cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Size

206KB
MD5

a35d45cc93bd866f9a06c75939023cf7
SHA1

d823d0a4bee7d38318ba03842962e25624e8b39f
SHA256

cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d
SHA512

e10e9ea55ac3d3e853380141df1baf541b1ceb07e7acf96f452c42b3fc6e2553c0dd7b08b09599ee19539e014faac16b5e5af15b1ef8fff78683ac079ec336bf
SSDEEP

6144:XEtB2/V0RC1/u2SGuW4o+SJuf/a1zjdHUkNDa3tK:XU8/Vx/u2Ju7lUzjpUEDWt

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	roeqt.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122f9-58.dat	upx
behavioral1/files/0x000a0000000122f9-59.dat	upx
behavioral1/files/0x000a0000000122f9-61.dat	upx
behavioral1/memory/1776-64-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/files/0x000a0000000122f9-66.dat	upx

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	roeqt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{875BD3E4-FED9-42CB-AF9C-C688BF4A42B2} = "C:\\Users\\Admin\\AppData\\Roaming\\Yvap\\roeqt.exe"	roeqt.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	roeqt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	roeqt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6D2E7BA2-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe
1776	roeqt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Token: SeSecurityPrivilege	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Token: SeSecurityPrivilege	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
Token: SeManageVolumePrivilege	568	WinMail.exe
Token: SeSecurityPrivilege	1996	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
568	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1776	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	27
PID 1292 wrote to memory of 1776	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	27
PID 1292 wrote to memory of 1776	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	27
PID 1292 wrote to memory of 1776	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	27
PID 1776 wrote to memory of 1112	1776	roeqt.exe	12
PID 1776 wrote to memory of 1112	1776	roeqt.exe	12
PID 1776 wrote to memory of 1112	1776	roeqt.exe	12
PID 1776 wrote to memory of 1112	1776	roeqt.exe	12
PID 1776 wrote to memory of 1112	1776	roeqt.exe	12
PID 1776 wrote to memory of 1176	1776	roeqt.exe	19
PID 1776 wrote to memory of 1176	1776	roeqt.exe	19
PID 1776 wrote to memory of 1176	1776	roeqt.exe	19
PID 1776 wrote to memory of 1176	1776	roeqt.exe	19
PID 1776 wrote to memory of 1176	1776	roeqt.exe	19
PID 1776 wrote to memory of 1200	1776	roeqt.exe	18
PID 1776 wrote to memory of 1200	1776	roeqt.exe	18
PID 1776 wrote to memory of 1200	1776	roeqt.exe	18
PID 1776 wrote to memory of 1200	1776	roeqt.exe	18
PID 1776 wrote to memory of 1200	1776	roeqt.exe	18
PID 1776 wrote to memory of 1292	1776	roeqt.exe	26
PID 1776 wrote to memory of 1292	1776	roeqt.exe	26
PID 1776 wrote to memory of 1292	1776	roeqt.exe	26
PID 1776 wrote to memory of 1292	1776	roeqt.exe	26
PID 1776 wrote to memory of 1292	1776	roeqt.exe	26
PID 1776 wrote to memory of 568	1776	roeqt.exe	28
PID 1776 wrote to memory of 568	1776	roeqt.exe	28
PID 1776 wrote to memory of 568	1776	roeqt.exe	28
PID 1776 wrote to memory of 568	1776	roeqt.exe	28
PID 1776 wrote to memory of 568	1776	roeqt.exe	28
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1292 wrote to memory of 1996	1292	cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe	29
PID 1776 wrote to memory of 856	1776	roeqt.exe	30
PID 1776 wrote to memory of 856	1776	roeqt.exe	30
PID 1776 wrote to memory of 856	1776	roeqt.exe	30
PID 1776 wrote to memory of 856	1776	roeqt.exe	30
PID 1776 wrote to memory of 856	1776	roeqt.exe	30
PID 1776 wrote to memory of 1080	1776	roeqt.exe	31
PID 1776 wrote to memory of 1080	1776	roeqt.exe	31
PID 1776 wrote to memory of 1080	1776	roeqt.exe	31
PID 1776 wrote to memory of 1080	1776	roeqt.exe	31
PID 1776 wrote to memory of 1080	1776	roeqt.exe	31
PID 1776 wrote to memory of 920	1776	roeqt.exe	32
PID 1776 wrote to memory of 920	1776	roeqt.exe	32
PID 1776 wrote to memory of 920	1776	roeqt.exe	32
PID 1776 wrote to memory of 920	1776	roeqt.exe	32
PID 1776 wrote to memory of 920	1776	roeqt.exe	32
PID 1776 wrote to memory of 1692	1776	roeqt.exe	33
PID 1776 wrote to memory of 1692	1776	roeqt.exe	33
PID 1776 wrote to memory of 1692	1776	roeqt.exe	33
PID 1776 wrote to memory of 1692	1776	roeqt.exe	33
PID 1776 wrote to memory of 1692	1776	roeqt.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe
  "C:\Users\Admin\AppData\Local\Temp\cc4810e3f3278b3b60e99dad5bedb7597e9a70d707b3dbba6e82c49a2e1ef72d.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Roaming\Yvap\roeqt.exe
    "C:\Users\Admin\AppData\Roaming\Yvap\roeqt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8de5fbdd.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "208425040-11842592401660462489-17441910581877473769765504759-1018265139129739885"
1⤵
PID:856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8de5fbdd.bat

Filesize
307B

MD5
ca56b66e79505f27dedbf36e8cc5d209

SHA1
43fb34fd9290affd245ddbb1aa5e62c56242e419

SHA256
a9659b22699e77dfc502a05ad619521d42f16d5207d7771be8e9745daff3385a

SHA512
e73e0b7ad838954c707b716aaf808c83074e3c97cf24b2503ca3512dd4a25ea442f4e3e81c48b069b4206d6b4825ffab91693bf10c76324f623eecb38d4fb0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Fiyv\syota.iwn

Filesize
398B

MD5
f17427f8e178059aa6be3d10d7d40227

SHA1
69b0466bbafef59c5334b1a0895ceb901d7427e5

SHA256
1b1979ad110179e29914c492d4d490ebd18f0028cddb82836a110ee3e19e1865

SHA512
4ed0e1eb07f21113c51c7d855e3f63f422bc63b65d63f6efc6fac7656ad616e10a9ee77b0131937750429dbed76b97693b2b819d96a98f4bcadc506872d34790

Download Submit
C:\Users\Admin\AppData\Roaming\Yvap\roeqt.exe

Filesize
206KB

MD5
532d9a9ce55ec2082a433365ba8c8178

SHA1
e841845be9e6da51631f0858226627ab783ddbea

SHA256
ad49564d3844613092e271591d984481dee6258cfffbfa78f7da016a59d17406

SHA512
ad3a64c01b931509fd8d6b9d69f01684ee32930473c37ceda6091caa79ab9f51d2ed13df66cdf790cecd7982a3fb12f518eab46492123c893426b4d8ac313e28

Download Submit
C:\Users\Admin\AppData\Roaming\Yvap\roeqt.exe

Filesize
206KB

MD5
532d9a9ce55ec2082a433365ba8c8178

SHA1
e841845be9e6da51631f0858226627ab783ddbea

SHA256
ad49564d3844613092e271591d984481dee6258cfffbfa78f7da016a59d17406

SHA512
ad3a64c01b931509fd8d6b9d69f01684ee32930473c37ceda6091caa79ab9f51d2ed13df66cdf790cecd7982a3fb12f518eab46492123c893426b4d8ac313e28

Download Submit
\Users\Admin\AppData\Roaming\Yvap\roeqt.exe

Filesize
206KB

MD5
532d9a9ce55ec2082a433365ba8c8178

SHA1
e841845be9e6da51631f0858226627ab783ddbea

SHA256
ad49564d3844613092e271591d984481dee6258cfffbfa78f7da016a59d17406

SHA512
ad3a64c01b931509fd8d6b9d69f01684ee32930473c37ceda6091caa79ab9f51d2ed13df66cdf790cecd7982a3fb12f518eab46492123c893426b4d8ac313e28

Download Submit
\Users\Admin\AppData\Roaming\Yvap\roeqt.exe

Filesize
206KB

MD5
532d9a9ce55ec2082a433365ba8c8178

SHA1
e841845be9e6da51631f0858226627ab783ddbea

SHA256
ad49564d3844613092e271591d984481dee6258cfffbfa78f7da016a59d17406

SHA512
ad3a64c01b931509fd8d6b9d69f01684ee32930473c37ceda6091caa79ab9f51d2ed13df66cdf790cecd7982a3fb12f518eab46492123c893426b4d8ac313e28

Download Submit
memory/568-110-0x0000000004130000-0x0000000004157000-memory.dmp

Filesize
156KB

Download
memory/568-91-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/568-99-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/568-111-0x0000000004130000-0x0000000004157000-memory.dmp

Filesize
156KB

Download
memory/568-112-0x0000000004130000-0x0000000004157000-memory.dmp

Filesize
156KB

Download
memory/568-93-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/568-92-0x000007FEFB421000-0x000007FEFB423000-memory.dmp

Filesize
8KB

Download
memory/568-109-0x0000000004130000-0x0000000004157000-memory.dmp

Filesize
156KB

Download
memory/856-127-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/856-130-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/856-129-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/856-128-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/1080-136-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/1080-135-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/1112-71-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-67-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-70-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-72-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1112-69-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1176-78-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-77-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-76-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1176-75-0x0000000001AD0000-0x0000000001AF7000-memory.dmp

Filesize
156KB

Download
memory/1200-83-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1200-82-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1200-84-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1200-81-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1292-106-0x0000000001B70000-0x0000000001B93000-memory.dmp

Filesize
140KB

Download
memory/1292-122-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-87-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1292-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-90-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-89-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1292-56-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/1292-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-62-0x00000000021F0000-0x0000000002240000-memory.dmp

Filesize
320KB

Download
memory/1292-63-0x00000000021F0000-0x0000000002240000-memory.dmp

Filesize
320KB

Download
memory/1292-88-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1776-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/1776-131-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1776-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1996-124-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1996-121-0x00000000000635CC-mapping.dmp

Download
memory/1996-120-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1996-119-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1996-118-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1996-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download