a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Size

252KB
MD5

ce9b56c4c4e47d05fc99395347388cde
SHA1

191f014a70b17994b997a1fb645e2d5987062713
SHA256

a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9
SHA512

b9b900950d941f4498a2b8ee7e224e965ece1d911d8a7b13ee4640c546a3ba2e728b5805fb7c5b840d07c3c8feef8c2cba388a59de2e8549fde6cb11f74f01bb
SSDEEP

6144:nXCV+v8JGSrN3vyyJ32ZVA+ACDkQozAAIM/KyA:Zv8MS1yOmZVgzAAMyA

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	ypypu.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	ypypu.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	ypypu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xeecofcied = "C:\\Users\\Admin\\AppData\\Roaming\\Yzbyu\\ypypu.exe"	ypypu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe
804	ypypu.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Token: SeSecurityPrivilege	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Token: SeSecurityPrivilege	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Token: SeSecurityPrivilege	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeSecurityPrivilege	1808	cmd.exe
Token: SeManageVolumePrivilege	2024	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 804	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	28
PID 1752 wrote to memory of 804	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	28
PID 1752 wrote to memory of 804	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	28
PID 1752 wrote to memory of 804	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	28
PID 804 wrote to memory of 1116	804	ypypu.exe	13
PID 804 wrote to memory of 1116	804	ypypu.exe	13
PID 804 wrote to memory of 1116	804	ypypu.exe	13
PID 804 wrote to memory of 1116	804	ypypu.exe	13
PID 804 wrote to memory of 1116	804	ypypu.exe	13
PID 804 wrote to memory of 1176	804	ypypu.exe	12
PID 804 wrote to memory of 1176	804	ypypu.exe	12
PID 804 wrote to memory of 1176	804	ypypu.exe	12
PID 804 wrote to memory of 1176	804	ypypu.exe	12
PID 804 wrote to memory of 1176	804	ypypu.exe	12
PID 804 wrote to memory of 1216	804	ypypu.exe	10
PID 804 wrote to memory of 1216	804	ypypu.exe	10
PID 804 wrote to memory of 1216	804	ypypu.exe	10
PID 804 wrote to memory of 1216	804	ypypu.exe	10
PID 804 wrote to memory of 1216	804	ypypu.exe	10
PID 804 wrote to memory of 1752	804	ypypu.exe	11
PID 804 wrote to memory of 1752	804	ypypu.exe	11
PID 804 wrote to memory of 1752	804	ypypu.exe	11
PID 804 wrote to memory of 1752	804	ypypu.exe	11
PID 804 wrote to memory of 1752	804	ypypu.exe	11
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 1752 wrote to memory of 1808	1752	a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe	29
PID 804 wrote to memory of 988	804	ypypu.exe	30
PID 804 wrote to memory of 988	804	ypypu.exe	30
PID 804 wrote to memory of 988	804	ypypu.exe	30
PID 804 wrote to memory of 988	804	ypypu.exe	30
PID 804 wrote to memory of 988	804	ypypu.exe	30
PID 804 wrote to memory of 1984	804	ypypu.exe	31
PID 804 wrote to memory of 1984	804	ypypu.exe	31
PID 804 wrote to memory of 1984	804	ypypu.exe	31
PID 804 wrote to memory of 1984	804	ypypu.exe	31
PID 804 wrote to memory of 1984	804	ypypu.exe	31
PID 804 wrote to memory of 2024	804	ypypu.exe	32
PID 804 wrote to memory of 2024	804	ypypu.exe	32
PID 804 wrote to memory of 2024	804	ypypu.exe	32
PID 804 wrote to memory of 2024	804	ypypu.exe	32
PID 804 wrote to memory of 2024	804	ypypu.exe	32
PID 804 wrote to memory of 1172	804	ypypu.exe	33
PID 804 wrote to memory of 1172	804	ypypu.exe	33
PID 804 wrote to memory of 1172	804	ypypu.exe	33
PID 804 wrote to memory of 1172	804	ypypu.exe	33
PID 804 wrote to memory of 1172	804	ypypu.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe
  "C:\Users\Admin\AppData\Local\Temp\a3b41a1646763a55b4d1530d8cff3444be5a20bf6123bb95f5e396f01f5200e9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe
    "C:\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc41c0042.bat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1430441297-1259150737-1939838869-194547176-1620453395-12226571111803932500-1976251307"
1⤵
PID:988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1984

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ukawd\hymo.uke

Filesize
421B

MD5
110ec89f7c5f59e3b06d836639aa0334

SHA1
e86d7370e552c307a474d1d85ed39d0b613e0aa7

SHA256
e77a559bbd9dc5f82284b7ef3460e1faaee1aab46c972a856e3c2b83ef3b63a6

SHA512
d77f54cb6910d52420eeef64d71025cb25cb59a6e9fe45b9996b2372d5a986587cd2fe3205d50544ce5bbc591e7b0752872a72ed6272b2e10cf17d0310376fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe

Filesize
252KB

MD5
3f514ca96fd8a300ad5b2365ffb79ca9

SHA1
43d6277300c57ae87e3ed7cba2ee494216985bcc

SHA256
7ccf56468c404376c26f028fbcd4c153c8de83a6d6b5285cbf460d94b0f27fa3

SHA512
929bc1aa5c973b3a9ee29e1c5f23acc5b28c68dac80296d914f0a40be8963acb02449bdafcff59185206fb846ee19433a63f28ade320703b6681fc3f43860a67

Download Submit
C:\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe

Filesize
252KB

MD5
3f514ca96fd8a300ad5b2365ffb79ca9

SHA1
43d6277300c57ae87e3ed7cba2ee494216985bcc

SHA256
7ccf56468c404376c26f028fbcd4c153c8de83a6d6b5285cbf460d94b0f27fa3

SHA512
929bc1aa5c973b3a9ee29e1c5f23acc5b28c68dac80296d914f0a40be8963acb02449bdafcff59185206fb846ee19433a63f28ade320703b6681fc3f43860a67

Download Submit
\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe

Filesize
252KB

MD5
3f514ca96fd8a300ad5b2365ffb79ca9

SHA1
43d6277300c57ae87e3ed7cba2ee494216985bcc

SHA256
7ccf56468c404376c26f028fbcd4c153c8de83a6d6b5285cbf460d94b0f27fa3

SHA512
929bc1aa5c973b3a9ee29e1c5f23acc5b28c68dac80296d914f0a40be8963acb02449bdafcff59185206fb846ee19433a63f28ade320703b6681fc3f43860a67

Download Submit
\Users\Admin\AppData\Roaming\Yzbyu\ypypu.exe

Filesize
252KB

MD5
3f514ca96fd8a300ad5b2365ffb79ca9

SHA1
43d6277300c57ae87e3ed7cba2ee494216985bcc

SHA256
7ccf56468c404376c26f028fbcd4c153c8de83a6d6b5285cbf460d94b0f27fa3

SHA512
929bc1aa5c973b3a9ee29e1c5f23acc5b28c68dac80296d914f0a40be8963acb02449bdafcff59185206fb846ee19433a63f28ade320703b6681fc3f43860a67

Download Submit
memory/804-69-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1116-66-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1116-63-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1116-65-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1116-67-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1116-68-0x0000000001CD0000-0x0000000001D12000-memory.dmp

Filesize
264KB

Download
memory/1176-72-0x0000000001C60000-0x0000000001CA2000-memory.dmp

Filesize
264KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA2000-memory.dmp

Filesize
264KB

Download
memory/1176-74-0x0000000001C60000-0x0000000001CA2000-memory.dmp

Filesize
264KB

Download
memory/1176-75-0x0000000001C60000-0x0000000001CA2000-memory.dmp

Filesize
264KB

Download
memory/1216-80-0x0000000002240000-0x0000000002282000-memory.dmp

Filesize
264KB

Download
memory/1216-81-0x0000000002240000-0x0000000002282000-memory.dmp

Filesize
264KB

Download
memory/1216-78-0x0000000002240000-0x0000000002282000-memory.dmp

Filesize
264KB

Download
memory/1216-79-0x0000000002240000-0x0000000002282000-memory.dmp

Filesize
264KB

Download
memory/1752-88-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1752-100-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1752-84-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1752-85-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1752-86-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1752-87-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1752-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1752-89-0x0000000000350000-0x00000000003AD000-memory.dmp

Filesize
372KB

Download
memory/1752-90-0x0000000000350000-0x00000000003AD000-memory.dmp

Filesize
372KB

Download
memory/1752-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1752-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1752-101-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1808-103-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-113-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-98-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-97-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-94-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-96-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-105-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-107-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-109-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-111-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-115-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-117-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-119-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-121-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-123-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-125-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-127-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-129-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-131-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-133-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-227-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1808-234-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download