e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe
Size

246KB
MD5

14e27b5cef1d19cfb43f16ddc4dc0276
SHA1

5c95b2fd02db9f2054e77fc01f7ebe00f5edb6ae
SHA256

e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9
SHA512

e7081996dbfdbf5696b6b32c8858804fed106ded03662e974a14ea9f6e72f0c81cdd10f0f32bbf4cfe5cdecf0ca221bf5f95cea56dfe8244f8e8eaf564868df6
SSDEEP

3072:SpORsHfCMAN2Xl/At+KT6gAxeB6lQyuQGel7q1pS/3a45+C+iwQw0:+gSf6YV/IOgAEQOF31EaSh+iXh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2040	inevd.exe
1708	inevd.exe

Deletes itself 1 IoCs

pid	Process
552	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe
984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	inevd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DFC76512-4421-DB88-D414-383F79AC53F5} = "C:\\Users\\Admin\\AppData\\Roaming\\Zuuvru\\inevd.exe"	inevd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 2040 set thread context of 1708	2040	inevd.exe	29

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe
1708	inevd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe
2040	inevd.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 1292 wrote to memory of 984	1292	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	27
PID 984 wrote to memory of 2040	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	28
PID 984 wrote to memory of 2040	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	28
PID 984 wrote to memory of 2040	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	28
PID 984 wrote to memory of 2040	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	28
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 2040 wrote to memory of 1708	2040	inevd.exe	29
PID 984 wrote to memory of 552	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	30
PID 984 wrote to memory of 552	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	30
PID 984 wrote to memory of 552	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	30
PID 984 wrote to memory of 552	984	e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe	30
PID 1708 wrote to memory of 1112	1708	inevd.exe	10
PID 1708 wrote to memory of 1112	1708	inevd.exe	10
PID 1708 wrote to memory of 1112	1708	inevd.exe	10
PID 1708 wrote to memory of 1112	1708	inevd.exe	10
PID 1708 wrote to memory of 1112	1708	inevd.exe	10
PID 1708 wrote to memory of 1176	1708	inevd.exe	9
PID 1708 wrote to memory of 1176	1708	inevd.exe	9
PID 1708 wrote to memory of 1176	1708	inevd.exe	9
PID 1708 wrote to memory of 1176	1708	inevd.exe	9
PID 1708 wrote to memory of 1176	1708	inevd.exe	9
PID 1708 wrote to memory of 1200	1708	inevd.exe	8
PID 1708 wrote to memory of 1200	1708	inevd.exe	8
PID 1708 wrote to memory of 1200	1708	inevd.exe	8
PID 1708 wrote to memory of 1200	1708	inevd.exe	8
PID 1708 wrote to memory of 1200	1708	inevd.exe	8
PID 1708 wrote to memory of 1832	1708	inevd.exe	32
PID 1708 wrote to memory of 1832	1708	inevd.exe	32
PID 1708 wrote to memory of 1832	1708	inevd.exe	32
PID 1708 wrote to memory of 1832	1708	inevd.exe	32
PID 1708 wrote to memory of 1832	1708	inevd.exe	32
PID 1708 wrote to memory of 1092	1708	inevd.exe	33
PID 1708 wrote to memory of 1092	1708	inevd.exe	33
PID 1708 wrote to memory of 1092	1708	inevd.exe	33
PID 1708 wrote to memory of 1092	1708	inevd.exe	33
PID 1708 wrote to memory of 1092	1708	inevd.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe
  "C:\Users\Admin\AppData\Local\Temp\e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe
    "C:\Users\Admin\AppData\Local\Temp\e48add3a9dca4d609c735d3c2c6c9a98c31cfe5892f455b7744904037e1ccfe9.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe
      "C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe
        
        "C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb2312ee3.bat"
      4⤵
      Deletes itself
      PID:552

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb2312ee3.bat

Filesize
307B

MD5
76c6cd084a33819c45ae66d8ef5bc20f

SHA1
7fff42bf02b128439143eacef0d3bef66773aa61

SHA256
b0657a56cd7e6bc710e8346d39c178d739ba1653e7c62e91c5c97fed63cccc66

SHA512
b36298e8b3e98a64df5b44ffc995cb91bd6d61d6aa7372b893d6cca0c9fc0270dd7e9e17beca27442f5013b57c2db9e129df5daaaa17bc3f72ee53bbd288b4eb

Download Submit
C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe

Filesize
246KB

MD5
b4bb011c9534487b3f33254c5c1674b8

SHA1
4e72ae5f65b11abadd471486e2b2bcdfab17594c

SHA256
f35d9df45fafa2daf0ae5b73724e81a7b218c2dc937b4ead55bcf87e961752ac

SHA512
37774bd1b2a608c93392fdac56e14b00a1ff3c315bf1100128e0bf441ec737d470766c2092043114910c6ff6e8f008cb6bb13750704974122175570755971e93

Download Submit
C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe

Filesize
246KB

MD5
b4bb011c9534487b3f33254c5c1674b8

SHA1
4e72ae5f65b11abadd471486e2b2bcdfab17594c

SHA256
f35d9df45fafa2daf0ae5b73724e81a7b218c2dc937b4ead55bcf87e961752ac

SHA512
37774bd1b2a608c93392fdac56e14b00a1ff3c315bf1100128e0bf441ec737d470766c2092043114910c6ff6e8f008cb6bb13750704974122175570755971e93

Download Submit
C:\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe

Filesize
246KB

MD5
b4bb011c9534487b3f33254c5c1674b8

SHA1
4e72ae5f65b11abadd471486e2b2bcdfab17594c

SHA256
f35d9df45fafa2daf0ae5b73724e81a7b218c2dc937b4ead55bcf87e961752ac

SHA512
37774bd1b2a608c93392fdac56e14b00a1ff3c315bf1100128e0bf441ec737d470766c2092043114910c6ff6e8f008cb6bb13750704974122175570755971e93

Download Submit
\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe

Filesize
246KB

MD5
b4bb011c9534487b3f33254c5c1674b8

SHA1
4e72ae5f65b11abadd471486e2b2bcdfab17594c

SHA256
f35d9df45fafa2daf0ae5b73724e81a7b218c2dc937b4ead55bcf87e961752ac

SHA512
37774bd1b2a608c93392fdac56e14b00a1ff3c315bf1100128e0bf441ec737d470766c2092043114910c6ff6e8f008cb6bb13750704974122175570755971e93

Download Submit
\Users\Admin\AppData\Roaming\Zuuvru\inevd.exe

Filesize
246KB

MD5
b4bb011c9534487b3f33254c5c1674b8

SHA1
4e72ae5f65b11abadd471486e2b2bcdfab17594c

SHA256
f35d9df45fafa2daf0ae5b73724e81a7b218c2dc937b4ead55bcf87e961752ac

SHA512
37774bd1b2a608c93392fdac56e14b00a1ff3c315bf1100128e0bf441ec737d470766c2092043114910c6ff6e8f008cb6bb13750704974122175570755971e93

Download Submit
memory/984-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/984-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-65-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/984-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/984-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/984-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1092-119-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1092-118-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1092-116-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1092-117-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1112-92-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-91-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-93-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-89-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-86-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1176-96-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-97-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-98-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-99-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1200-106-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1200-105-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1200-104-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1200-103-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1292-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1708-107-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1708-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1832-110-0x00000000003F0000-0x0000000000417000-memory.dmp

Filesize
156KB

Download
memory/1832-111-0x00000000003F0000-0x0000000000417000-memory.dmp

Filesize
156KB

Download
memory/1832-112-0x00000000003F0000-0x0000000000417000-memory.dmp

Filesize
156KB

Download
memory/1832-113-0x00000000003F0000-0x0000000000417000-memory.dmp

Filesize
156KB

Download
memory/2040-83-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download