0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955

Analysis

max time kernel
187s
max time network
140s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Size

283KB
MD5

9eff4dc732c8793104cf8d670b81da80
SHA1

7b76201b0f57de97706a32931e0a7916e5bf4b8c
SHA256

0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955
SHA512

b96c9e68085fde13bfcc77fe879177a4a34e0267ea20e28554e28275066d188384d9e503687516e51513d81284005258dfcc77749e725f3ac40afd1a17f310c2
SSDEEP

6144:MCSTrIE3jL7cIFbqQPCLheqvJ8iDBvn4nK6MRSlLO+bL:bmjLtBXUheqvGiFv4nK6ASE+H

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1212	epece.exe
1876	epece.exe

Deletes itself 1 IoCs

pid	Process
1528	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	epece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4FE87ECA-A0C1-D679-2170-043925E8D951} = "C:\\Users\\Admin\\AppData\\Roaming\\Adyteh\\epece.exe"	epece.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1212 set thread context of 1876	1212	epece.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\printto\command	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0FE398~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adyteh\\epece.exe,0"	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adyteh\\epece.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\print	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\DefaultIcon	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0FE398~1.EXE \"%1\""	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\printto	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\print\command	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ShellNew\NullFile	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\open	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\DefaultIcon	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\open\command	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\printto\command	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.q	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adyteh\\epece.exe /p \"%1\""	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.q	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ShellNew\NullFile	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\ = "S7 Document"	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0FE398~1.EXE,0"	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0FE398~1.EXE /p \"%1\""	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ = "S7.Document"	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ShellNew	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\ = "S7 Document"	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\print\command	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adyteh\\epece.exe \"%1\""	epece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ = "S7.Document"	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document\shell\open\command	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.q\ShellNew	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S7.Document	epece.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	epece.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	epece.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	epece.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	epece.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	epece.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	epece.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
1212	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe
1876	epece.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Token: SeSecurityPrivilege	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
Token: SeSecurityPrivilege	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
1212	epece.exe
1212	epece.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 1704 wrote to memory of 2004	1704	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	28
PID 2004 wrote to memory of 1212	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	29
PID 2004 wrote to memory of 1212	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	29
PID 2004 wrote to memory of 1212	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	29
PID 2004 wrote to memory of 1212	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	29
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1212 wrote to memory of 1876	1212	epece.exe	30
PID 1876 wrote to memory of 1140	1876	epece.exe	18
PID 1876 wrote to memory of 1140	1876	epece.exe	18
PID 1876 wrote to memory of 1140	1876	epece.exe	18
PID 1876 wrote to memory of 1140	1876	epece.exe	18
PID 1876 wrote to memory of 1140	1876	epece.exe	18
PID 1876 wrote to memory of 1240	1876	epece.exe	17
PID 1876 wrote to memory of 1240	1876	epece.exe	17
PID 1876 wrote to memory of 1240	1876	epece.exe	17
PID 1876 wrote to memory of 1240	1876	epece.exe	17
PID 1876 wrote to memory of 1240	1876	epece.exe	17
PID 1876 wrote to memory of 1272	1876	epece.exe	16
PID 1876 wrote to memory of 1272	1876	epece.exe	16
PID 1876 wrote to memory of 1272	1876	epece.exe	16
PID 1876 wrote to memory of 1272	1876	epece.exe	16
PID 1876 wrote to memory of 1272	1876	epece.exe	16
PID 1876 wrote to memory of 2004	1876	epece.exe	28
PID 1876 wrote to memory of 2004	1876	epece.exe	28
PID 1876 wrote to memory of 2004	1876	epece.exe	28
PID 1876 wrote to memory of 2004	1876	epece.exe	28
PID 1876 wrote to memory of 2004	1876	epece.exe	28
PID 2004 wrote to memory of 1528	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	31
PID 2004 wrote to memory of 1528	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	31
PID 2004 wrote to memory of 1528	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	31
PID 2004 wrote to memory of 1528	2004	0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe	31
PID 1876 wrote to memory of 1528	1876	epece.exe	31
PID 1876 wrote to memory of 1528	1876	epece.exe	31
PID 1876 wrote to memory of 1528	1876	epece.exe	31
PID 1876 wrote to memory of 1528	1876	epece.exe	31
PID 1876 wrote to memory of 1528	1876	epece.exe	31
PID 1876 wrote to memory of 2032	1876	epece.exe	32
PID 1876 wrote to memory of 1544	1876	epece.exe	33
PID 1876 wrote to memory of 1544	1876	epece.exe	33
PID 1876 wrote to memory of 1544	1876	epece.exe	33
PID 1876 wrote to memory of 1544	1876	epece.exe	33
PID 1876 wrote to memory of 1544	1876	epece.exe	33
PID 1876 wrote to memory of 1372	1876	epece.exe	34
PID 1876 wrote to memory of 1372	1876	epece.exe	34
PID 1876 wrote to memory of 1372	1876	epece.exe	34
PID 1876 wrote to memory of 1372	1876	epece.exe	34
PID 1876 wrote to memory of 1372	1876	epece.exe	34

C:\Users\Admin\AppData\Local\Temp\0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
"C:\Users\Admin\AppData\Local\Temp\0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
  C:\Users\Admin\AppData\Local\Temp\0fe398a85a1023353bd221c6089ac7f79dc4dc7a6647ba089662de5387f4a955.exe
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe
    "C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe
      C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdd2119a5.bat"
    3⤵
    - Deletes itself
    PID:1528

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-728384917761883586841861277223535049-5377057561785085638-1943288879-76051827"
1⤵
PID:2032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdd2119a5.bat

Filesize
307B

MD5
620aa4fd977ca3994f238907a589f5d8

SHA1
7f743afd4d45f5cee776ab8606d539ffe9da412f

SHA256
45412fa6d716ea9030def17c20e724a453971a8c529d366ac2a2c8c19fda995c

SHA512
1b312dd09f140b5db14f426e7d665346e598c774f2d1eb5adef6d60300afcb175238527b868f423fbc502c25d9d35d650a31e819a5b122441c6ff2649d4e0a31

Download Submit
C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe

Filesize
283KB

MD5
fd5e0ca27eef9088efc0c31218525bd9

SHA1
93bdd906824c376558a52e8eff679cd543f0c082

SHA256
797d3c1598c35f7d2a1cec95bd5071884f230c171fa8ac954fad153592c41830

SHA512
f6af92aef06874c5e12c972b0b8055dfb317d318bd41b5d732e80f9ba27355ad7d6d82473b39cfd067229eedc74bfeb2ae8de9af944c2c141f9f5174d22baa84

Download Submit
C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe

Filesize
283KB

MD5
fd5e0ca27eef9088efc0c31218525bd9

SHA1
93bdd906824c376558a52e8eff679cd543f0c082

SHA256
797d3c1598c35f7d2a1cec95bd5071884f230c171fa8ac954fad153592c41830

SHA512
f6af92aef06874c5e12c972b0b8055dfb317d318bd41b5d732e80f9ba27355ad7d6d82473b39cfd067229eedc74bfeb2ae8de9af944c2c141f9f5174d22baa84

Download Submit
C:\Users\Admin\AppData\Roaming\Adyteh\epece.exe

Filesize
283KB

MD5
fd5e0ca27eef9088efc0c31218525bd9

SHA1
93bdd906824c376558a52e8eff679cd543f0c082

SHA256
797d3c1598c35f7d2a1cec95bd5071884f230c171fa8ac954fad153592c41830

SHA512
f6af92aef06874c5e12c972b0b8055dfb317d318bd41b5d732e80f9ba27355ad7d6d82473b39cfd067229eedc74bfeb2ae8de9af944c2c141f9f5174d22baa84

Download Submit
C:\Users\Admin\AppData\Roaming\Refof\peve.opd

Filesize
398B

MD5
b9e26a22dbc88e782fbbbb21196681a5

SHA1
11bb09619d5a2efbc334209971f38eda5a93dace

SHA256
024774b6dafebe4b2db8f4e0c94d7d5c9afe241f864e3caa50c48a2b60076cfa

SHA512
48d9ed7d973bbe36017c63ca7b1c97f6e9795b1ef1db7425c7f4e026d7ee478cc8cd205fe1de16f602e94c05d53dd5ebb8e80e905d3c4f3b1c9afb403ef122ad

Download Submit
\Users\Admin\AppData\Roaming\Adyteh\epece.exe

Filesize
283KB

MD5
fd5e0ca27eef9088efc0c31218525bd9

SHA1
93bdd906824c376558a52e8eff679cd543f0c082

SHA256
797d3c1598c35f7d2a1cec95bd5071884f230c171fa8ac954fad153592c41830

SHA512
f6af92aef06874c5e12c972b0b8055dfb317d318bd41b5d732e80f9ba27355ad7d6d82473b39cfd067229eedc74bfeb2ae8de9af944c2c141f9f5174d22baa84

Download Submit
\Users\Admin\AppData\Roaming\Adyteh\epece.exe

Filesize
283KB

MD5
fd5e0ca27eef9088efc0c31218525bd9

SHA1
93bdd906824c376558a52e8eff679cd543f0c082

SHA256
797d3c1598c35f7d2a1cec95bd5071884f230c171fa8ac954fad153592c41830

SHA512
f6af92aef06874c5e12c972b0b8055dfb317d318bd41b5d732e80f9ba27355ad7d6d82473b39cfd067229eedc74bfeb2ae8de9af944c2c141f9f5174d22baa84

Download Submit
memory/1140-90-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-88-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-89-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-87-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1212-82-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1240-96-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-93-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-95-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-94-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1272-100-0x0000000002B10000-0x0000000002B37000-memory.dmp

Filesize
156KB

Download
memory/1272-101-0x0000000002B10000-0x0000000002B37000-memory.dmp

Filesize
156KB

Download
memory/1272-102-0x0000000002B10000-0x0000000002B37000-memory.dmp

Filesize
156KB

Download
memory/1272-99-0x0000000002B10000-0x0000000002B37000-memory.dmp

Filesize
156KB

Download
memory/1372-133-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1372-132-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1372-131-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1372-134-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1528-117-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1528-118-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1528-116-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1528-115-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1544-128-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/1544-125-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/1544-126-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/1544-127-0x0000000003B70000-0x0000000003B97000-memory.dmp

Filesize
156KB

Download
memory/1704-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1876-122-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1876-110-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-112-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-111-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/2004-107-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/2004-108-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/2004-106-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/2004-105-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/2004-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download