c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c

Analysis

max time kernel
250s
max time network
356s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe
Size

295KB
MD5

892ced6dd414eb46e12aab39c8522975
SHA1

90a890c008317c27a57384b6047e7d005a3de3ca
SHA256

c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c
SHA512

9e94b8ed95b1e2d126bda1e9693c7a36d650cd293597e780af2fbb554b4b05d3b28eeed63c1d6a04d2262a92716f29b831adeb58c391106055755e615d5f493d
SSDEEP

6144:1iGtsLTAlqNC+e+1PTG/qm/PgCnmUSFMhl4F+M/oI29kKL:YGtsLst+31PTEn/iUSFM8F+rI2/L

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	utev.exe

Deletes itself 1 IoCs

pid	Process
1964	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe
772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	utev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Cyafa\\utev.exe"	utev.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe
1928	utev.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe
1928	utev.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1928	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	27
PID 772 wrote to memory of 1928	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	27
PID 772 wrote to memory of 1928	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	27
PID 772 wrote to memory of 1928	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	27
PID 1928 wrote to memory of 1124	1928	utev.exe	18
PID 1928 wrote to memory of 1124	1928	utev.exe	18
PID 1928 wrote to memory of 1124	1928	utev.exe	18
PID 1928 wrote to memory of 1124	1928	utev.exe	18
PID 1928 wrote to memory of 1124	1928	utev.exe	18
PID 1928 wrote to memory of 1180	1928	utev.exe	17
PID 1928 wrote to memory of 1180	1928	utev.exe	17
PID 1928 wrote to memory of 1180	1928	utev.exe	17
PID 1928 wrote to memory of 1180	1928	utev.exe	17
PID 1928 wrote to memory of 1180	1928	utev.exe	17
PID 1928 wrote to memory of 1232	1928	utev.exe	16
PID 1928 wrote to memory of 1232	1928	utev.exe	16
PID 1928 wrote to memory of 1232	1928	utev.exe	16
PID 1928 wrote to memory of 1232	1928	utev.exe	16
PID 1928 wrote to memory of 1232	1928	utev.exe	16
PID 1928 wrote to memory of 772	1928	utev.exe	26
PID 1928 wrote to memory of 772	1928	utev.exe	26
PID 1928 wrote to memory of 772	1928	utev.exe	26
PID 1928 wrote to memory of 772	1928	utev.exe	26
PID 1928 wrote to memory of 772	1928	utev.exe	26
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28
PID 772 wrote to memory of 1964	772	c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe
  "C:\Users\Admin\AppData\Local\Temp\c2d19b2bdeb1cccc92245453b37fbb6af5ef516042826116705bf116da86879c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Roaming\Cyafa\utev.exe
    "C:\Users\Admin\AppData\Roaming\Cyafa\utev.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp70952fa3.bat"
    3⤵
    - Deletes itself
    PID:1964

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70952fa3.bat

Filesize
307B

MD5
98522b82ffcbf3bfa380c27bddb486b3

SHA1
ae5673a1d633ad55f8aae1c873e2e66983714403

SHA256
8bf17a47a60449f5b2d960648778393cea89a4a09aee97719d07b9595dd81b28

SHA512
bdc985f273fa85788a2de45dd6482627428cd038503c65a2f053c595b066698bd487862d4972a06c2fd930683b3a92b75b9b8db3ebb8155ed0db9412f6c9d375

Download Submit
C:\Users\Admin\AppData\Roaming\Cyafa\utev.exe

Filesize
295KB

MD5
c5ad8eb11ce878a362f2d613a554f0ff

SHA1
54af9b35f78b23160bb6d05092ee2fbefab57ea4

SHA256
e65f59cb4ea27a0f357c3e3c6c025aa96a7ddef7c6d3c2b392d29ff36518d40d

SHA512
221cceefb51029fac1ab49dbb22e7bfb8af7f4ee2cd1b952fcc1ffd03464f87a14320e28a2dfb100743f37dd7e22078141f1c17b107cd0ac6c80bc81d8f4fb4a

Download Submit
C:\Users\Admin\AppData\Roaming\Cyafa\utev.exe

Filesize
295KB

MD5
c5ad8eb11ce878a362f2d613a554f0ff

SHA1
54af9b35f78b23160bb6d05092ee2fbefab57ea4

SHA256
e65f59cb4ea27a0f357c3e3c6c025aa96a7ddef7c6d3c2b392d29ff36518d40d

SHA512
221cceefb51029fac1ab49dbb22e7bfb8af7f4ee2cd1b952fcc1ffd03464f87a14320e28a2dfb100743f37dd7e22078141f1c17b107cd0ac6c80bc81d8f4fb4a

Download Submit
\Users\Admin\AppData\Roaming\Cyafa\utev.exe

Filesize
295KB

MD5
c5ad8eb11ce878a362f2d613a554f0ff

SHA1
54af9b35f78b23160bb6d05092ee2fbefab57ea4

SHA256
e65f59cb4ea27a0f357c3e3c6c025aa96a7ddef7c6d3c2b392d29ff36518d40d

SHA512
221cceefb51029fac1ab49dbb22e7bfb8af7f4ee2cd1b952fcc1ffd03464f87a14320e28a2dfb100743f37dd7e22078141f1c17b107cd0ac6c80bc81d8f4fb4a

Download Submit
\Users\Admin\AppData\Roaming\Cyafa\utev.exe

Filesize
295KB

MD5
c5ad8eb11ce878a362f2d613a554f0ff

SHA1
54af9b35f78b23160bb6d05092ee2fbefab57ea4

SHA256
e65f59cb4ea27a0f357c3e3c6c025aa96a7ddef7c6d3c2b392d29ff36518d40d

SHA512
221cceefb51029fac1ab49dbb22e7bfb8af7f4ee2cd1b952fcc1ffd03464f87a14320e28a2dfb100743f37dd7e22078141f1c17b107cd0ac6c80bc81d8f4fb4a

Download Submit
memory/772-58-0x0000000000370000-0x00000000003BE000-memory.dmp

Filesize
312KB

Download
memory/772-59-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/772-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/772-57-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/772-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-88-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/772-89-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/772-87-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/772-86-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/772-93-0x00000000004A0000-0x00000000004EE000-memory.dmp

Filesize
312KB

Download
memory/772-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-103-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1124-71-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1124-70-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1124-69-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1180-77-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1180-76-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1180-75-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1180-74-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1232-80-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/1232-82-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/1232-81-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/1232-83-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/1928-92-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1928-90-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1928-91-0x0000000000380000-0x00000000003CE000-memory.dmp

Filesize
312KB

Download
memory/1964-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1964-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1964-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1964-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1964-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download