9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
Size

298KB
MD5

85a7c11687b99161bc496800fe455aab
SHA1

8461cc1210a97fc792f01d52169ac6d435589db4
SHA256

9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f
SHA512

d0fb10fc3c4019a0d480b30e82646944fa025a58540db802c500b3751c87018bfefe8d54e1b1caccd547cddc338839ca2db2583470da61414dfde19e0c4ecdbc
SSDEEP

6144:S7idiSZdgTnIifnWnp2fl4DFk4c6q4l8S8dufYFkUVxegCyVtI:SGESZdg0ifnG2kF93/8dfZPHPI

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	vyfyi.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1424-54-0x0000000000400000-0x0000000000815000-memory.dmp	upx
behavioral1/files/0x000c00000001230f-57.dat	upx
behavioral1/files/0x000c00000001230f-58.dat	upx
behavioral1/files/0x000c00000001230f-60.dat	upx
behavioral1/files/0x000c00000001230f-62.dat	upx

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	vyfyi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Yhafe\\vyfyi.exe"	vyfyi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe
1340	vyfyi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
Token: SeSecurityPrivilege	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
Token: SeSecurityPrivilege	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1340	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	26
PID 1424 wrote to memory of 1340	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	26
PID 1424 wrote to memory of 1340	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	26
PID 1424 wrote to memory of 1340	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	26
PID 1340 wrote to memory of 1148	1340	vyfyi.exe	13
PID 1340 wrote to memory of 1148	1340	vyfyi.exe	13
PID 1340 wrote to memory of 1148	1340	vyfyi.exe	13
PID 1340 wrote to memory of 1148	1340	vyfyi.exe	13
PID 1340 wrote to memory of 1148	1340	vyfyi.exe	13
PID 1340 wrote to memory of 1224	1340	vyfyi.exe	12
PID 1340 wrote to memory of 1224	1340	vyfyi.exe	12
PID 1340 wrote to memory of 1224	1340	vyfyi.exe	12
PID 1340 wrote to memory of 1224	1340	vyfyi.exe	12
PID 1340 wrote to memory of 1224	1340	vyfyi.exe	12
PID 1340 wrote to memory of 1260	1340	vyfyi.exe	11
PID 1340 wrote to memory of 1260	1340	vyfyi.exe	11
PID 1340 wrote to memory of 1260	1340	vyfyi.exe	11
PID 1340 wrote to memory of 1260	1340	vyfyi.exe	11
PID 1340 wrote to memory of 1260	1340	vyfyi.exe	11
PID 1340 wrote to memory of 1424	1340	vyfyi.exe	25
PID 1340 wrote to memory of 1424	1340	vyfyi.exe	25
PID 1340 wrote to memory of 1424	1340	vyfyi.exe	25
PID 1340 wrote to memory of 1424	1340	vyfyi.exe	25
PID 1340 wrote to memory of 1424	1340	vyfyi.exe	25
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27
PID 1424 wrote to memory of 1776	1424	9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe
  "C:\Users\Admin\AppData\Local\Temp\9c037fc5a1046bb145c44a787972191652706b1108233b7f5601aa556cb1c59f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe
    "C:\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfeaef38e.bat"
    3⤵
    - Deletes itself
    PID:1776

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfeaef38e.bat

Filesize
307B

MD5
980b52e60893d04b818bcf99b0ec4c45

SHA1
042698dc6b2e45402d2a0f8d3c1c4e3cef55ffbb

SHA256
c4316bf416716e38f1774cbaf117ae58e79a6d81cac6557aff8de038f9a9684b

SHA512
595076b91b53e50f2df0c78e1d7496d2092bfd428ca5914340b4ebe2390b9fd85a61b17475e6431e280181ad7597b45376bd2a0584f2a1b415548e30295f0eef

Download Submit
C:\Users\Admin\AppData\Roaming\Anuxhu\keho.igo

Filesize
398B

MD5
08da0c57378a9b798f20e1b8e370730a

SHA1
ac5418ead41f9ea67ad9179154826081c1ce102e

SHA256
8340a9c1b7da6e0f8ae1e7ed62a2693726fb78d23dbae83ac486d0f46ae04412

SHA512
cc187d976231bf3f786f1041ca1991fea810078c982c2881f28fa5b8492549babb94c26ea9456a97d065dbf1f20ce0a76678a7ce993b611b88fb92e485e7c5f2

Download Submit
C:\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe

Filesize
298KB

MD5
1a427fcf33ca4265f98eb953e199c9e4

SHA1
f5e2661d184a1def946db1c413e94abee3e8deac

SHA256
f358f31430a66e381e60c2e484bf411e432c5f8811de7131b9fa9980e1c4f264

SHA512
2b2e8a2b6c49f04f753b2f8474f212220a2673c4f2562c29ec4c942025335c74d3fe4224fd3beb8257c689964ffaf6445349cd01da02a6bc94254ded1b5eb33a

Download Submit
C:\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe

Filesize
298KB

MD5
1a427fcf33ca4265f98eb953e199c9e4

SHA1
f5e2661d184a1def946db1c413e94abee3e8deac

SHA256
f358f31430a66e381e60c2e484bf411e432c5f8811de7131b9fa9980e1c4f264

SHA512
2b2e8a2b6c49f04f753b2f8474f212220a2673c4f2562c29ec4c942025335c74d3fe4224fd3beb8257c689964ffaf6445349cd01da02a6bc94254ded1b5eb33a

Download Submit
\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe

Filesize
298KB

MD5
1a427fcf33ca4265f98eb953e199c9e4

SHA1
f5e2661d184a1def946db1c413e94abee3e8deac

SHA256
f358f31430a66e381e60c2e484bf411e432c5f8811de7131b9fa9980e1c4f264

SHA512
2b2e8a2b6c49f04f753b2f8474f212220a2673c4f2562c29ec4c942025335c74d3fe4224fd3beb8257c689964ffaf6445349cd01da02a6bc94254ded1b5eb33a

Download Submit
\Users\Admin\AppData\Roaming\Yhafe\vyfyi.exe

Filesize
298KB

MD5
1a427fcf33ca4265f98eb953e199c9e4

SHA1
f5e2661d184a1def946db1c413e94abee3e8deac

SHA256
f358f31430a66e381e60c2e484bf411e432c5f8811de7131b9fa9980e1c4f264

SHA512
2b2e8a2b6c49f04f753b2f8474f212220a2673c4f2562c29ec4c942025335c74d3fe4224fd3beb8257c689964ffaf6445349cd01da02a6bc94254ded1b5eb33a

Download Submit
memory/1148-66-0x0000000001D20000-0x0000000001D5D000-memory.dmp

Filesize
244KB

Download
memory/1148-67-0x0000000001D20000-0x0000000001D5D000-memory.dmp

Filesize
244KB

Download
memory/1148-63-0x0000000001D20000-0x0000000001D5D000-memory.dmp

Filesize
244KB

Download
memory/1148-65-0x0000000001D20000-0x0000000001D5D000-memory.dmp

Filesize
244KB

Download
memory/1148-68-0x0000000001D20000-0x0000000001D5D000-memory.dmp

Filesize
244KB

Download
memory/1224-74-0x00000000001C0000-0x00000000001FD000-memory.dmp

Filesize
244KB

Download
memory/1224-73-0x00000000001C0000-0x00000000001FD000-memory.dmp

Filesize
244KB

Download
memory/1224-72-0x00000000001C0000-0x00000000001FD000-memory.dmp

Filesize
244KB

Download
memory/1224-71-0x00000000001C0000-0x00000000001FD000-memory.dmp

Filesize
244KB

Download
memory/1260-78-0x00000000029C0000-0x00000000029FD000-memory.dmp

Filesize
244KB

Download
memory/1260-77-0x00000000029C0000-0x00000000029FD000-memory.dmp

Filesize
244KB

Download
memory/1260-80-0x00000000029C0000-0x00000000029FD000-memory.dmp

Filesize
244KB

Download
memory/1260-79-0x00000000029C0000-0x00000000029FD000-memory.dmp

Filesize
244KB

Download
memory/1340-89-0x0000000000400000-0x0000000000815000-memory.dmp

Filesize
4.1MB

Download
memory/1340-105-0x0000000000400000-0x0000000000815000-memory.dmp

Filesize
4.1MB

Download
memory/1424-90-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1424-100-0x0000000000400000-0x0000000000815000-memory.dmp

Filesize
4.1MB

Download
memory/1424-83-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1424-87-0x0000000002780000-0x0000000002B95000-memory.dmp

Filesize
4.1MB

Download
memory/1424-88-0x0000000002780000-0x0000000002B95000-memory.dmp

Filesize
4.1MB

Download
memory/1424-85-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1424-84-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1424-56-0x0000000000400000-0x0000000000815000-memory.dmp

Filesize
4.1MB

Download
memory/1424-54-0x0000000000400000-0x0000000000815000-memory.dmp

Filesize
4.1MB

Download
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-101-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1424-86-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1776-94-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/1776-96-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/1776-98-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/1776-104-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/1776-97-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download