9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 05:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
Size

93KB
MD5

c8ef7e0f7816df4fc6548a6d3b2ef3ea
SHA1

0a8f9d53f701b59a0a3834e7920e58799deaa073
SHA256

9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97
SHA512

861235643cf3dcbb3c19a6aaac8556020bf3988670b5de119d44ed8e483c483b9b5ceb89dddc51fc28dc188f76bb863ea7fb5f31ce143f61e380738e7096c8f0
SSDEEP

1536:XwH8vwlr3QF/GTqg8HLhobQLAfm5b8HLljs2mwEhstzWrYe:yblr39Og8HlKQLAfMmLljJmwEixWrN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
884	wimee.exe

Deletes itself 1 IoCs

pid	Process
648	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	wimee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{69380601-2FD2-87D8-CBFA-D60AA98D9D84} = "C:\\Users\\Admin\\AppData\\Roaming\\Luroev\\wimee.exe"	wimee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe
884	wimee.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
Token: SeSecurityPrivilege	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
Token: SeSecurityPrivilege	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 884	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	28
PID 1392 wrote to memory of 884	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	28
PID 1392 wrote to memory of 884	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	28
PID 1392 wrote to memory of 884	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	28
PID 884 wrote to memory of 1120	884	wimee.exe	18
PID 884 wrote to memory of 1120	884	wimee.exe	18
PID 884 wrote to memory of 1120	884	wimee.exe	18
PID 884 wrote to memory of 1120	884	wimee.exe	18
PID 884 wrote to memory of 1120	884	wimee.exe	18
PID 884 wrote to memory of 1176	884	wimee.exe	17
PID 884 wrote to memory of 1176	884	wimee.exe	17
PID 884 wrote to memory of 1176	884	wimee.exe	17
PID 884 wrote to memory of 1176	884	wimee.exe	17
PID 884 wrote to memory of 1176	884	wimee.exe	17
PID 884 wrote to memory of 1212	884	wimee.exe	16
PID 884 wrote to memory of 1212	884	wimee.exe	16
PID 884 wrote to memory of 1212	884	wimee.exe	16
PID 884 wrote to memory of 1212	884	wimee.exe	16
PID 884 wrote to memory of 1212	884	wimee.exe	16
PID 884 wrote to memory of 1392	884	wimee.exe	27
PID 884 wrote to memory of 1392	884	wimee.exe	27
PID 884 wrote to memory of 1392	884	wimee.exe	27
PID 884 wrote to memory of 1392	884	wimee.exe	27
PID 884 wrote to memory of 1392	884	wimee.exe	27
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 1392 wrote to memory of 648	1392	9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe	29
PID 884 wrote to memory of 1264	884	wimee.exe	31
PID 884 wrote to memory of 1264	884	wimee.exe	31
PID 884 wrote to memory of 1264	884	wimee.exe	31
PID 884 wrote to memory of 1264	884	wimee.exe	31
PID 884 wrote to memory of 1264	884	wimee.exe	31
PID 884 wrote to memory of 1252	884	wimee.exe	32
PID 884 wrote to memory of 1252	884	wimee.exe	32
PID 884 wrote to memory of 1252	884	wimee.exe	32
PID 884 wrote to memory of 1252	884	wimee.exe	32
PID 884 wrote to memory of 1252	884	wimee.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe
  "C:\Users\Admin\AppData\Local\Temp\9d7e92b946e9fcce820470d8d6c57ca8ca2f6f76f4b95c5583fdd56fceb16b97.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Roaming\Luroev\wimee.exe
    "C:\Users\Admin\AppData\Roaming\Luroev\wimee.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp978954d9.bat"
    3⤵
    - Deletes itself
    PID:648

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp978954d9.bat

Filesize
307B

MD5
42f703ee080a0b0c532ee89db68fe052

SHA1
49b8d515a44289a706d99f7c4f5bdf9b13e2a847

SHA256
53cdeb8c7ff4d7901c8224fccfd8ef71ea3d8c598fee63ec6f711508001d730e

SHA512
bac066eb0d45c36d65d5605006b967fed87ced60427e73541e392fc7e6055531af99a513e2b312432a103e24bf0ddc92eb77df0bd99eecc4d39db419b39c8616

Download Submit
C:\Users\Admin\AppData\Roaming\Bupoci\neda.ylo

Filesize
398B

MD5
f2e6da19f3bc53bfcd1a9ddf01619f1d

SHA1
5655dd08889774bbf44f8cb38b9dd3b12b11d62e

SHA256
cfa49222f51a26a8ca945b424fd5d9c92bdbb5e40f26dc5d4426419276babe6c

SHA512
ff801d150617a8a2ec0b00b643e3a4fd5993965f2b2c7e3920f3969fa2af2711c4c2a3f6c53c690fe4718fd1b09b95478dfcc341f96ad99d59de6c92efc7fd63

Download Submit
C:\Users\Admin\AppData\Roaming\Luroev\wimee.exe

Filesize
93KB

MD5
ad9cbbdb1f5a4fd7e45226467f5bfa94

SHA1
340c5154798c5d1d388039515212eb0a9b5614aa

SHA256
6e26d558f4c849f4d637187166320cd01c9ecf717c47613010846d4a8bbe66d5

SHA512
60f6a6482b937b0251ad3e9ba4c37f54c8fcc63cff4cb8387dd818b46cd860cbecc68b67e90b4c4fe78dcddec3ea9c8645e669ee602773600bc9a6c6f85f48be

Download Submit
C:\Users\Admin\AppData\Roaming\Luroev\wimee.exe

Filesize
93KB

MD5
ad9cbbdb1f5a4fd7e45226467f5bfa94

SHA1
340c5154798c5d1d388039515212eb0a9b5614aa

SHA256
6e26d558f4c849f4d637187166320cd01c9ecf717c47613010846d4a8bbe66d5

SHA512
60f6a6482b937b0251ad3e9ba4c37f54c8fcc63cff4cb8387dd818b46cd860cbecc68b67e90b4c4fe78dcddec3ea9c8645e669ee602773600bc9a6c6f85f48be

Download Submit
\Users\Admin\AppData\Roaming\Luroev\wimee.exe

Filesize
93KB

MD5
ad9cbbdb1f5a4fd7e45226467f5bfa94

SHA1
340c5154798c5d1d388039515212eb0a9b5614aa

SHA256
6e26d558f4c849f4d637187166320cd01c9ecf717c47613010846d4a8bbe66d5

SHA512
60f6a6482b937b0251ad3e9ba4c37f54c8fcc63cff4cb8387dd818b46cd860cbecc68b67e90b4c4fe78dcddec3ea9c8645e669ee602773600bc9a6c6f85f48be

Download Submit
\Users\Admin\AppData\Roaming\Luroev\wimee.exe

Filesize
93KB

MD5
ad9cbbdb1f5a4fd7e45226467f5bfa94

SHA1
340c5154798c5d1d388039515212eb0a9b5614aa

SHA256
6e26d558f4c849f4d637187166320cd01c9ecf717c47613010846d4a8bbe66d5

SHA512
60f6a6482b937b0251ad3e9ba4c37f54c8fcc63cff4cb8387dd818b46cd860cbecc68b67e90b4c4fe78dcddec3ea9c8645e669ee602773600bc9a6c6f85f48be

Download Submit
memory/648-91-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/648-97-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/648-92-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/648-90-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/648-88-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1120-63-0x0000000001C20000-0x0000000001C3A000-memory.dmp

Filesize
104KB

Download
memory/1120-64-0x0000000001C20000-0x0000000001C3A000-memory.dmp

Filesize
104KB

Download
memory/1120-61-0x0000000001C20000-0x0000000001C3A000-memory.dmp

Filesize
104KB

Download
memory/1120-66-0x0000000001C20000-0x0000000001C3A000-memory.dmp

Filesize
104KB

Download
memory/1120-65-0x0000000001C20000-0x0000000001C3A000-memory.dmp

Filesize
104KB

Download
memory/1176-71-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1176-72-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1176-69-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1176-70-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1212-78-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/1212-77-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/1212-76-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/1212-75-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/1252-109-0x0000000003B50000-0x0000000003B6A000-memory.dmp

Filesize
104KB

Download
memory/1252-108-0x0000000003B50000-0x0000000003B6A000-memory.dmp

Filesize
104KB

Download
memory/1252-107-0x0000000003B50000-0x0000000003B6A000-memory.dmp

Filesize
104KB

Download
memory/1252-106-0x0000000003B50000-0x0000000003B6A000-memory.dmp

Filesize
104KB

Download
memory/1264-102-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1264-100-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1264-101-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1264-103-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1392-81-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1392-94-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1392-84-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1392-83-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1392-82-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download