3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984

Analysis

max time kernel
152s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Size

420KB
MD5

c9cc8b473e688977cfe8f372a5c8df09
SHA1

69378d1062c100d2c74eaa149c662a48a4645906
SHA256

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984
SHA512

d045f82bf29284fad97c3bc77b1f81abd47e395a70eea1cc461f22370bf2e94f8c20615f1d41bee0c7f43fac67f4774dfe6cb7716ac112ea629c43f5f81d64c2
SSDEEP

6144:ke9gLFazjEImp3vRaso7pywUFUP4xN6Io2urjuyF/MnALjyF:yRcjEIORaskpywUFUwgIo2gjuTnAaF

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

yqzu.exeyqzu.exeyqzu.exe

pid process

676 yqzu.exe
1112 yqzu.exe
1212 yqzu.exe
Loads dropped DLL 1 IoCs

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

pid process

2000 3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

pid	process
676	yqzu.exe
1112	yqzu.exe
1212	yqzu.exe

pid	process
2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yqzu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	yqzu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{BC16E362-C29B-EA16-403B-EF65254F307B} = "C:\\Users\\Admin\\AppData\\Roaming\\Edpami\\yqzu.exe"	yqzu.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exeyqzu.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

description	pid	process	target process
PID 1228 set thread context of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 676 set thread context of 1112	676	yqzu.exe	yqzu.exe
PID 2008 set thread context of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1844 set thread context of 1644	1844	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1844 set thread context of 1644	1844	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1844 set thread context of 856	1844	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\206A7686-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exeyqzu.exe

pid	process
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
1112	yqzu.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe
1112	yqzu.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Token: SeSecurityPrivilege	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Token: SeSecurityPrivilege	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Token: SeSecurityPrivilege	1844	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Token: SeSecurityPrivilege	1844	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
Token: SeManageVolumePrivilege	1336	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1336 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1336 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1336 WinMail.exe

pid	process
1336	WinMail.exe

pid	process
1336	WinMail.exe

pid	process
1336	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exeyqzu.exeyqzu.exe3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

description	pid	process	target process
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2000	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2008	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2008	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2008	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1228 wrote to memory of 2008	1228	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2000 wrote to memory of 676	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	yqzu.exe
PID 2000 wrote to memory of 676	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	yqzu.exe
PID 2000 wrote to memory of 676	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	yqzu.exe
PID 2000 wrote to memory of 676	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1112	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1212	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1212	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1212	676	yqzu.exe	yqzu.exe
PID 676 wrote to memory of 1212	676	yqzu.exe	yqzu.exe
PID 1112 wrote to memory of 1132	1112	yqzu.exe	taskhost.exe
PID 1112 wrote to memory of 1132	1112	yqzu.exe	taskhost.exe
PID 1112 wrote to memory of 1132	1112	yqzu.exe	taskhost.exe
PID 1112 wrote to memory of 1132	1112	yqzu.exe	taskhost.exe
PID 1112 wrote to memory of 1132	1112	yqzu.exe	taskhost.exe
PID 1112 wrote to memory of 1192	1112	yqzu.exe	Dwm.exe
PID 1112 wrote to memory of 1192	1112	yqzu.exe	Dwm.exe
PID 1112 wrote to memory of 1192	1112	yqzu.exe	Dwm.exe
PID 1112 wrote to memory of 1192	1112	yqzu.exe	Dwm.exe
PID 1112 wrote to memory of 1192	1112	yqzu.exe	Dwm.exe
PID 1112 wrote to memory of 1268	1112	yqzu.exe	Explorer.EXE
PID 1112 wrote to memory of 1268	1112	yqzu.exe	Explorer.EXE
PID 1112 wrote to memory of 1268	1112	yqzu.exe	Explorer.EXE
PID 1112 wrote to memory of 1268	1112	yqzu.exe	Explorer.EXE
PID 1112 wrote to memory of 1268	1112	yqzu.exe	Explorer.EXE
PID 1112 wrote to memory of 2000	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2000	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2000	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2000	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2000	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2000 wrote to memory of 1736	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	cmd.exe
PID 2000 wrote to memory of 1736	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	cmd.exe
PID 2000 wrote to memory of 1736	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	cmd.exe
PID 2000 wrote to memory of 1736	2000	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	cmd.exe
PID 1112 wrote to memory of 2008	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2008	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2008	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2008	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 1112 wrote to memory of 2008	1112	yqzu.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2008 wrote to memory of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2008 wrote to memory of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2008 wrote to memory of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2008 wrote to memory of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
PID 2008 wrote to memory of 1844	2008	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe	3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe
"C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe
"C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe
"C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe" ouisUOkuiWGDN¤½Zd LBFFWAHNW 1112
5⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8bcf0a2.bat"
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe" ouisUOkuiWGDN¤½Zd LBFFWAHNW 2000
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe"
5⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe
"C:\Users\Admin\AppData\Local\Temp\3a3ebe672c11bfb71c98711fac541da1f8900dc4f8b59a8d662d8c5993135984.exe" ouisUOkuiWGDN¤½Zd LBFFWAHNW 1644
5⤵
PID:856

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599633321734122105-15489587792102238659-368700900-1303125052-744328874-1346433625"
1⤵
PID:872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1176

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe8bcf0a2.bat

Filesize
307B

MD5
dfee76bd156e9530cff027e74deefdf5

SHA1
7a4569a344a17365b21a1b4e2aef4cd22b6694d9

SHA256
db03b54ff56a2530d76019263265db71a6cdd354577f400c9c1e56a0299d49e7

SHA512
8deddaf05fd2469c1a85cfbcb1dd72b5eafad93a0eb34a724fb805e5488c7ca1035cf310925d6aa966741ab60fbfadef37ed9cb26981da0b741813ff9a97a8f4

Download Submit
C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe

Filesize
420KB

MD5
1eb91a8ff108151433fde4b33333922f

SHA1
85633dad41a992a3fac14c234f56ee687a0861da

SHA256
7de8d7250ca356638cef3600f35fb63bff5bfff29f640caddd1a4094056d61a8

SHA512
2ab360b135e8187af2be1a11c92437a26196a179d4c315126b478542d442e32c7b5b958d3a9609718a0d25f3ad92304e1dd9619e35844503ca6cca8e6a0fe90e

Download Submit
C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe

Filesize
420KB

MD5
1eb91a8ff108151433fde4b33333922f

SHA1
85633dad41a992a3fac14c234f56ee687a0861da

SHA256
7de8d7250ca356638cef3600f35fb63bff5bfff29f640caddd1a4094056d61a8

SHA512
2ab360b135e8187af2be1a11c92437a26196a179d4c315126b478542d442e32c7b5b958d3a9609718a0d25f3ad92304e1dd9619e35844503ca6cca8e6a0fe90e

Download Submit
C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe

Filesize
420KB

MD5
1eb91a8ff108151433fde4b33333922f

SHA1
85633dad41a992a3fac14c234f56ee687a0861da

SHA256
7de8d7250ca356638cef3600f35fb63bff5bfff29f640caddd1a4094056d61a8

SHA512
2ab360b135e8187af2be1a11c92437a26196a179d4c315126b478542d442e32c7b5b958d3a9609718a0d25f3ad92304e1dd9619e35844503ca6cca8e6a0fe90e

Download Submit
C:\Users\Admin\AppData\Roaming\Edpami\yqzu.exe

Filesize
420KB

MD5
1eb91a8ff108151433fde4b33333922f

SHA1
85633dad41a992a3fac14c234f56ee687a0861da

SHA256
7de8d7250ca356638cef3600f35fb63bff5bfff29f640caddd1a4094056d61a8

SHA512
2ab360b135e8187af2be1a11c92437a26196a179d4c315126b478542d442e32c7b5b958d3a9609718a0d25f3ad92304e1dd9619e35844503ca6cca8e6a0fe90e

Download Submit
C:\Users\Admin\AppData\Roaming\Fekiby\qome.uvm

Filesize
796B

MD5
6abc91491551d585f1ad1d5da932f5af

SHA1
e888a90eb08cd907a9a326a5b4e67247eaef6145

SHA256
c8f54656a0a998919d827148530c46fcdeacb5f494354f7f81522421152afc48

SHA512
85962edcf1e3c965bf057858487dea718727e7ebbc57df966b5aa2512bf098c196e0e13fdc4a9f68d159a785619c8eeb3ea521defafff4366484ac7f30b0c9d8

Download Submit
C:\Users\Admin\AppData\Roaming\Fekiby\qome.uvm

Filesize
796B

MD5
6abc91491551d585f1ad1d5da932f5af

SHA1
e888a90eb08cd907a9a326a5b4e67247eaef6145

SHA256
c8f54656a0a998919d827148530c46fcdeacb5f494354f7f81522421152afc48

SHA512
85962edcf1e3c965bf057858487dea718727e7ebbc57df966b5aa2512bf098c196e0e13fdc4a9f68d159a785619c8eeb3ea521defafff4366484ac7f30b0c9d8

Download Submit
\Users\Admin\AppData\Roaming\Edpami\yqzu.exe

Filesize
420KB

MD5
1eb91a8ff108151433fde4b33333922f

SHA1
85633dad41a992a3fac14c234f56ee687a0861da

SHA256
7de8d7250ca356638cef3600f35fb63bff5bfff29f640caddd1a4094056d61a8

SHA512
2ab360b135e8187af2be1a11c92437a26196a179d4c315126b478542d442e32c7b5b958d3a9609718a0d25f3ad92304e1dd9619e35844503ca6cca8e6a0fe90e

Download Submit
memory/676-73-0x0000000000000000-mapping.dmp

Download
memory/856-222-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/856-219-0x0000000000062CBA-mapping.dmp

Download
memory/1112-83-0x0000000000413048-mapping.dmp

Download
memory/1112-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1132-94-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-96-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-97-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-98-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1192-102-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-101-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-104-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-103-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1212-85-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1268-107-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-108-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-110-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-109-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1644-221-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1644-208-0x0000000000413048-mapping.dmp

Download
memory/1736-147-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/1736-118-0x0000000000000000-mapping.dmp

Download
memory/1844-135-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1844-133-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1844-155-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1844-138-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1844-136-0x0000000000062CBA-mapping.dmp

Download
memory/1844-131-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1844-134-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2000-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-119-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-120-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-117-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-116-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-115-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2000-114-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-113-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2000-62-0x0000000000413048-mapping.dmp

Download
memory/2000-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2008-128-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2008-127-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2008-126-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2008-125-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2008-124-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2008-64-0x0000000000000000-mapping.dmp

Download