1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe
Size

270KB
MD5

8989ee84238b60f0fc843d5c546656bf
SHA1

06d5a2156f27dcc458becd5402fe45e1979173c5
SHA256

1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f
SHA512

48fea39e8a3f9c42ba1d98e17acc758ceb3ab4460a8310096c11c8fc751c212c2faa35887661efea4c67321cf9b88911d2e3a262b7916e7b5db60051a48d2128
SSDEEP

6144:etjpLGqvoArlO+Beic2/pWTxq/fnx7GDrRcJIcxyCq0hzfM:27vo8yVq/PERcHxywM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1288	iczuk.exe

Deletes itself 1 IoCs

pid	Process
360	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe
620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	iczuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Naxuw\\iczuk.exe"	iczuk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe
1288	iczuk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe
1288	iczuk.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1288	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	27
PID 620 wrote to memory of 1288	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	27
PID 620 wrote to memory of 1288	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	27
PID 620 wrote to memory of 1288	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	27
PID 1288 wrote to memory of 1108	1288	iczuk.exe	7
PID 1288 wrote to memory of 1108	1288	iczuk.exe	7
PID 1288 wrote to memory of 1108	1288	iczuk.exe	7
PID 1288 wrote to memory of 1108	1288	iczuk.exe	7
PID 1288 wrote to memory of 1108	1288	iczuk.exe	7
PID 1288 wrote to memory of 1168	1288	iczuk.exe	14
PID 1288 wrote to memory of 1168	1288	iczuk.exe	14
PID 1288 wrote to memory of 1168	1288	iczuk.exe	14
PID 1288 wrote to memory of 1168	1288	iczuk.exe	14
PID 1288 wrote to memory of 1168	1288	iczuk.exe	14
PID 1288 wrote to memory of 1192	1288	iczuk.exe	13
PID 1288 wrote to memory of 1192	1288	iczuk.exe	13
PID 1288 wrote to memory of 1192	1288	iczuk.exe	13
PID 1288 wrote to memory of 1192	1288	iczuk.exe	13
PID 1288 wrote to memory of 1192	1288	iczuk.exe	13
PID 1288 wrote to memory of 620	1288	iczuk.exe	26
PID 1288 wrote to memory of 620	1288	iczuk.exe	26
PID 1288 wrote to memory of 620	1288	iczuk.exe	26
PID 1288 wrote to memory of 620	1288	iczuk.exe	26
PID 1288 wrote to memory of 620	1288	iczuk.exe	26
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28
PID 620 wrote to memory of 360	620	1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe
  "C:\Users\Admin\AppData\Local\Temp\1348df1d2e6b1579a03e3e726e6e74fe664887edfc2a38a9ae8fbe0f34c7368f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe
    "C:\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpba609a57.bat"
    3⤵
    - Deletes itself
    PID:360

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpba609a57.bat

Filesize
307B

MD5
b170dcd3fca018d68a0177df5eea73a7

SHA1
2cb219343bbbf8e6dad42011e5e1f0d45caf4b4f

SHA256
6f87b40a0bd6d89e0979d29146518aa34ffdb98a26f6f935c538cf957f8d8d96

SHA512
91425433c2cab88fb377a1f61bfb45502c30a8cf7109290b54047054c8942af53a607ddffd41f8ffbaa324e1374c7940f0b0c030e6573800ffc9d165ab76f56b

Download Submit
C:\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe

Filesize
270KB

MD5
052657b997d246faf2ee1848cbc6482e

SHA1
a960c60b7ea54ac073f406263852606604114fc8

SHA256
ec9a22d811da6209f63648bd5339511bd10f05a41261382500f8b05c8feb521c

SHA512
1ad75a9b98b3725f3cc9119db9da72865bea893e4ad6db1842e8d5da1940a92bc33736153fbeae826fee6ff012ed40d6d24430b856a8fdf6f5c30d0970067b34

Download Submit
C:\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe

Filesize
270KB

MD5
052657b997d246faf2ee1848cbc6482e

SHA1
a960c60b7ea54ac073f406263852606604114fc8

SHA256
ec9a22d811da6209f63648bd5339511bd10f05a41261382500f8b05c8feb521c

SHA512
1ad75a9b98b3725f3cc9119db9da72865bea893e4ad6db1842e8d5da1940a92bc33736153fbeae826fee6ff012ed40d6d24430b856a8fdf6f5c30d0970067b34

Download Submit
\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe

Filesize
270KB

MD5
052657b997d246faf2ee1848cbc6482e

SHA1
a960c60b7ea54ac073f406263852606604114fc8

SHA256
ec9a22d811da6209f63648bd5339511bd10f05a41261382500f8b05c8feb521c

SHA512
1ad75a9b98b3725f3cc9119db9da72865bea893e4ad6db1842e8d5da1940a92bc33736153fbeae826fee6ff012ed40d6d24430b856a8fdf6f5c30d0970067b34

Download Submit
\Users\Admin\AppData\Roaming\Naxuw\iczuk.exe

Filesize
270KB

MD5
052657b997d246faf2ee1848cbc6482e

SHA1
a960c60b7ea54ac073f406263852606604114fc8

SHA256
ec9a22d811da6209f63648bd5339511bd10f05a41261382500f8b05c8feb521c

SHA512
1ad75a9b98b3725f3cc9119db9da72865bea893e4ad6db1842e8d5da1940a92bc33736153fbeae826fee6ff012ed40d6d24430b856a8fdf6f5c30d0970067b34

Download Submit
memory/360-101-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/360-107-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/360-100-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/360-97-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/360-99-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/620-91-0x0000000001D10000-0x0000000001D56000-memory.dmp

Filesize
280KB

Download
memory/620-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-90-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/620-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-89-0x0000000000380000-0x00000000003C6000-memory.dmp

Filesize
280KB

Download
memory/620-88-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/620-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/620-104-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-83-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/620-84-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/620-85-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/620-86-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/1108-63-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1108-68-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1108-67-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1108-66-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1108-65-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1168-74-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1168-73-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1168-72-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1168-71-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1192-80-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/1192-79-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/1192-78-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/1192-77-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/1288-94-0x00000000004A0000-0x00000000004E6000-memory.dmp

Filesize
280KB

Download
memory/1288-93-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1288-92-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download