7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138

Analysis

max time kernel
187s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe
Size

321KB
MD5

76a493b8d76ef9ad997bcc8ce0d466c7
SHA1

575e8ec2ebcbbfe1163886d64fb16e6f248d5c7a
SHA256

7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138
SHA512

55201d002d00a319dd8e1784aec77b5f3de1ddbc61f9c64e821de0994b9a17062cd1ad8937a613603c4e7ed8c3a89508247fdcf0c1b4cf4975c5e0e8727bc266
SSDEEP

6144:Fl1KJioProMSt9kClgNGU7wh8QuRwSWfGDz/CW0WXjgyCQ/tZK6N7gDCV4/Dt1qi:3UiyoXt9kClIGU7whWwSGUbgxAPN7gmm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1440	waseqe.exe
1528	waseqe.exe

Deletes itself 1 IoCs

pid	Process
1700	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe
1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	waseqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Ycar\\waseqe.exe"	waseqe.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 308 set thread context of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 1440 set thread context of 1528	1440	waseqe.exe	30

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe
1528	waseqe.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 308 wrote to memory of 1216	308	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	28
PID 1216 wrote to memory of 1440	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	29
PID 1216 wrote to memory of 1440	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	29
PID 1216 wrote to memory of 1440	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	29
PID 1216 wrote to memory of 1440	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	29
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1440 wrote to memory of 1528	1440	waseqe.exe	30
PID 1528 wrote to memory of 1120	1528	waseqe.exe	16
PID 1528 wrote to memory of 1120	1528	waseqe.exe	16
PID 1528 wrote to memory of 1120	1528	waseqe.exe	16
PID 1528 wrote to memory of 1120	1528	waseqe.exe	16
PID 1528 wrote to memory of 1120	1528	waseqe.exe	16
PID 1528 wrote to memory of 1196	1528	waseqe.exe	15
PID 1528 wrote to memory of 1196	1528	waseqe.exe	15
PID 1528 wrote to memory of 1196	1528	waseqe.exe	15
PID 1528 wrote to memory of 1196	1528	waseqe.exe	15
PID 1528 wrote to memory of 1196	1528	waseqe.exe	15
PID 1528 wrote to memory of 1224	1528	waseqe.exe	8
PID 1528 wrote to memory of 1224	1528	waseqe.exe	8
PID 1528 wrote to memory of 1224	1528	waseqe.exe	8
PID 1528 wrote to memory of 1224	1528	waseqe.exe	8
PID 1528 wrote to memory of 1224	1528	waseqe.exe	8
PID 1528 wrote to memory of 1216	1528	waseqe.exe	28
PID 1528 wrote to memory of 1216	1528	waseqe.exe	28
PID 1528 wrote to memory of 1216	1528	waseqe.exe	28
PID 1528 wrote to memory of 1216	1528	waseqe.exe	28
PID 1528 wrote to memory of 1216	1528	waseqe.exe	28
PID 1528 wrote to memory of 1700	1528	waseqe.exe	31
PID 1528 wrote to memory of 1700	1528	waseqe.exe	31
PID 1528 wrote to memory of 1700	1528	waseqe.exe	31
PID 1528 wrote to memory of 1700	1528	waseqe.exe	31
PID 1528 wrote to memory of 1700	1528	waseqe.exe	31
PID 1216 wrote to memory of 1700	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	31
PID 1216 wrote to memory of 1700	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	31
PID 1216 wrote to memory of 1700	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	31
PID 1216 wrote to memory of 1700	1216	7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe
  "C:\Users\Admin\AppData\Local\Temp\7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Local\Temp\7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe
    "C:\Users\Admin\AppData\Local\Temp\7a3f49cc0a5af0ee1635c506c8a6256f24a8ebab222650686b95d1d8806cd138.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe
      "C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe
        
        "C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp99858e83.bat"
      4⤵
      Deletes itself
      PID:1700

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp99858e83.bat

Filesize
307B

MD5
e0d58fb4a5148bcad84f12f795b21194

SHA1
7e4fd41ac9bd9d8a12cde1e291015bc5ff3fbed1

SHA256
492f396aaaafe188eadeaf7cb37374c59f20568e8d5ef1c4e5cb38072eb9403f

SHA512
bef302d74b96a9c25a927ed68cbfb59060855bdcae9ab5dbfb717dcbb6caf3a0c89449c8cb1b18342ebdeace5b9f5102c042d15ca7d268a739721ed2ccdcfb57

Download Submit
C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe

Filesize
321KB

MD5
69fa6a3b5c052a43bc2888230b50b45c

SHA1
0f66071a1524683dd0e5e233e4468bd34cdc7c4d

SHA256
cb48c2484229aae3586cda35a817a9b01f8161c828c7c0df6d871e0982bbfc4d

SHA512
2680ed523bdc8b8f70140cbf4260bc11891628f16168a3dfc070ad68f119d388ac6bed1f406daff4ab3e2a3ecb6610fb69bc7f0e3423a0d19abb99675610ca5c

Download Submit
C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe

Filesize
321KB

MD5
69fa6a3b5c052a43bc2888230b50b45c

SHA1
0f66071a1524683dd0e5e233e4468bd34cdc7c4d

SHA256
cb48c2484229aae3586cda35a817a9b01f8161c828c7c0df6d871e0982bbfc4d

SHA512
2680ed523bdc8b8f70140cbf4260bc11891628f16168a3dfc070ad68f119d388ac6bed1f406daff4ab3e2a3ecb6610fb69bc7f0e3423a0d19abb99675610ca5c

Download Submit
C:\Users\Admin\AppData\Roaming\Ycar\waseqe.exe

Filesize
321KB

MD5
69fa6a3b5c052a43bc2888230b50b45c

SHA1
0f66071a1524683dd0e5e233e4468bd34cdc7c4d

SHA256
cb48c2484229aae3586cda35a817a9b01f8161c828c7c0df6d871e0982bbfc4d

SHA512
2680ed523bdc8b8f70140cbf4260bc11891628f16168a3dfc070ad68f119d388ac6bed1f406daff4ab3e2a3ecb6610fb69bc7f0e3423a0d19abb99675610ca5c

Download Submit
\Users\Admin\AppData\Roaming\Ycar\waseqe.exe

Filesize
321KB

MD5
69fa6a3b5c052a43bc2888230b50b45c

SHA1
0f66071a1524683dd0e5e233e4468bd34cdc7c4d

SHA256
cb48c2484229aae3586cda35a817a9b01f8161c828c7c0df6d871e0982bbfc4d

SHA512
2680ed523bdc8b8f70140cbf4260bc11891628f16168a3dfc070ad68f119d388ac6bed1f406daff4ab3e2a3ecb6610fb69bc7f0e3423a0d19abb99675610ca5c

Download Submit
\Users\Admin\AppData\Roaming\Ycar\waseqe.exe

Filesize
321KB

MD5
69fa6a3b5c052a43bc2888230b50b45c

SHA1
0f66071a1524683dd0e5e233e4468bd34cdc7c4d

SHA256
cb48c2484229aae3586cda35a817a9b01f8161c828c7c0df6d871e0982bbfc4d

SHA512
2680ed523bdc8b8f70140cbf4260bc11891628f16168a3dfc070ad68f119d388ac6bed1f406daff4ab3e2a3ecb6610fb69bc7f0e3423a0d19abb99675610ca5c

Download Submit
memory/308-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/308-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1120-89-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/1120-88-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/1120-87-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/1120-86-0x0000000001BE0000-0x0000000001C2C000-memory.dmp

Filesize
304KB

Download
memory/1196-95-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1196-94-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1196-92-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1196-93-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1216-117-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-65-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1216-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-103-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/1216-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1216-118-0x0000000000460000-0x00000000004AC000-memory.dmp

Filesize
304KB

Download
memory/1216-106-0x0000000000460000-0x00000000004AC000-memory.dmp

Filesize
304KB

Download
memory/1216-107-0x0000000000460000-0x00000000004AC000-memory.dmp

Filesize
304KB

Download
memory/1216-109-0x0000000000460000-0x00000000004AC000-memory.dmp

Filesize
304KB

Download
memory/1216-108-0x0000000000460000-0x00000000004AC000-memory.dmp

Filesize
304KB

Download
memory/1224-98-0x0000000002B80000-0x0000000002BCC000-memory.dmp

Filesize
304KB

Download
memory/1224-101-0x0000000002B80000-0x0000000002BCC000-memory.dmp

Filesize
304KB

Download
memory/1224-100-0x0000000002B80000-0x0000000002BCC000-memory.dmp

Filesize
304KB

Download
memory/1224-99-0x0000000002B80000-0x0000000002BCC000-memory.dmp

Filesize
304KB

Download
memory/1440-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1528-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1528-120-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1700-112-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1700-113-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1700-114-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1700-115-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download