ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50

Analysis

max time kernel
151s
max time network
116s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
Size

156KB
MD5

dd363674bca1f38e09a0f876135ac62b
SHA1

db5d188f4e4c2f19acbd5d22b6b121e22a748f45
SHA256

ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50
SHA512

93d2f450e7cacb31f56e03985bd9a4b15599ad20e9b487b96462e5c29694a8837bd356931c50cfd84ca7040f6ae3b4ba8c04c1cbcb321ca3a198962b508f7bc3
SSDEEP

3072:EQX+fUXEuAh/ObiY1mtIMDkqdtAUu1qsPxNQfrVw:8L/Ghqkit5OnurVw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
240	cuzir.exe

Deletes itself 1 IoCs

pid	Process
968	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	cuzir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{84BF87C1-7F35-DB84-43F7-22EC564DEBA5} = "C:\\Users\\Admin\\AppData\\Roaming\\Haycl\\cuzir.exe"	cuzir.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe
240	cuzir.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
Token: SeSecurityPrivilege	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
Token: SeSecurityPrivilege	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 240	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	26
PID 1348 wrote to memory of 240	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	26
PID 1348 wrote to memory of 240	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	26
PID 1348 wrote to memory of 240	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	26
PID 240 wrote to memory of 1104	240	cuzir.exe	9
PID 240 wrote to memory of 1104	240	cuzir.exe	9
PID 240 wrote to memory of 1104	240	cuzir.exe	9
PID 240 wrote to memory of 1104	240	cuzir.exe	9
PID 240 wrote to memory of 1104	240	cuzir.exe	9
PID 240 wrote to memory of 1164	240	cuzir.exe	8
PID 240 wrote to memory of 1164	240	cuzir.exe	8
PID 240 wrote to memory of 1164	240	cuzir.exe	8
PID 240 wrote to memory of 1164	240	cuzir.exe	8
PID 240 wrote to memory of 1164	240	cuzir.exe	8
PID 240 wrote to memory of 1188	240	cuzir.exe	7
PID 240 wrote to memory of 1188	240	cuzir.exe	7
PID 240 wrote to memory of 1188	240	cuzir.exe	7
PID 240 wrote to memory of 1188	240	cuzir.exe	7
PID 240 wrote to memory of 1188	240	cuzir.exe	7
PID 240 wrote to memory of 1348	240	cuzir.exe	13
PID 240 wrote to memory of 1348	240	cuzir.exe	13
PID 240 wrote to memory of 1348	240	cuzir.exe	13
PID 240 wrote to memory of 1348	240	cuzir.exe	13
PID 240 wrote to memory of 1348	240	cuzir.exe	13
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 1348 wrote to memory of 968	1348	ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe	27
PID 240 wrote to memory of 552	240	cuzir.exe	29
PID 240 wrote to memory of 552	240	cuzir.exe	29
PID 240 wrote to memory of 552	240	cuzir.exe	29
PID 240 wrote to memory of 552	240	cuzir.exe	29
PID 240 wrote to memory of 552	240	cuzir.exe	29
PID 240 wrote to memory of 1156	240	cuzir.exe	30
PID 240 wrote to memory of 1156	240	cuzir.exe	30
PID 240 wrote to memory of 1156	240	cuzir.exe	30
PID 240 wrote to memory of 1156	240	cuzir.exe	30
PID 240 wrote to memory of 1156	240	cuzir.exe	30
PID 240 wrote to memory of 1084	240	cuzir.exe	31
PID 240 wrote to memory of 1084	240	cuzir.exe	31
PID 240 wrote to memory of 1084	240	cuzir.exe	31
PID 240 wrote to memory of 1084	240	cuzir.exe	31
PID 240 wrote to memory of 1084	240	cuzir.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe
  "C:\Users\Admin\AppData\Local\Temp\ca24c39f6b9505591bf123eda2040cf5fda7e94a2fcf67e55805db503466ad50.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\Haycl\cuzir.exe
    "C:\Users\Admin\AppData\Roaming\Haycl\cuzir.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5e80249a.bat"
    3⤵
    - Deletes itself
    PID:968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5e80249a.bat

Filesize
307B

MD5
3f202493f7785561fa9ff61f7aba6b29

SHA1
0c74c8d4a4c55479beca05491ae6f929db010bd3

SHA256
b5d3e377aeb7a1bde86a49132c19bc64f207afbc7e6ec3b5948fca787f2e27ab

SHA512
0dba789314e30263ad21eacb9406f11c898f601f1a235780f25a5adea8d5232124d98c13e73a79040bfb85bfde5f980c8fcc7181a54824ce6e0b7a38ab11b610

Download Submit
C:\Users\Admin\AppData\Roaming\Haycl\cuzir.exe

Filesize
156KB

MD5
3fce78a8557df5a7c2fe955eff5217b7

SHA1
266508c5f9ec584d8196d2b2e8e27fad4843c72f

SHA256
5150d9d6ded827a3ba88fd9af58ffda410bb1a1263dda172fa19710eaac669e7

SHA512
b14566f2f8909997e14c429defce6844aec88d0f552bce4c85165a3165fb578f9de610fc79445cabf1e1f18d27eeb64043c25bf77184f72f4c519a521083a7cd

Download Submit
C:\Users\Admin\AppData\Roaming\Haycl\cuzir.exe

Filesize
156KB

MD5
3fce78a8557df5a7c2fe955eff5217b7

SHA1
266508c5f9ec584d8196d2b2e8e27fad4843c72f

SHA256
5150d9d6ded827a3ba88fd9af58ffda410bb1a1263dda172fa19710eaac669e7

SHA512
b14566f2f8909997e14c429defce6844aec88d0f552bce4c85165a3165fb578f9de610fc79445cabf1e1f18d27eeb64043c25bf77184f72f4c519a521083a7cd

Download Submit
C:\Users\Admin\AppData\Roaming\Ubgoi\ivhi.sei

Filesize
398B

MD5
f5a97151048ad621f512c4799f04f3ea

SHA1
f0a98e3aae49e5e6863a5fcd6949fe149bc95f8c

SHA256
294d03a8ef16fbd6b4d9dcad02e32037b81dc1a2249d6ba3746a8b3f39ac56b9

SHA512
4ea80987a636a0cbab534c57c197715f7e683b19728d6fbcedce437e6a49285edc7fc92837805faf8ac53218046a6dc104b8122e456c4865ec2f8e6c5c020409

Download Submit
\Users\Admin\AppData\Roaming\Haycl\cuzir.exe

Filesize
156KB

MD5
3fce78a8557df5a7c2fe955eff5217b7

SHA1
266508c5f9ec584d8196d2b2e8e27fad4843c72f

SHA256
5150d9d6ded827a3ba88fd9af58ffda410bb1a1263dda172fa19710eaac669e7

SHA512
b14566f2f8909997e14c429defce6844aec88d0f552bce4c85165a3165fb578f9de610fc79445cabf1e1f18d27eeb64043c25bf77184f72f4c519a521083a7cd

Download Submit
\Users\Admin\AppData\Roaming\Haycl\cuzir.exe

Filesize
156KB

MD5
3fce78a8557df5a7c2fe955eff5217b7

SHA1
266508c5f9ec584d8196d2b2e8e27fad4843c72f

SHA256
5150d9d6ded827a3ba88fd9af58ffda410bb1a1263dda172fa19710eaac669e7

SHA512
b14566f2f8909997e14c429defce6844aec88d0f552bce4c85165a3165fb578f9de610fc79445cabf1e1f18d27eeb64043c25bf77184f72f4c519a521083a7cd

Download Submit
memory/552-108-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/552-107-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/552-106-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/552-105-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/968-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/968-94-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/968-92-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/968-102-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/968-95-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1084-120-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1084-117-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1084-118-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1084-119-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1104-69-0x0000000000450000-0x0000000000475000-memory.dmp

Filesize
148KB

Download
memory/1104-70-0x0000000000450000-0x0000000000475000-memory.dmp

Filesize
148KB

Download
memory/1104-65-0x0000000000450000-0x0000000000475000-memory.dmp

Filesize
148KB

Download
memory/1104-67-0x0000000000450000-0x0000000000475000-memory.dmp

Filesize
148KB

Download
memory/1104-68-0x0000000000450000-0x0000000000475000-memory.dmp

Filesize
148KB

Download
memory/1156-114-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1156-113-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1156-112-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1156-111-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1164-74-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1164-73-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1164-76-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1164-75-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1188-81-0x0000000002AC0000-0x0000000002AE5000-memory.dmp

Filesize
148KB

Download
memory/1188-79-0x0000000002AC0000-0x0000000002AE5000-memory.dmp

Filesize
148KB

Download
memory/1188-80-0x0000000002AC0000-0x0000000002AE5000-memory.dmp

Filesize
148KB

Download
memory/1188-82-0x0000000002AC0000-0x0000000002AE5000-memory.dmp

Filesize
148KB

Download
memory/1348-86-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1348-99-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-85-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-89-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-87-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-88-0x00000000005B0000-0x00000000005D5000-memory.dmp

Filesize
148KB

Download
memory/1348-56-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-55-0x0000000000401000-0x0000000000420000-memory.dmp

Filesize
124KB

Download