7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d

Analysis

max time kernel
201s
max time network
199s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe
Size

302KB
MD5

7f76de43cf2481ed9dc310baf3499290
SHA1

68e0bf6c58f32342d84ca90ff80b18829ada5957
SHA256

7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d
SHA512

4140c22014a147a626a5552df22f8cfdb53ffab78000bfb61d6655c6f6010a9c9ce012634f1851b7a8538a70bc4eb601e8f1c11784ba977864a064b8d345f603
SSDEEP

6144:NJaxOE5IKGerVUGAGZp+uDOVcgLUTYBSddc9mnNFJ5pk:N8D5IKGGCyOVcgLJSddtZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
604	foseaj.exe

Deletes itself 1 IoCs

pid	Process
432	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe
1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	foseaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Foseaj = "C:\\Users\\Admin\\AppData\\Roaming\\Piezu\\foseaj.exe"	foseaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe
604	foseaj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 604	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	28
PID 1724 wrote to memory of 604	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	28
PID 1724 wrote to memory of 604	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	28
PID 1724 wrote to memory of 604	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	28
PID 604 wrote to memory of 1108	604	foseaj.exe	19
PID 604 wrote to memory of 1108	604	foseaj.exe	19
PID 604 wrote to memory of 1108	604	foseaj.exe	19
PID 604 wrote to memory of 1108	604	foseaj.exe	19
PID 604 wrote to memory of 1108	604	foseaj.exe	19
PID 604 wrote to memory of 1176	604	foseaj.exe	17
PID 604 wrote to memory of 1176	604	foseaj.exe	17
PID 604 wrote to memory of 1176	604	foseaj.exe	17
PID 604 wrote to memory of 1176	604	foseaj.exe	17
PID 604 wrote to memory of 1176	604	foseaj.exe	17
PID 604 wrote to memory of 1208	604	foseaj.exe	16
PID 604 wrote to memory of 1208	604	foseaj.exe	16
PID 604 wrote to memory of 1208	604	foseaj.exe	16
PID 604 wrote to memory of 1208	604	foseaj.exe	16
PID 604 wrote to memory of 1208	604	foseaj.exe	16
PID 604 wrote to memory of 1724	604	foseaj.exe	18
PID 604 wrote to memory of 1724	604	foseaj.exe	18
PID 604 wrote to memory of 1724	604	foseaj.exe	18
PID 604 wrote to memory of 1724	604	foseaj.exe	18
PID 604 wrote to memory of 1724	604	foseaj.exe	18
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29
PID 1724 wrote to memory of 432	1724	7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe
  "C:\Users\Admin\AppData\Local\Temp\7d52e16ed7aef7f4523b9cb600f234bbfb4853c0b79b1764ee732477c05cd37d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\Piezu\foseaj.exe
    "C:\Users\Admin\AppData\Roaming\Piezu\foseaj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RQLEA1C.bat"
    3⤵
    - Deletes itself
    PID:432

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RQLEA1C.bat

Filesize
303B

MD5
75da31e89436ece12a9e4a79f594ad6a

SHA1
1c0a0ea614158235cbe759fbb41666cacb4be405

SHA256
f9a4592dc8415064dbfbef7d02bb1b06e665247d1713da4faba2fa320cb80b8b

SHA512
8cbccbe3dbd724565c00d9f3f7fa9415c94fdb7727de8b00a190f3c7e703095fa848895f3e81638575d700614eb203309a88bd88b3252839c38424501b51054d

Download Submit
C:\Users\Admin\AppData\Roaming\Piezu\foseaj.exe

Filesize
302KB

MD5
f37a0c43151387c8f1fc9f0d09e3dda8

SHA1
00dd969dc3004f7344ff52bb3ce7b2755a6fae41

SHA256
907231f36afd291a2fd803aac716013d1ad7d4b856bf27d1d52df5977f96e1c9

SHA512
16fe4913aa71bb816f97a553e70efe6458af62507cef712e6ed029ae5405132af2279a75db15e6ff86eafdcf6f4fddb80d34cce4a042bdc33410249093c1a041

Download Submit
C:\Users\Admin\AppData\Roaming\Piezu\foseaj.exe

Filesize
302KB

MD5
f37a0c43151387c8f1fc9f0d09e3dda8

SHA1
00dd969dc3004f7344ff52bb3ce7b2755a6fae41

SHA256
907231f36afd291a2fd803aac716013d1ad7d4b856bf27d1d52df5977f96e1c9

SHA512
16fe4913aa71bb816f97a553e70efe6458af62507cef712e6ed029ae5405132af2279a75db15e6ff86eafdcf6f4fddb80d34cce4a042bdc33410249093c1a041

Download Submit
\Users\Admin\AppData\Roaming\Piezu\foseaj.exe

Filesize
302KB

MD5
f37a0c43151387c8f1fc9f0d09e3dda8

SHA1
00dd969dc3004f7344ff52bb3ce7b2755a6fae41

SHA256
907231f36afd291a2fd803aac716013d1ad7d4b856bf27d1d52df5977f96e1c9

SHA512
16fe4913aa71bb816f97a553e70efe6458af62507cef712e6ed029ae5405132af2279a75db15e6ff86eafdcf6f4fddb80d34cce4a042bdc33410249093c1a041

Download Submit
\Users\Admin\AppData\Roaming\Piezu\foseaj.exe

Filesize
302KB

MD5
f37a0c43151387c8f1fc9f0d09e3dda8

SHA1
00dd969dc3004f7344ff52bb3ce7b2755a6fae41

SHA256
907231f36afd291a2fd803aac716013d1ad7d4b856bf27d1d52df5977f96e1c9

SHA512
16fe4913aa71bb816f97a553e70efe6458af62507cef712e6ed029ae5405132af2279a75db15e6ff86eafdcf6f4fddb80d34cce4a042bdc33410249093c1a041

Download Submit
memory/432-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/432-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/432-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/432-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/432-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/604-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1108-68-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-65-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-67-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-70-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-69-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1208-80-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-82-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-79-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-81-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1724-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-88-0x0000000001F80000-0x0000000001FC9000-memory.dmp

Filesize
292KB

Download
memory/1724-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-103-0x0000000001F80000-0x0000000001FC9000-memory.dmp

Filesize
292KB

Download
memory/1724-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-87-0x0000000001F80000-0x0000000001FC9000-memory.dmp

Filesize
292KB

Download
memory/1724-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1724-86-0x0000000001F80000-0x0000000001FC9000-memory.dmp

Filesize
292KB

Download
memory/1724-85-0x0000000001F80000-0x0000000001FC9000-memory.dmp

Filesize
292KB

Download
memory/1724-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1724-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download