f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
Size

295KB
MD5

c1a460115e757a30d1e70ab79e6e7abc
SHA1

ec7e3da6aaf1f3247189732f997fd535b16a157d
SHA256

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d
SHA512

202ba40829735e01d6cc809a2e964ef438241a088c448abe93d815ccd00f56428f365b4273c7ca036ee6030c0b392c5aef555e03c71356c8baff39d786ff2b99
SSDEEP

6144:YFBLHT/5oGXLKMioMTj4P+YMsGOkk4W4HTPs2erNm3:Y/v/5oGXUtT82YXRL4Wd22g3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vium.exe

pid process

1532 vium.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1968 cmd.exe

pid	process
1968	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe

pid	process
1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vium.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	vium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7666262C-A453-7E09-A104-2BAB2380F87E} = "C:\\Users\\Admin\\AppData\\Roaming\\Piel\\vium.exe"	vium.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exevium.exe

pid process

1480 f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
1532 vium.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe

description	pid	process	target process
PID 1480 set thread context of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\324224B5-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

vium.exe

pid	process
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe
1532	vium.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
Token: SeSecurityPrivilege	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
Token: SeSecurityPrivilege	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
Token: SeManageVolumePrivilege	1552	WinMail.exe
Token: SeSecurityPrivilege	1968	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1552 WinMail.exe

pid	process
1552	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exevium.exe

description	pid	process	target process
PID 1480 wrote to memory of 1532	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	vium.exe
PID 1480 wrote to memory of 1532	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	vium.exe
PID 1480 wrote to memory of 1532	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	vium.exe
PID 1480 wrote to memory of 1532	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	vium.exe
PID 1532 wrote to memory of 1248	1532	vium.exe	taskhost.exe
PID 1532 wrote to memory of 1248	1532	vium.exe	taskhost.exe
PID 1532 wrote to memory of 1248	1532	vium.exe	taskhost.exe
PID 1532 wrote to memory of 1248	1532	vium.exe	taskhost.exe
PID 1532 wrote to memory of 1248	1532	vium.exe	taskhost.exe
PID 1532 wrote to memory of 1360	1532	vium.exe	Dwm.exe
PID 1532 wrote to memory of 1360	1532	vium.exe	Dwm.exe
PID 1532 wrote to memory of 1360	1532	vium.exe	Dwm.exe
PID 1532 wrote to memory of 1360	1532	vium.exe	Dwm.exe
PID 1532 wrote to memory of 1360	1532	vium.exe	Dwm.exe
PID 1532 wrote to memory of 1392	1532	vium.exe	Explorer.EXE
PID 1532 wrote to memory of 1392	1532	vium.exe	Explorer.EXE
PID 1532 wrote to memory of 1392	1532	vium.exe	Explorer.EXE
PID 1532 wrote to memory of 1392	1532	vium.exe	Explorer.EXE
PID 1532 wrote to memory of 1392	1532	vium.exe	Explorer.EXE
PID 1532 wrote to memory of 1480	1532	vium.exe	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
PID 1532 wrote to memory of 1480	1532	vium.exe	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
PID 1532 wrote to memory of 1480	1532	vium.exe	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
PID 1532 wrote to memory of 1480	1532	vium.exe	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
PID 1532 wrote to memory of 1480	1532	vium.exe	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
PID 1532 wrote to memory of 1552	1532	vium.exe	WinMail.exe
PID 1532 wrote to memory of 1552	1532	vium.exe	WinMail.exe
PID 1532 wrote to memory of 1552	1532	vium.exe	WinMail.exe
PID 1532 wrote to memory of 1552	1532	vium.exe	WinMail.exe
PID 1532 wrote to memory of 1552	1532	vium.exe	WinMail.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1480 wrote to memory of 1968	1480	f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe	cmd.exe
PID 1532 wrote to memory of 1672	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1672	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1672	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1672	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1672	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1604	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1604	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1604	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1604	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 1604	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 632	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 632	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 632	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 632	1532	vium.exe	DllHost.exe
PID 1532 wrote to memory of 632	1532	vium.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe
"C:\Users\Admin\AppData\Local\Temp\f1eb3681d121b45c0a1f330d9708bbef40ee5570067acc3a238e8da16ad8fd2d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\Piel\vium.exe
"C:\Users\Admin\AppData\Roaming\Piel\vium.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe3bbe2c2.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe3bbe2c2.bat

Filesize
307B

MD5
6e3de92247777c04a6885eb35582c6bb

SHA1
37d45e8f4a44808ad45015d76e7ceef2f73a9b18

SHA256
5deb428a51517693a6e72b56faf69c4e0bc683396208b48c2e96ca1b143b9ea1

SHA512
5f92dc5e0bad79ad11896e7caf2f419e8ebf4fc853d449c820f46b5c1cb5f203e8aa8b6ea415657098c61bb00374d1c626540b9b3605265a721a34e7f69c1f5b

Download Submit
C:\Users\Admin\AppData\Roaming\Piel\vium.exe

Filesize
295KB

MD5
0cc8a2da2a2b863e96121387c0d57cf6

SHA1
b12d73619cc071010f2599dfd3f042ae44a8c749

SHA256
b78f473c6739219a56aaa8550b8ebac88793d7ab3c9d93898e211e06d1e18773

SHA512
212cab9b6af2de636b3ebd67b5a9dd3ee3f9ede8d8040d910f2d9eac5fa5c25fec2d2ca1887ee3986fb40f3cd8f2d8354ca304dfba8a9605a7b60465e6261e73

Download Submit
C:\Users\Admin\AppData\Roaming\Piel\vium.exe

Filesize
295KB

MD5
0cc8a2da2a2b863e96121387c0d57cf6

SHA1
b12d73619cc071010f2599dfd3f042ae44a8c749

SHA256
b78f473c6739219a56aaa8550b8ebac88793d7ab3c9d93898e211e06d1e18773

SHA512
212cab9b6af2de636b3ebd67b5a9dd3ee3f9ede8d8040d910f2d9eac5fa5c25fec2d2ca1887ee3986fb40f3cd8f2d8354ca304dfba8a9605a7b60465e6261e73

Download Submit
C:\Users\Admin\AppData\Roaming\Zoerfo\haer.syy

Filesize
398B

MD5
fde597ba01f10de0d705ca6bbecddf15

SHA1
4e09480eea79ebfd499156f31a578c375ae505b5

SHA256
e7f18a0f510a23bb698c67e262dd8d4bcb3fc8549a432da7188c922c6f09f27f

SHA512
010f546d5d7f2a5f8d1c12fc77198849cee8d8032766da2215acf20d7b6ac85ab92c1b422601a3d6c75359ac3ce56b83ebde3f666ee861bb15802d977901fe9c

Download Submit
\Users\Admin\AppData\Roaming\Piel\vium.exe

Filesize
295KB

MD5
0cc8a2da2a2b863e96121387c0d57cf6

SHA1
b12d73619cc071010f2599dfd3f042ae44a8c749

SHA256
b78f473c6739219a56aaa8550b8ebac88793d7ab3c9d93898e211e06d1e18773

SHA512
212cab9b6af2de636b3ebd67b5a9dd3ee3f9ede8d8040d910f2d9eac5fa5c25fec2d2ca1887ee3986fb40f3cd8f2d8354ca304dfba8a9605a7b60465e6261e73

Download Submit
\Users\Admin\AppData\Roaming\Piel\vium.exe

Filesize
295KB

MD5
0cc8a2da2a2b863e96121387c0d57cf6

SHA1
b12d73619cc071010f2599dfd3f042ae44a8c749

SHA256
b78f473c6739219a56aaa8550b8ebac88793d7ab3c9d93898e211e06d1e18773

SHA512
212cab9b6af2de636b3ebd67b5a9dd3ee3f9ede8d8040d910f2d9eac5fa5c25fec2d2ca1887ee3986fb40f3cd8f2d8354ca304dfba8a9605a7b60465e6261e73

Download Submit
memory/1248-64-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1248-66-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1248-68-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1248-69-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1248-67-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1360-75-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1392-80-0x0000000002680000-0x00000000026A7000-memory.dmp

Filesize
156KB

Download
memory/1392-79-0x0000000002680000-0x00000000026A7000-memory.dmp

Filesize
156KB

Download
memory/1392-81-0x0000000002680000-0x00000000026A7000-memory.dmp

Filesize
156KB

Download
memory/1392-78-0x0000000002680000-0x00000000026A7000-memory.dmp

Filesize
156KB

Download
memory/1480-86-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1480-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1480-57-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1480-84-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1480-85-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1480-56-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1480-87-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1480-123-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1480-89-0x0000000004450000-0x0000000006319000-memory.dmp

Filesize
30.8MB

Download
memory/1480-97-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1480-91-0x0000000004450000-0x0000000006319000-memory.dmp

Filesize
30.8MB

Download
memory/1480-55-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1532-93-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1532-125-0x0000000000400000-0x00000000022C9000-memory.dmp

Filesize
30.8MB

Download
memory/1532-60-0x0000000000000000-mapping.dmp

Download
memory/1552-88-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1552-100-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/1552-111-0x0000000003DC0000-0x0000000003DE7000-memory.dmp

Filesize
156KB

Download
memory/1552-109-0x0000000003DC0000-0x0000000003DE7000-memory.dmp

Filesize
156KB

Download
memory/1552-108-0x0000000003DC0000-0x0000000003DE7000-memory.dmp

Filesize
156KB

Download
memory/1552-110-0x0000000003DC0000-0x0000000003DE7000-memory.dmp

Filesize
156KB

Download
memory/1552-90-0x000007FEF6431000-0x000007FEF6433000-memory.dmp

Filesize
8KB

Download
memory/1552-92-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/1604-135-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1604-134-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1672-130-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1672-129-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1672-131-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1672-128-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1968-115-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1968-122-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1968-120-0x0000000000062CBA-mapping.dmp

Download
memory/1968-119-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1968-118-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1968-117-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download