memory/1288-79-0x0000000002A90000-0x0000000002AD9000-memory.dmp

Filesize
292KB

Download
memory/1596-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1596-59-0x0000000000000000-mapping.dmp

Download
memory/1780-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-102-0x0000000001FB0000-0x0000000001FF9000-memory.dmp

Filesize
292KB

Download
memory/1780-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1780-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1780-88-0x0000000001FB0000-0x0000000001FF9000-memory.dmp

Filesize
292KB

Download
memory/1780-87-0x0000000001FB0000-0x0000000001FF9000-memory.dmp

Filesize
292KB

Download
memory/1780-86-0x0000000001FB0000-0x0000000001FF9000-memory.dmp

Filesize
292KB

Download
memory/1780-85-0x0000000001FB0000-0x0000000001FF9000-memory.dmp

Filesize
292KB

Download
memory/1780-56-0x0000000075001000-0x0000000075003000-memory.dmp

Filesize
8KB

Download
memory/1780-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download