bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f

Analysis

max time kernel
152s
max time network
191s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe
Size

1011KB
MD5

8d050e6c36bddfe517c452ef3fb8da49
SHA1

db605bb62115600deabdd657c8fa97c7fd8893d7
SHA256

bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f
SHA512

f5ff92335fde85625f2e8c222eb72a7010a200db5ba760cfe69db7b25fffc2af9cb460939e1e76998863e760900a2f40eb5e1fdd78cadd0c8a466cffb335988f
SSDEEP

12288:0ibYXCz2cMSy8DayqcpRxUKME+mgeaeyDt4U+ifnUzLLLqaWbe477rTXIt6g5Z:09mrRDa4psLPDt4WfnUzTYbeMzy6g5Z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1508	uzti.exe
864	uzti.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe
1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1508 set thread context of 864	1508	uzti.exe	30

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2BB66FC4-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	uzti.exe
864	uzti.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe
Token: SeManageVolumePrivilege	1476	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1476	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	WinMail.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1356 wrote to memory of 1364	1356	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	28
PID 1364 wrote to memory of 1508	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	29
PID 1364 wrote to memory of 1508	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	29
PID 1364 wrote to memory of 1508	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	29
PID 1364 wrote to memory of 1508	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	29
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1508 wrote to memory of 864	1508	uzti.exe	30
PID 1364 wrote to memory of 2036	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	32
PID 1364 wrote to memory of 2036	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	32
PID 1364 wrote to memory of 2036	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	32
PID 1364 wrote to memory of 2036	1364	bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe	32
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 864 wrote to memory of 780	864	uzti.exe	31
PID 780 wrote to memory of 1272	780	explorer.exe	20
PID 780 wrote to memory of 1272	780	explorer.exe	20
PID 780 wrote to memory of 1272	780	explorer.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe
  "C:\Users\Admin\AppData\Local\Temp\bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe
    "C:\Users\Admin\AppData\Local\Temp\bf05271b69324450c1368edd962fd7254822b5b5c8fcc60e41a5a6fdc5b75e4f.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe
      "C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe
        
        "C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe6f3ec0a.bat"
      4⤵
      Deletes itself
      PID:2036

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe6f3ec0a.bat

Filesize
307B

MD5
4f2f2e0d14c481e6ac4930d93f381215

SHA1
91502190f4e5010c4778a6430453c461175c5c18

SHA256
a4233f56ab1c54233525cd2446ad720e27017010ff7fb05f53f9f18192a85f09

SHA512
ce7033e67614610a310ca0910ad874bb4dee5868c19897b2554bd5f3276df972ab96d945fd5a781a77650458c584700e6315dba0ea24463e33de732f2bc3abd3

Download Submit
C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe

Filesize
1011KB

MD5
2edd4f341ef87610183aa1fcd524fa44

SHA1
8ecb145fb164d237c14d031199d4b31921d4615b

SHA256
4cd400dc177dbeabefcfb3352e0f3041f03b83a54f487bcfe16941194444ef49

SHA512
e814396202d346b5b731606cb1d781b34659ed26fa2766b6a0c7344bac98c775ec68dd006e5a80944cdd571b7ff5e062b5a07d47943616aef3f447eb18c8a4e6

Download Submit
C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe

Filesize
1011KB

MD5
2edd4f341ef87610183aa1fcd524fa44

SHA1
8ecb145fb164d237c14d031199d4b31921d4615b

SHA256
4cd400dc177dbeabefcfb3352e0f3041f03b83a54f487bcfe16941194444ef49

SHA512
e814396202d346b5b731606cb1d781b34659ed26fa2766b6a0c7344bac98c775ec68dd006e5a80944cdd571b7ff5e062b5a07d47943616aef3f447eb18c8a4e6

Download Submit
C:\Users\Admin\AppData\Roaming\Ablic\uzti.exe

Filesize
1011KB

MD5
2edd4f341ef87610183aa1fcd524fa44

SHA1
8ecb145fb164d237c14d031199d4b31921d4615b

SHA256
4cd400dc177dbeabefcfb3352e0f3041f03b83a54f487bcfe16941194444ef49

SHA512
e814396202d346b5b731606cb1d781b34659ed26fa2766b6a0c7344bac98c775ec68dd006e5a80944cdd571b7ff5e062b5a07d47943616aef3f447eb18c8a4e6

Download Submit
\Users\Admin\AppData\Roaming\Ablic\uzti.exe

Filesize
1011KB

MD5
2edd4f341ef87610183aa1fcd524fa44

SHA1
8ecb145fb164d237c14d031199d4b31921d4615b

SHA256
4cd400dc177dbeabefcfb3352e0f3041f03b83a54f487bcfe16941194444ef49

SHA512
e814396202d346b5b731606cb1d781b34659ed26fa2766b6a0c7344bac98c775ec68dd006e5a80944cdd571b7ff5e062b5a07d47943616aef3f447eb18c8a4e6

Download Submit
\Users\Admin\AppData\Roaming\Ablic\uzti.exe

Filesize
1011KB

MD5
2edd4f341ef87610183aa1fcd524fa44

SHA1
8ecb145fb164d237c14d031199d4b31921d4615b

SHA256
4cd400dc177dbeabefcfb3352e0f3041f03b83a54f487bcfe16941194444ef49

SHA512
e814396202d346b5b731606cb1d781b34659ed26fa2766b6a0c7344bac98c775ec68dd006e5a80944cdd571b7ff5e062b5a07d47943616aef3f447eb18c8a4e6

Download Submit
memory/780-88-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-94-0x0000000074991000-0x0000000074993000-memory.dmp

Filesize
8KB

Download
memory/780-89-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-96-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-87-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-86-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-90-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/780-112-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/864-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/864-110-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/864-111-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-61-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/1364-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1364-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1476-95-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1476-98-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/1476-104-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/1476-97-0x000007FEF63E1000-0x000007FEF63E3000-memory.dmp

Filesize
8KB

Download