76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3

General

Target

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
Size

248KB
MD5

c21c3dbeca0b9907fecb00fd52af2ed1
SHA1

428c51312b76451a57c60aec540fde14f6ea6b78
SHA256

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3
SHA512

93db1fb60fa399d8a30d8782bb9310cee2cfc68682010d988fb3ce8d6dad17904a4aaefed4b840208ed3d654e92dc5f4c7e87ea8f88adc71784ef9e782b340ed
SSDEEP

6144:A23pwG2Dz3v6bSwTrqEwT2CPTOulbPIS4q:B5wG6zv61/xCrO+bPDX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

duund.exeduund.exe

pid process

1300 duund.exe
1464 duund.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1224 cmd.exe

pid	process
1300	duund.exe
1464	duund.exe

pid	process
1224	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe

pid	process
1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeduund.exe

description	pid	process	target process
PID 1200 set thread context of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1300 set thread context of 1464	1300	duund.exe	duund.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\47373276-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

duund.exe

pid process

1464 duund.exe
1464 duund.exe

pid	process
1464	duund.exe
1464	duund.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
Token: SeManageVolumePrivilege	1904	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1904 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1904 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeduund.exeWinMail.exe

pid process

1200 76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
1300 duund.exe
1904 WinMail.exe

pid	process
1904	WinMail.exe

pid	process
1904	WinMail.exe

pid	process
1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
1300	duund.exe
1904	WinMail.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeduund.exeduund.exeexplorer.exe

description	pid	process	target process
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1200 wrote to memory of 1108	1200	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1108 wrote to memory of 1300	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	duund.exe
PID 1108 wrote to memory of 1300	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	duund.exe
PID 1108 wrote to memory of 1300	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	duund.exe
PID 1108 wrote to memory of 1300	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1300 wrote to memory of 1464	1300	duund.exe	duund.exe
PID 1108 wrote to memory of 1224	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1108 wrote to memory of 1224	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1108 wrote to memory of 1224	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1108 wrote to memory of 1224	1108	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1464 wrote to memory of 1636	1464	duund.exe	explorer.exe
PID 1636 wrote to memory of 1400	1636	explorer.exe	Explorer.EXE
PID 1636 wrote to memory of 1400	1636	explorer.exe	Explorer.EXE
PID 1636 wrote to memory of 1400	1636	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
"C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
"C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe
"C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe
"C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
6⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa1d5dbfb.bat"
4⤵
- Deletes itself
PID:1224

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c82cf16d93fca925c92d75d389a99824

SHA1
74b777497505631fbc455e4c9e8f367c7f8be769

SHA256
2dd0f63cb761e60eba322373b17886886b12bd8196be02574414ffa81a8d7178

SHA512
adf5c6258f4a300854b3e33550b4e10ecf3ee52a82495d3b09c5e70893aa17b456d8081726e638b2aaeb3b7cd671e30a5e397e264da104d0ba8a66b1cd61a9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa1d5dbfb.bat
Filesize
307B

MD5
568f5056456f1dcbeba53ae6db58b66c

SHA1
124f354645e794451480c928ba5f78ef97186884

SHA256
4e237fcf7ff11e0c04727e014faf0a2eebb3e2be102db4c528f1b929b705b85d

SHA512
fdfe37ffb13c32af75de1835482b4c23313b0561d41c1ee092b0e1f734ca2fcc0b0ae4ee3798afdc6a6f0cc0d3cf79340384dd730c8d3363dce005e30bc59145

Download Submit
C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe
Filesize
248KB

MD5
3b9045cd34b9cbe7059a675076208aa4

SHA1
967cbd8ff76a8053bb8d2f3feb1b788dac29042b

SHA256
f464aa5f3cd5bf2d5bfcf854f192a8962e0525d7793373193f3f1b21863fdabb

SHA512
77efec4c65175dbd1ed253e5843b99076de1ca934f15aaf7836775674ab60fe1d96156ab41df361d460057679b606ba3089fabb1ca61a2691fda7ae7242801b8

Download Submit
C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe
Filesize
248KB

MD5
3b9045cd34b9cbe7059a675076208aa4

SHA1
967cbd8ff76a8053bb8d2f3feb1b788dac29042b

SHA256
f464aa5f3cd5bf2d5bfcf854f192a8962e0525d7793373193f3f1b21863fdabb

SHA512
77efec4c65175dbd1ed253e5843b99076de1ca934f15aaf7836775674ab60fe1d96156ab41df361d460057679b606ba3089fabb1ca61a2691fda7ae7242801b8

Download Submit
C:\Users\Admin\AppData\Roaming\Axybiw\duund.exe
Filesize
248KB

MD5
3b9045cd34b9cbe7059a675076208aa4

SHA1
967cbd8ff76a8053bb8d2f3feb1b788dac29042b

SHA256
f464aa5f3cd5bf2d5bfcf854f192a8962e0525d7793373193f3f1b21863fdabb

SHA512
77efec4c65175dbd1ed253e5843b99076de1ca934f15aaf7836775674ab60fe1d96156ab41df361d460057679b606ba3089fabb1ca61a2691fda7ae7242801b8

Download Submit
\Users\Admin\AppData\Roaming\Axybiw\duund.exe
Filesize
248KB

MD5
3b9045cd34b9cbe7059a675076208aa4

SHA1
967cbd8ff76a8053bb8d2f3feb1b788dac29042b

SHA256
f464aa5f3cd5bf2d5bfcf854f192a8962e0525d7793373193f3f1b21863fdabb

SHA512
77efec4c65175dbd1ed253e5843b99076de1ca934f15aaf7836775674ab60fe1d96156ab41df361d460057679b606ba3089fabb1ca61a2691fda7ae7242801b8

Download Submit
\Users\Admin\AppData\Roaming\Axybiw\duund.exe
Filesize
248KB

MD5
3b9045cd34b9cbe7059a675076208aa4

SHA1
967cbd8ff76a8053bb8d2f3feb1b788dac29042b

SHA256
f464aa5f3cd5bf2d5bfcf854f192a8962e0525d7793373193f3f1b21863fdabb

SHA512
77efec4c65175dbd1ed253e5843b99076de1ca934f15aaf7836775674ab60fe1d96156ab41df361d460057679b606ba3089fabb1ca61a2691fda7ae7242801b8

Download Submit
memory/1108-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-58-0x0000000000405DC9-mapping.dmp

Download
memory/1108-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1200-56-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-59-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1224-80-0x0000000000000000-mapping.dmp

Download
memory/1300-67-0x0000000000000000-mapping.dmp

Download
memory/1464-75-0x0000000000405DC9-mapping.dmp

Download
memory/1464-109-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1464-108-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1636-88-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-87-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-86-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-92-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1636-90-0x0000000000000000-mapping.dmp

Download
memory/1636-112-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-85-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-82-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-107-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1636-89-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1904-93-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1904-101-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1904-95-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/1904-94-0x000007FEF6A21000-0x000007FEF6A23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads