868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af

Analysis

max time kernel
238s
max time network
273s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
Size

150KB
MD5

e45bd9921d9f8f7adfe808033e03363c
SHA1

7fb4fe3208006004543839553c044c2bca0e5a23
SHA256

868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af
SHA512

d9046461d0d863dff4be0a3d2b941a583d826e699a0223449959108a55bac036053fb771c2797f1ec06f01625040b7668dd0b9991a9881f324b3e05a79276af0
SSDEEP

3072:7HOY7lFdY557iC5tMMHKHdz6Ul7zE1NYYcYtdd1oJbbdds:7HZ3C57pjrHQ4+rYWr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
268	ehucybs.exe

Loads dropped DLL 2 IoCs

pid	Process
788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	ehucybs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{124A34C9-A7E3-7F56-0EF9-2448AC6ED580} = "C:\\Users\\Admin\\AppData\\Roaming\\Owit\\ehucybs.exe"	ehucybs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe
268	ehucybs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
Token: SeSecurityPrivilege	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
Token: SeSecurityPrivilege	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
Token: SeSecurityPrivilege	336	cmd.exe
Token: SeManageVolumePrivilege	1732	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 268	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	28
PID 788 wrote to memory of 268	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	28
PID 788 wrote to memory of 268	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	28
PID 788 wrote to memory of 268	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	28
PID 268 wrote to memory of 1136	268	ehucybs.exe	17
PID 268 wrote to memory of 1136	268	ehucybs.exe	17
PID 268 wrote to memory of 1136	268	ehucybs.exe	17
PID 268 wrote to memory of 1136	268	ehucybs.exe	17
PID 268 wrote to memory of 1136	268	ehucybs.exe	17
PID 268 wrote to memory of 1184	268	ehucybs.exe	15
PID 268 wrote to memory of 1184	268	ehucybs.exe	15
PID 268 wrote to memory of 1184	268	ehucybs.exe	15
PID 268 wrote to memory of 1184	268	ehucybs.exe	15
PID 268 wrote to memory of 1184	268	ehucybs.exe	15
PID 268 wrote to memory of 1272	268	ehucybs.exe	14
PID 268 wrote to memory of 1272	268	ehucybs.exe	14
PID 268 wrote to memory of 1272	268	ehucybs.exe	14
PID 268 wrote to memory of 1272	268	ehucybs.exe	14
PID 268 wrote to memory of 1272	268	ehucybs.exe	14
PID 268 wrote to memory of 788	268	ehucybs.exe	27
PID 268 wrote to memory of 788	268	ehucybs.exe	27
PID 268 wrote to memory of 788	268	ehucybs.exe	27
PID 268 wrote to memory of 788	268	ehucybs.exe	27
PID 268 wrote to memory of 788	268	ehucybs.exe	27
PID 268 wrote to memory of 868	268	ehucybs.exe	29
PID 268 wrote to memory of 868	268	ehucybs.exe	29
PID 268 wrote to memory of 868	268	ehucybs.exe	29
PID 268 wrote to memory of 868	268	ehucybs.exe	29
PID 268 wrote to memory of 868	268	ehucybs.exe	29
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 788 wrote to memory of 336	788	868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe	30
PID 268 wrote to memory of 1748	268	ehucybs.exe	31
PID 268 wrote to memory of 1748	268	ehucybs.exe	31
PID 268 wrote to memory of 1748	268	ehucybs.exe	31
PID 268 wrote to memory of 1748	268	ehucybs.exe	31
PID 268 wrote to memory of 1748	268	ehucybs.exe	31
PID 268 wrote to memory of 1992	268	ehucybs.exe	32
PID 268 wrote to memory of 1992	268	ehucybs.exe	32
PID 268 wrote to memory of 1992	268	ehucybs.exe	32
PID 268 wrote to memory of 1992	268	ehucybs.exe	32
PID 268 wrote to memory of 1992	268	ehucybs.exe	32
PID 268 wrote to memory of 2040	268	ehucybs.exe	33
PID 268 wrote to memory of 2040	268	ehucybs.exe	33
PID 268 wrote to memory of 2040	268	ehucybs.exe	33
PID 268 wrote to memory of 2040	268	ehucybs.exe	33
PID 268 wrote to memory of 2040	268	ehucybs.exe	33
PID 268 wrote to memory of 1732	268	ehucybs.exe	34
PID 268 wrote to memory of 1732	268	ehucybs.exe	34
PID 268 wrote to memory of 1732	268	ehucybs.exe	34
PID 268 wrote to memory of 1732	268	ehucybs.exe	34
PID 268 wrote to memory of 1732	268	ehucybs.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe
  "C:\Users\Admin\AppData\Local\Temp\868ca7f79b5327da8e800aafa25369bd7d8d41cdad0fa51a7c673323a13330af.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\AppData\Roaming\Owit\ehucybs.exe
    "C:\Users\Admin\AppData\Roaming\Owit\ehucybs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf57d2d01.bat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:336

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "234915277-581817542-14886218611870343312891662854865822025-14192657121612156813"
1⤵
PID:1748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2040

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ange\samypi.oro

Filesize
398B

MD5
c7bfb8e7314ede95f91635a86d9e3491

SHA1
b0ce2df99638082c9cbd63309915ac5ef55d3adb

SHA256
d6e61f26520ba05e74cb5fa4530415d394001015277bea5a202e4cfaa0357461

SHA512
032701f9a0bb778a8e597e7c5fd9fc734c3d05c2238238032f0056a1d754b2dc2ab880fc8c8688c6475bc9645eef01c8fdfbed0601b332797188ecd5066249ec

Download Submit
C:\Users\Admin\AppData\Roaming\Owit\ehucybs.exe

Filesize
150KB

MD5
650a9d5f05b4066f3d765dce63c8b661

SHA1
695c403f807a4e89c07593812468c7c81e7869a5

SHA256
e1faaefe0ab3f07ce9d451c8f3d16410444159d7f9b0f7300914a82b2c98f84e

SHA512
65cee86577bfaaa6fe073be885c1ded4804d1e21591532cac17aee155fcfabcb1e659c76303109775caa4e7c424ce73f57db37db47a85907923a9761f1c090aa

Download Submit
C:\Users\Admin\AppData\Roaming\Owit\ehucybs.exe

Filesize
150KB

MD5
650a9d5f05b4066f3d765dce63c8b661

SHA1
695c403f807a4e89c07593812468c7c81e7869a5

SHA256
e1faaefe0ab3f07ce9d451c8f3d16410444159d7f9b0f7300914a82b2c98f84e

SHA512
65cee86577bfaaa6fe073be885c1ded4804d1e21591532cac17aee155fcfabcb1e659c76303109775caa4e7c424ce73f57db37db47a85907923a9761f1c090aa

Download Submit
\Users\Admin\AppData\Roaming\Owit\ehucybs.exe

Filesize
150KB

MD5
650a9d5f05b4066f3d765dce63c8b661

SHA1
695c403f807a4e89c07593812468c7c81e7869a5

SHA256
e1faaefe0ab3f07ce9d451c8f3d16410444159d7f9b0f7300914a82b2c98f84e

SHA512
65cee86577bfaaa6fe073be885c1ded4804d1e21591532cac17aee155fcfabcb1e659c76303109775caa4e7c424ce73f57db37db47a85907923a9761f1c090aa

Download Submit
\Users\Admin\AppData\Roaming\Owit\ehucybs.exe

Filesize
150KB

MD5
650a9d5f05b4066f3d765dce63c8b661

SHA1
695c403f807a4e89c07593812468c7c81e7869a5

SHA256
e1faaefe0ab3f07ce9d451c8f3d16410444159d7f9b0f7300914a82b2c98f84e

SHA512
65cee86577bfaaa6fe073be885c1ded4804d1e21591532cac17aee155fcfabcb1e659c76303109775caa4e7c424ce73f57db37db47a85907923a9761f1c090aa

Download Submit
memory/268-66-0x0000000001F50000-0x0000000001F92000-memory.dmp

Filesize
264KB

Download
memory/268-96-0x0000000001F50000-0x0000000001F92000-memory.dmp

Filesize
264KB

Download
memory/268-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/336-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/336-107-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/336-128-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/336-115-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/336-109-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/336-110-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/788-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-55-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/788-94-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-59-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/788-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-97-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-56-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/788-89-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-90-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-91-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-92-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/788-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-100-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/868-101-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/868-102-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/868-103-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1136-72-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1136-69-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1136-71-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1136-73-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1136-74-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1184-78-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-79-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-80-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-77-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1272-83-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1272-84-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1272-85-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1272-86-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1732-137-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1732-136-0x000007FEF5E31000-0x000007FEF5E33000-memory.dmp

Filesize
8KB

Download
memory/1732-135-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

Filesize
8KB

Download
memory/1748-119-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1748-121-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1748-120-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1748-118-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1992-125-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/1992-126-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/1992-127-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/1992-124-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/2040-131-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2040-132-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2040-133-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2040-134-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download