fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b

General

Target

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
Size

138KB
MD5

9f8a279291750bb97d5c1eae362238b8
SHA1

f069f5a50bc586b7f4c42e5d1ea092d9e742181f
SHA256

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b
SHA512

4b8ff0daa8278e5c02e5dcd4cf6302d04bb18dce278056aa51b07761068f6e119f50c3c18748c0dfd388486757624f507780e81644450227fd42f498bbdbfb88
SSDEEP

3072:8zE81egey1vlx3KiIbf7g3qJFjysgycTxgmipEoKrCyt0lxFVsrT:8zE81Xllx3Kpj0qebycdgmiWWN+rT

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

acfa.exe

pid process

1820 acfa.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1380 cmd.exe

pid	process
1380	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe

pid	process
1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

acfa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	acfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B183C628-1F6C-8B57-8212-86222F7353BB} = "C:\\Users\\Admin\\AppData\\Roaming\\Sulee\\acfa.exe"	acfa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe

description	pid	process	target process
PID 1600 set thread context of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\33D03602-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

acfa.exe

pid	process
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe
1820	acfa.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
Token: SeSecurityPrivilege	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
Token: SeSecurityPrivilege	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
Token: SeManageVolumePrivilege	1052	WinMail.exe
Token: SeSecurityPrivilege	1380	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1052 WinMail.exe

pid	process
1052	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exeacfa.exe

description	pid	process	target process
PID 1600 wrote to memory of 1820	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	acfa.exe
PID 1600 wrote to memory of 1820	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	acfa.exe
PID 1600 wrote to memory of 1820	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	acfa.exe
PID 1600 wrote to memory of 1820	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	acfa.exe
PID 1820 wrote to memory of 1120	1820	acfa.exe	taskhost.exe
PID 1820 wrote to memory of 1120	1820	acfa.exe	taskhost.exe
PID 1820 wrote to memory of 1120	1820	acfa.exe	taskhost.exe
PID 1820 wrote to memory of 1120	1820	acfa.exe	taskhost.exe
PID 1820 wrote to memory of 1120	1820	acfa.exe	taskhost.exe
PID 1820 wrote to memory of 1168	1820	acfa.exe	Dwm.exe
PID 1820 wrote to memory of 1168	1820	acfa.exe	Dwm.exe
PID 1820 wrote to memory of 1168	1820	acfa.exe	Dwm.exe
PID 1820 wrote to memory of 1168	1820	acfa.exe	Dwm.exe
PID 1820 wrote to memory of 1168	1820	acfa.exe	Dwm.exe
PID 1820 wrote to memory of 1232	1820	acfa.exe	Explorer.EXE
PID 1820 wrote to memory of 1232	1820	acfa.exe	Explorer.EXE
PID 1820 wrote to memory of 1232	1820	acfa.exe	Explorer.EXE
PID 1820 wrote to memory of 1232	1820	acfa.exe	Explorer.EXE
PID 1820 wrote to memory of 1232	1820	acfa.exe	Explorer.EXE
PID 1820 wrote to memory of 1600	1820	acfa.exe	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
PID 1820 wrote to memory of 1600	1820	acfa.exe	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
PID 1820 wrote to memory of 1600	1820	acfa.exe	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
PID 1820 wrote to memory of 1600	1820	acfa.exe	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
PID 1820 wrote to memory of 1600	1820	acfa.exe	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
PID 1820 wrote to memory of 1052	1820	acfa.exe	WinMail.exe
PID 1820 wrote to memory of 1052	1820	acfa.exe	WinMail.exe
PID 1820 wrote to memory of 1052	1820	acfa.exe	WinMail.exe
PID 1820 wrote to memory of 1052	1820	acfa.exe	WinMail.exe
PID 1820 wrote to memory of 1052	1820	acfa.exe	WinMail.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1600 wrote to memory of 1380	1600	fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe	cmd.exe
PID 1820 wrote to memory of 964	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 964	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 964	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 964	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 964	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1368	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1368	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1368	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1368	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1368	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1776	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1776	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1776	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1776	1820	acfa.exe	DllHost.exe
PID 1820 wrote to memory of 1776	1820	acfa.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe
"C:\Users\Admin\AppData\Local\Temp\fb12523b8300788f14c351a071c57da8dff793316916980510cf7feef4f83a8b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Roaming\Sulee\acfa.exe
"C:\Users\Admin\AppData\Roaming\Sulee\acfa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe75b18e4.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe75b18e4.bat
Filesize
307B

MD5
30da88a6617ae0a3e0932e4fdc7d88c2

SHA1
b516f4bce694e4fcc3f206ebe914e8699f4a8478

SHA256
ac84ba03f824936b4be85aa6e3785ecdd405f44556f3c45ad8669c8a9ebb8343

SHA512
800ffd6fada307ab2e0615a563e237eb8e50e6f1a73d6289d33becbe22008f346cf06b1dc29f4eed42a767dab1b952cb7c4acd8adfa3f1977a0a96f04a7fe9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Faempi\zaen.bix
Filesize
398B

MD5
1fc80b64d5a36d114537d47b961ab972

SHA1
13943f7c6a4b2a1ffa77112ac9bda206cb2ef08a

SHA256
47133609ab3b4ee3a6171a7a9f49153ce496f9d8cb12cef73d2c46b6eedd8f62

SHA512
4e8009135c802f770c1bd8650f284228664bcdc94c6a21eacc58eab1066e590c1c51432421f9008a36e79f7f6b21bfa4f1de84dd6a5a7dd3eaa442ac4b0421c4

Download Submit
C:\Users\Admin\AppData\Roaming\Sulee\acfa.exe
Filesize
138KB

MD5
406548e186fa74e336d718cb29ea7cc5

SHA1
4bc16738675e67371b9f51a8d3a63b07787d0317

SHA256
985b27ab2ebd92d8c1b64a86986112c2a098ed3a0c0627ecf7978ce9dc8abc74

SHA512
d485488c0dc048fb11d684fab6b16670053ad825d5f71dc22af356b7a0e0459dd301dce76591caf33da2305cc340996ef96bbc9b4d7e14dce3734c773bb15717

Download Submit
C:\Users\Admin\AppData\Roaming\Sulee\acfa.exe
Filesize
138KB

MD5
406548e186fa74e336d718cb29ea7cc5

SHA1
4bc16738675e67371b9f51a8d3a63b07787d0317

SHA256
985b27ab2ebd92d8c1b64a86986112c2a098ed3a0c0627ecf7978ce9dc8abc74

SHA512
d485488c0dc048fb11d684fab6b16670053ad825d5f71dc22af356b7a0e0459dd301dce76591caf33da2305cc340996ef96bbc9b4d7e14dce3734c773bb15717

Download Submit
\Users\Admin\AppData\Roaming\Sulee\acfa.exe
Filesize
138KB

MD5
406548e186fa74e336d718cb29ea7cc5

SHA1
4bc16738675e67371b9f51a8d3a63b07787d0317

SHA256
985b27ab2ebd92d8c1b64a86986112c2a098ed3a0c0627ecf7978ce9dc8abc74

SHA512
d485488c0dc048fb11d684fab6b16670053ad825d5f71dc22af356b7a0e0459dd301dce76591caf33da2305cc340996ef96bbc9b4d7e14dce3734c773bb15717

Download Submit
\Users\Admin\AppData\Roaming\Sulee\acfa.exe
Filesize
138KB

MD5
406548e186fa74e336d718cb29ea7cc5

SHA1
4bc16738675e67371b9f51a8d3a63b07787d0317

SHA256
985b27ab2ebd92d8c1b64a86986112c2a098ed3a0c0627ecf7978ce9dc8abc74

SHA512
d485488c0dc048fb11d684fab6b16670053ad825d5f71dc22af356b7a0e0459dd301dce76591caf33da2305cc340996ef96bbc9b4d7e14dce3734c773bb15717

Download Submit
memory/964-123-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/964-121-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/964-122-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/964-120-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1052-103-0x0000000004880000-0x00000000048A7000-memory.dmp

Filesize
156KB

Download
memory/1052-104-0x0000000004880000-0x00000000048A7000-memory.dmp

Filesize
156KB

Download
memory/1052-94-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/1052-88-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1052-87-0x000007FEF6571000-0x000007FEF6573000-memory.dmp

Filesize
8KB

Download
memory/1052-86-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1052-105-0x0000000004880000-0x00000000048A7000-memory.dmp

Filesize
156KB

Download
memory/1052-102-0x0000000004880000-0x00000000048A7000-memory.dmp

Filesize
156KB

Download
memory/1120-64-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1120-66-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1120-61-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1120-63-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1120-65-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1168-69-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1168-72-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1168-71-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1168-70-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1232-75-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/1232-78-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/1232-76-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/1232-77-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/1368-127-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1368-126-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1380-110-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1380-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1380-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1380-114-0x00000000000605F0-mapping.dmp

Download
memory/1380-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1380-117-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-85-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1600-84-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1600-83-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1600-82-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1600-81-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1820-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads