af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d

Analysis

max time kernel
154s
max time network
181s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Size

389KB
MD5

b6f44530923ed01c9d8339cfafca2499
SHA1

b478caf17103ecee9bd78e604f76145b910549ef
SHA256

af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d
SHA512

185990df0173af4e68c7e0f10bb25b81cfa6ff7441254eb1a41b52a9c3a5dedb8681095c06f41442a7a9979ee14cf4526537592022d15460ece13ea60d5230ad
SSDEEP

3072:Pe41fGxM8/R2ljNjbbYewzYS/nnSXjyV8n167SaaHNhXV3+050jIkTHGGrb/SCdK:mAOOeeNbE0SSzO8163F05kxdb965w2Ug

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
564	pezu.exe

Deletes itself 1 IoCs

pid	Process
1568	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	pezu.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	pezu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enmaqozupy = "C:\\Users\\Admin\\AppData\\Roaming\\Qoocd\\pezu.exe"	pezu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2F154496-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe
564	pezu.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeSecurityPrivilege	1568	cmd.exe
Token: SeManageVolumePrivilege	848	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
848	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
848	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
848	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
564	pezu.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 564	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	28
PID 1236 wrote to memory of 564	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	28
PID 1236 wrote to memory of 564	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	28
PID 1236 wrote to memory of 564	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	28
PID 564 wrote to memory of 1116	564	pezu.exe	11
PID 564 wrote to memory of 1116	564	pezu.exe	11
PID 564 wrote to memory of 1116	564	pezu.exe	11
PID 564 wrote to memory of 1116	564	pezu.exe	11
PID 564 wrote to memory of 1116	564	pezu.exe	11
PID 564 wrote to memory of 1172	564	pezu.exe	10
PID 564 wrote to memory of 1172	564	pezu.exe	10
PID 564 wrote to memory of 1172	564	pezu.exe	10
PID 564 wrote to memory of 1172	564	pezu.exe	10
PID 564 wrote to memory of 1172	564	pezu.exe	10
PID 564 wrote to memory of 1196	564	pezu.exe	9
PID 564 wrote to memory of 1196	564	pezu.exe	9
PID 564 wrote to memory of 1196	564	pezu.exe	9
PID 564 wrote to memory of 1196	564	pezu.exe	9
PID 564 wrote to memory of 1196	564	pezu.exe	9
PID 564 wrote to memory of 1236	564	pezu.exe	8
PID 564 wrote to memory of 1236	564	pezu.exe	8
PID 564 wrote to memory of 1236	564	pezu.exe	8
PID 564 wrote to memory of 1236	564	pezu.exe	8
PID 564 wrote to memory of 1236	564	pezu.exe	8
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 1236 wrote to memory of 1568	1236	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	29
PID 564 wrote to memory of 1232	564	pezu.exe	30
PID 564 wrote to memory of 1232	564	pezu.exe	30
PID 564 wrote to memory of 1232	564	pezu.exe	30
PID 564 wrote to memory of 1232	564	pezu.exe	30
PID 564 wrote to memory of 1232	564	pezu.exe	30
PID 564 wrote to memory of 768	564	pezu.exe	31
PID 564 wrote to memory of 768	564	pezu.exe	31
PID 564 wrote to memory of 768	564	pezu.exe	31
PID 564 wrote to memory of 768	564	pezu.exe	31
PID 564 wrote to memory of 768	564	pezu.exe	31
PID 564 wrote to memory of 848	564	pezu.exe	32
PID 564 wrote to memory of 848	564	pezu.exe	32
PID 564 wrote to memory of 848	564	pezu.exe	32
PID 564 wrote to memory of 848	564	pezu.exe	32
PID 564 wrote to memory of 848	564	pezu.exe	32
PID 564 wrote to memory of 1544	564	pezu.exe	33
PID 564 wrote to memory of 1544	564	pezu.exe	33
PID 564 wrote to memory of 1544	564	pezu.exe	33
PID 564 wrote to memory of 1544	564	pezu.exe	33
PID 564 wrote to memory of 1544	564	pezu.exe	33
PID 564 wrote to memory of 1552	564	pezu.exe	34
PID 564 wrote to memory of 1552	564	pezu.exe	34
PID 564 wrote to memory of 1552	564	pezu.exe	34
PID 564 wrote to memory of 1552	564	pezu.exe	34
PID 564 wrote to memory of 1552	564	pezu.exe	34
PID 564 wrote to memory of 1796	564	pezu.exe	35
PID 564 wrote to memory of 1796	564	pezu.exe	35
PID 564 wrote to memory of 1796	564	pezu.exe	35
PID 564 wrote to memory of 1796	564	pezu.exe	35
PID 564 wrote to memory of 1796	564	pezu.exe	35

C:\Users\Admin\AppData\Local\Temp\af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
"C:\Users\Admin\AppData\Local\Temp\af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Roaming\Qoocd\pezu.exe
  "C:\Users\Admin\AppData\Roaming\Qoocd\pezu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp902224d9.bat"
  2⤵
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  PID:1568

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1764198500-14238262041926033190-83834789297287482514512248520632752011694142939"
1⤵
PID:768

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp902224d9.bat

Filesize
307B

MD5
16a498dde2c9db6ee5b618466f6bec41

SHA1
4926aed582bede7fe1fbb01c2843d7b5eee5c534

SHA256
2b7e811f869e67e232de7dc49ce2000eeb3d1ed28048ae9e7184d332dd56cc14

SHA512
0938d3d81b54a6cd27ae539a2b0dfc70210666c68c595723899d5dc6b3716b92d70b34f3e032f2bd1d48cf6793866c330c6b937275e390b112b013c63097c596

Download Submit
C:\Users\Admin\AppData\Roaming\Ipixy\gayxe.ufp

Filesize
421B

MD5
c4266590e7136786c42ffb86380453f3

SHA1
d7dd6dbb8f04290a99196768e6efbb2e6927aa29

SHA256
54f93b3beeac81dbb8f97eec9519fcca9ea94f0bf539408621e7fc38c21fbb8a

SHA512
935a6dbcfeea0aed54edc44d5a1cf5403da756947da0a4517522b152b0af067f1584683f824883d2d73ce8ad887249f6b45c2617cbb38597d36e3127f0579b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Qoocd\pezu.exe

Filesize
389KB

MD5
1a00434009939e7c6b128d9ee5c16dd2

SHA1
9edebed5805164e343e111ae5fcafd4b759fe933

SHA256
5cd48b012876382b8025fc339f6f930e272c29239d431a5f860e4eaae3840c15

SHA512
9785fc0f95eb80cf49393e5aeeefeebd375d700a5eab91ee24c0ad6118409bac7f025fb53c18992d3548f70d13b231b96139483f56cbe53b41f79fb671b590a4

Download Submit
C:\Users\Admin\AppData\Roaming\Qoocd\pezu.exe

Filesize
389KB

MD5
1a00434009939e7c6b128d9ee5c16dd2

SHA1
9edebed5805164e343e111ae5fcafd4b759fe933

SHA256
5cd48b012876382b8025fc339f6f930e272c29239d431a5f860e4eaae3840c15

SHA512
9785fc0f95eb80cf49393e5aeeefeebd375d700a5eab91ee24c0ad6118409bac7f025fb53c18992d3548f70d13b231b96139483f56cbe53b41f79fb671b590a4

Download Submit
\Users\Admin\AppData\Roaming\Qoocd\pezu.exe

Filesize
389KB

MD5
1a00434009939e7c6b128d9ee5c16dd2

SHA1
9edebed5805164e343e111ae5fcafd4b759fe933

SHA256
5cd48b012876382b8025fc339f6f930e272c29239d431a5f860e4eaae3840c15

SHA512
9785fc0f95eb80cf49393e5aeeefeebd375d700a5eab91ee24c0ad6118409bac7f025fb53c18992d3548f70d13b231b96139483f56cbe53b41f79fb671b590a4

Download Submit
\Users\Admin\AppData\Roaming\Qoocd\pezu.exe

Filesize
389KB

MD5
1a00434009939e7c6b128d9ee5c16dd2

SHA1
9edebed5805164e343e111ae5fcafd4b759fe933

SHA256
5cd48b012876382b8025fc339f6f930e272c29239d431a5f860e4eaae3840c15

SHA512
9785fc0f95eb80cf49393e5aeeefeebd375d700a5eab91ee24c0ad6118409bac7f025fb53c18992d3548f70d13b231b96139483f56cbe53b41f79fb671b590a4

Download Submit
memory/564-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/564-66-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/564-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/564-67-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/1116-70-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1116-72-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1116-73-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1116-74-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1116-75-0x0000000001BC0000-0x0000000001BFB000-memory.dmp

Filesize
236KB

Download
memory/1172-81-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1172-79-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1172-80-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1196-88-0x0000000002AA0000-0x0000000002ADB000-memory.dmp

Filesize
236KB

Download
memory/1196-86-0x0000000002AA0000-0x0000000002ADB000-memory.dmp

Filesize
236KB

Download
memory/1196-87-0x0000000002AA0000-0x0000000002ADB000-memory.dmp

Filesize
236KB

Download
memory/1196-85-0x0000000002AA0000-0x0000000002ADB000-memory.dmp

Filesize
236KB

Download
memory/1236-91-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-111-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-69-0x0000000000370000-0x00000000003D2000-memory.dmp

Filesize
392KB

Download
memory/1236-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1236-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1236-92-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-93-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-94-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-95-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-97-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-99-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-101-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-103-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-105-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-107-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-109-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1236-113-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-119-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-117-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-115-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-121-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-123-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-125-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-128-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-130-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-220-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1236-56-0x0000000000370000-0x00000000003D2000-memory.dmp

Filesize
392KB

Download
memory/1236-55-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/1236-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-234-0x00000000004F0000-0x000000000052B000-memory.dmp

Filesize
236KB

Download
memory/1568-357-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1568-396-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download