facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1

Analysis

max time kernel
152s
max time network
183s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
Size

304KB
MD5

3c0da04705a9b5450498581694e019d0
SHA1

0d2690ebfd559d73568ea1c119c1f4c917c332c6
SHA256

facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1
SHA512

a86a4124c55a0db1fce6a424a654388fc2add2c57f226664ef581bffdb8d079562974bbe15cf01bb72d0b3fc523734b4fe9d599ed5e6546281464e76a8df4be9
SSDEEP

6144:YNfTZ82uLw6ZRPCbWt0xjuPrbYwUW/UZkCGsXQ5VMGAKfv:YBe2WwARCBxKP+SUZkC0TTf

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	efelge.exe

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	efelge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Efelge = "C:\\Users\\Admin\\AppData\\Roaming\\Acyvf\\efelge.exe"	efelge.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe
1676	efelge.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1676	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	28
PID 2036 wrote to memory of 1676	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	28
PID 2036 wrote to memory of 1676	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	28
PID 2036 wrote to memory of 1676	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	28
PID 1676 wrote to memory of 1140	1676	efelge.exe	14
PID 1676 wrote to memory of 1140	1676	efelge.exe	14
PID 1676 wrote to memory of 1140	1676	efelge.exe	14
PID 1676 wrote to memory of 1140	1676	efelge.exe	14
PID 1676 wrote to memory of 1140	1676	efelge.exe	14
PID 1676 wrote to memory of 1240	1676	efelge.exe	13
PID 1676 wrote to memory of 1240	1676	efelge.exe	13
PID 1676 wrote to memory of 1240	1676	efelge.exe	13
PID 1676 wrote to memory of 1240	1676	efelge.exe	13
PID 1676 wrote to memory of 1240	1676	efelge.exe	13
PID 1676 wrote to memory of 1272	1676	efelge.exe	5
PID 1676 wrote to memory of 1272	1676	efelge.exe	5
PID 1676 wrote to memory of 1272	1676	efelge.exe	5
PID 1676 wrote to memory of 1272	1676	efelge.exe	5
PID 1676 wrote to memory of 1272	1676	efelge.exe	5
PID 1676 wrote to memory of 2036	1676	efelge.exe	12
PID 1676 wrote to memory of 2036	1676	efelge.exe	12
PID 1676 wrote to memory of 2036	1676	efelge.exe	12
PID 1676 wrote to memory of 2036	1676	efelge.exe	12
PID 1676 wrote to memory of 2036	1676	efelge.exe	12
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 2036 wrote to memory of 1264	2036	facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe	29
PID 1676 wrote to memory of 1932	1676	efelge.exe	30
PID 1676 wrote to memory of 1932	1676	efelge.exe	30
PID 1676 wrote to memory of 1932	1676	efelge.exe	30
PID 1676 wrote to memory of 1932	1676	efelge.exe	30
PID 1676 wrote to memory of 1932	1676	efelge.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
  "C:\Users\Admin\AppData\Local\Temp\facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Acyvf\efelge.exe
    "C:\Users\Admin\AppData\Roaming\Acyvf\efelge.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\LOY63BB.bat"
    3⤵
    - Deletes itself
    PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-728384917761883586841861277223535049-5377057561785085638-1943288879-76051827"
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOY63BB.bat

Filesize
303B

MD5
0fb7d903c4d52c8da8339c30a88c746e

SHA1
4efad1bdfb4705cd73935ed7f7797de4dff77ae6

SHA256
afcac2c7f3e96eab8ee7108b2bd8d3cf854cee6c54ec7b74af2419450a62a499

SHA512
90be9182284594e56343094cb195ca2892ae004df519f071a573be0a4dc127580458fa1d675c9f7957e2a1218b6764d3c73fb73660d4ef276f9f9df55d52b9c8

Download Submit
C:\Users\Admin\AppData\Roaming\Acyvf\efelge.exe

Filesize
304KB

MD5
2126b89642c0d95f98990ebdabb20cdc

SHA1
710e598456d0418c461b668543a013a8e6a6c7bb

SHA256
7aa2433f706d1d036ce9772502e3da1db0e0433300a4a69b19341a4b79d93c21

SHA512
0840e85472cdb7d5240ef57a7aab7aa30c62a0c4e06fc048183c2b5437451b3721ddeaf3a693f2731ca1f65fa314ab3a0b649a50c972746f05af8957bc6bbde4

Download Submit
C:\Users\Admin\AppData\Roaming\Acyvf\efelge.exe

Filesize
304KB

MD5
2126b89642c0d95f98990ebdabb20cdc

SHA1
710e598456d0418c461b668543a013a8e6a6c7bb

SHA256
7aa2433f706d1d036ce9772502e3da1db0e0433300a4a69b19341a4b79d93c21

SHA512
0840e85472cdb7d5240ef57a7aab7aa30c62a0c4e06fc048183c2b5437451b3721ddeaf3a693f2731ca1f65fa314ab3a0b649a50c972746f05af8957bc6bbde4

Download Submit
\Users\Admin\AppData\Roaming\Acyvf\efelge.exe

Filesize
304KB

MD5
2126b89642c0d95f98990ebdabb20cdc

SHA1
710e598456d0418c461b668543a013a8e6a6c7bb

SHA256
7aa2433f706d1d036ce9772502e3da1db0e0433300a4a69b19341a4b79d93c21

SHA512
0840e85472cdb7d5240ef57a7aab7aa30c62a0c4e06fc048183c2b5437451b3721ddeaf3a693f2731ca1f65fa314ab3a0b649a50c972746f05af8957bc6bbde4

Download Submit
\Users\Admin\AppData\Roaming\Acyvf\efelge.exe

Filesize
304KB

MD5
2126b89642c0d95f98990ebdabb20cdc

SHA1
710e598456d0418c461b668543a013a8e6a6c7bb

SHA256
7aa2433f706d1d036ce9772502e3da1db0e0433300a4a69b19341a4b79d93c21

SHA512
0840e85472cdb7d5240ef57a7aab7aa30c62a0c4e06fc048183c2b5437451b3721ddeaf3a693f2731ca1f65fa314ab3a0b649a50c972746f05af8957bc6bbde4

Download Submit
memory/1140-65-0x0000000001C10000-0x0000000001C59000-memory.dmp

Filesize
292KB

Download
memory/1140-67-0x0000000001C10000-0x0000000001C59000-memory.dmp

Filesize
292KB

Download
memory/1140-68-0x0000000001C10000-0x0000000001C59000-memory.dmp

Filesize
292KB

Download
memory/1140-69-0x0000000001C10000-0x0000000001C59000-memory.dmp

Filesize
292KB

Download
memory/1140-70-0x0000000001C10000-0x0000000001C59000-memory.dmp

Filesize
292KB

Download
memory/1240-75-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1240-73-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1240-76-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1240-74-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1264-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-121-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-112-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1264-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1272-82-0x0000000002B10000-0x0000000002B59000-memory.dmp

Filesize
292KB

Download
memory/1272-81-0x0000000002B10000-0x0000000002B59000-memory.dmp

Filesize
292KB

Download
memory/1272-80-0x0000000002B10000-0x0000000002B59000-memory.dmp

Filesize
292KB

Download
memory/1272-79-0x0000000002B10000-0x0000000002B59000-memory.dmp

Filesize
292KB

Download
memory/1676-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1932-107-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/1932-108-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/1932-110-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/1932-109-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/2036-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-103-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-91-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2036-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-86-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-88-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-87-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-85-0x0000000002000000-0x0000000002049000-memory.dmp

Filesize
292KB

Download
memory/2036-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/2036-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download