dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa

Analysis

max time kernel
152s
max time network
104s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
Size

205KB
MD5

4b02f44d8aa6583d31a83e62e3b7e84c
SHA1

3665f9414ec1b63a5d52eaa8a36310b4fdb94061
SHA256

dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa
SHA512

0a4bc8941d5ea0269765b2a29fc9c9344a8562367df90a7b8675fe64a289d1d5d3bdf929b49bce77d68a443702abaee85a270c5c6536e4811d23d9c4cb7b4c36
SSDEEP

6144:BMTCPmFCRJjhbc2p9xMfDgd0r5Xc0w3sl2D+FIN+omu:VmFCzjefMI5RwbNRmu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
824	etxoi.exe
2040	etxoi.exe

Deletes itself 1 IoCs

pid	Process
1548	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
824	etxoi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	etxoi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E4324064-AB33-0553-3E1C-4A55E74C8C7D} = "C:\\Users\\Admin\\AppData\\Roaming\\Tobe\\etxoi.exe"	etxoi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 824 set thread context of 2040	824	etxoi.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000012353-68.dat	nsis_installer_1
behavioral1/files/0x000b000000012353-68.dat	nsis_installer_2
behavioral1/files/0x000b000000012353-70.dat	nsis_installer_1
behavioral1/files/0x000b000000012353-70.dat	nsis_installer_2
behavioral1/files/0x000b000000012353-72.dat	nsis_installer_1
behavioral1/files/0x000b000000012353-72.dat	nsis_installer_2
behavioral1/files/0x000b000000012353-83.dat	nsis_installer_1
behavioral1/files/0x000b000000012353-83.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe
2040	etxoi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1368 wrote to memory of 1992	1368	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	27
PID 1992 wrote to memory of 824	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	28
PID 1992 wrote to memory of 824	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	28
PID 1992 wrote to memory of 824	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	28
PID 1992 wrote to memory of 824	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	28
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 824 wrote to memory of 2040	824	etxoi.exe	29
PID 2040 wrote to memory of 1260	2040	etxoi.exe	11
PID 2040 wrote to memory of 1260	2040	etxoi.exe	11
PID 2040 wrote to memory of 1260	2040	etxoi.exe	11
PID 2040 wrote to memory of 1260	2040	etxoi.exe	11
PID 2040 wrote to memory of 1260	2040	etxoi.exe	11
PID 2040 wrote to memory of 1396	2040	etxoi.exe	12
PID 2040 wrote to memory of 1396	2040	etxoi.exe	12
PID 2040 wrote to memory of 1396	2040	etxoi.exe	12
PID 2040 wrote to memory of 1396	2040	etxoi.exe	12
PID 2040 wrote to memory of 1396	2040	etxoi.exe	12
PID 2040 wrote to memory of 1424	2040	etxoi.exe	18
PID 2040 wrote to memory of 1424	2040	etxoi.exe	18
PID 2040 wrote to memory of 1424	2040	etxoi.exe	18
PID 2040 wrote to memory of 1424	2040	etxoi.exe	18
PID 2040 wrote to memory of 1424	2040	etxoi.exe	18
PID 2040 wrote to memory of 1992	2040	etxoi.exe	27
PID 2040 wrote to memory of 1992	2040	etxoi.exe	27
PID 2040 wrote to memory of 1992	2040	etxoi.exe	27
PID 2040 wrote to memory of 1992	2040	etxoi.exe	27
PID 2040 wrote to memory of 1992	2040	etxoi.exe	27
PID 1992 wrote to memory of 1548	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	30
PID 1992 wrote to memory of 1548	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	30
PID 1992 wrote to memory of 1548	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	30
PID 1992 wrote to memory of 1548	1992	dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe	30
PID 2040 wrote to memory of 1548	2040	etxoi.exe	30
PID 2040 wrote to memory of 1548	2040	etxoi.exe	30
PID 2040 wrote to memory of 1548	2040	etxoi.exe	30
PID 2040 wrote to memory of 1548	2040	etxoi.exe	30
PID 2040 wrote to memory of 1548	2040	etxoi.exe	30
PID 2040 wrote to memory of 660	2040	etxoi.exe	32
PID 2040 wrote to memory of 660	2040	etxoi.exe	32
PID 2040 wrote to memory of 660	2040	etxoi.exe	32
PID 2040 wrote to memory of 660	2040	etxoi.exe	32
PID 2040 wrote to memory of 660	2040	etxoi.exe	32
PID 2040 wrote to memory of 1252	2040	etxoi.exe	33
PID 2040 wrote to memory of 1252	2040	etxoi.exe	33
PID 2040 wrote to memory of 1252	2040	etxoi.exe	33
PID 2040 wrote to memory of 1252	2040	etxoi.exe	33
PID 2040 wrote to memory of 1252	2040	etxoi.exe	33
PID 2040 wrote to memory of 1860	2040	etxoi.exe	34
PID 2040 wrote to memory of 1860	2040	etxoi.exe	34
PID 2040 wrote to memory of 1860	2040	etxoi.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1396

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
  "C:\Users\Admin\AppData\Local\Temp\dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe97a95aa08ff327228c63634191077673d95ac146ac86e91d94433b3e516aa.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe
      "C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe
        
        "C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5b4a034c.bat"
      4⤵
      Deletes itself
      PID:1548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5b4a034c.bat

Filesize
307B

MD5
8ae7c4abd210647a556aaf447740e356

SHA1
dbbb43c5e51ef8a8bfe1cd8b7f92400ff139a480

SHA256
23f46e7850fccf597521c72d9f5e20d41f3e5ea9f87f35eccf35d8bfaee29f21

SHA512
826005246baa7fd1f5402c7519a3a71fa874dc5fee4884cfdbe61c67e4b800e850888402363f781d6a2a9dbde4994410105011df445a6f033d526ccea846b272

Download Submit
C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe

Filesize
205KB

MD5
13789e534341a6e92a6c7750677fc730

SHA1
16497b122b2fb8fe4a272b5c4771a5e4ae7574f3

SHA256
bd7a629ab70ccb9202910ebbd6a41961406473a3ec479270ae884599dfa9adfb

SHA512
8112ed39ebf7944f79103bac4d246dc3ae9241d4eee514af5e5f6b63b6260079536cf3d3c5fa1f372b25dcf63331638df15caca9582143a06805b30347fd0ff6

Download Submit
C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe

Filesize
205KB

MD5
13789e534341a6e92a6c7750677fc730

SHA1
16497b122b2fb8fe4a272b5c4771a5e4ae7574f3

SHA256
bd7a629ab70ccb9202910ebbd6a41961406473a3ec479270ae884599dfa9adfb

SHA512
8112ed39ebf7944f79103bac4d246dc3ae9241d4eee514af5e5f6b63b6260079536cf3d3c5fa1f372b25dcf63331638df15caca9582143a06805b30347fd0ff6

Download Submit
C:\Users\Admin\AppData\Roaming\Tobe\etxoi.exe

Filesize
205KB

MD5
13789e534341a6e92a6c7750677fc730

SHA1
16497b122b2fb8fe4a272b5c4771a5e4ae7574f3

SHA256
bd7a629ab70ccb9202910ebbd6a41961406473a3ec479270ae884599dfa9adfb

SHA512
8112ed39ebf7944f79103bac4d246dc3ae9241d4eee514af5e5f6b63b6260079536cf3d3c5fa1f372b25dcf63331638df15caca9582143a06805b30347fd0ff6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd511E.tmp\corianders.dll

Filesize
60KB

MD5
e88f48cf3e1fb6233354a4830d1ed325

SHA1
84b87dc2e794ab8e1c3d1db636692ae76465d836

SHA256
420b1f83edc691bebacfef339c23ad7bccd817148949683fc223fc6e99adf090

SHA512
4f2b5547556186c6b56daefa002157423f130706671cada106a5f874d42b178e942cd2e57ec50e70195e7a6dceb67138da75e75124710cebb359c4081a24e573

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF4AD.tmp\corianders.dll

Filesize
60KB

MD5
e88f48cf3e1fb6233354a4830d1ed325

SHA1
84b87dc2e794ab8e1c3d1db636692ae76465d836

SHA256
420b1f83edc691bebacfef339c23ad7bccd817148949683fc223fc6e99adf090

SHA512
4f2b5547556186c6b56daefa002157423f130706671cada106a5f874d42b178e942cd2e57ec50e70195e7a6dceb67138da75e75124710cebb359c4081a24e573

Download Submit
\Users\Admin\AppData\Roaming\Tobe\etxoi.exe

Filesize
205KB

MD5
13789e534341a6e92a6c7750677fc730

SHA1
16497b122b2fb8fe4a272b5c4771a5e4ae7574f3

SHA256
bd7a629ab70ccb9202910ebbd6a41961406473a3ec479270ae884599dfa9adfb

SHA512
8112ed39ebf7944f79103bac4d246dc3ae9241d4eee514af5e5f6b63b6260079536cf3d3c5fa1f372b25dcf63331638df15caca9582143a06805b30347fd0ff6

Download Submit
memory/660-127-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/660-124-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/660-126-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/660-125-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1252-133-0x0000000003A00000-0x0000000003A27000-memory.dmp

Filesize
156KB

Download
memory/1252-130-0x0000000003A00000-0x0000000003A27000-memory.dmp

Filesize
156KB

Download
memory/1252-131-0x0000000003A00000-0x0000000003A27000-memory.dmp

Filesize
156KB

Download
memory/1252-132-0x0000000003A00000-0x0000000003A27000-memory.dmp

Filesize
156KB

Download
memory/1260-91-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1260-88-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1260-89-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1260-90-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1368-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1396-95-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1396-94-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1396-96-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1396-97-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1424-100-0x0000000002210000-0x0000000002237000-memory.dmp

Filesize
156KB

Download
memory/1424-102-0x0000000002210000-0x0000000002237000-memory.dmp

Filesize
156KB

Download
memory/1424-103-0x0000000002210000-0x0000000002237000-memory.dmp

Filesize
156KB

Download
memory/1424-101-0x0000000002210000-0x0000000002237000-memory.dmp

Filesize
156KB

Download
memory/1548-115-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1548-118-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1548-117-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1548-116-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1992-108-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/1992-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-111-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-109-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/1992-107-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/1992-106-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/1992-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-112-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/1992-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1992-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2040-121-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2040-119-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download