b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 14:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Size

226KB
MD5

79f875dc26c65118f42685d840f3b3d2
SHA1

4fe505c46fab53e06694c69f3fd96c638f763d6a
SHA256

b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921
SHA512

708704308f0c479e8d43ae4a4b792a6788b7253ad4aa9b482698a9f760ce53e312390c55f617ef77558bf5bf307b1fdb580324e0660f23f82da1ee2f540d8a80
SSDEEP

6144:y1UDbH3ddnSueE5DsqGYIKeOUJOAOO8IucPK4jr:DDbHtIVE5QLYIKBUJO5XZgK4n

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	delu.exe

Deletes itself 1 IoCs

pid	Process
812	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	delu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pocounomn = "C:\\Users\\Admin\\AppData\\Roaming\\Piocte\\delu.exe"	delu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5520083D-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe
1144	delu.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeSecurityPrivilege	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
Token: SeManageVolumePrivilege	1796	WinMail.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe
Token: SeSecurityPrivilege	812	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1796	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
1144	delu.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1144	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	27
PID 1760 wrote to memory of 1144	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	27
PID 1760 wrote to memory of 1144	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	27
PID 1760 wrote to memory of 1144	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	27
PID 1144 wrote to memory of 1112	1144	delu.exe	17
PID 1144 wrote to memory of 1112	1144	delu.exe	17
PID 1144 wrote to memory of 1112	1144	delu.exe	17
PID 1144 wrote to memory of 1112	1144	delu.exe	17
PID 1144 wrote to memory of 1112	1144	delu.exe	17
PID 1144 wrote to memory of 1176	1144	delu.exe	16
PID 1144 wrote to memory of 1176	1144	delu.exe	16
PID 1144 wrote to memory of 1176	1144	delu.exe	16
PID 1144 wrote to memory of 1176	1144	delu.exe	16
PID 1144 wrote to memory of 1176	1144	delu.exe	16
PID 1144 wrote to memory of 1204	1144	delu.exe	15
PID 1144 wrote to memory of 1204	1144	delu.exe	15
PID 1144 wrote to memory of 1204	1144	delu.exe	15
PID 1144 wrote to memory of 1204	1144	delu.exe	15
PID 1144 wrote to memory of 1204	1144	delu.exe	15
PID 1144 wrote to memory of 1760	1144	delu.exe	26
PID 1144 wrote to memory of 1760	1144	delu.exe	26
PID 1144 wrote to memory of 1760	1144	delu.exe	26
PID 1144 wrote to memory of 1760	1144	delu.exe	26
PID 1144 wrote to memory of 1760	1144	delu.exe	26
PID 1144 wrote to memory of 1796	1144	delu.exe	28
PID 1144 wrote to memory of 1796	1144	delu.exe	28
PID 1144 wrote to memory of 1796	1144	delu.exe	28
PID 1144 wrote to memory of 1796	1144	delu.exe	28
PID 1144 wrote to memory of 1796	1144	delu.exe	28
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1760 wrote to memory of 812	1760	b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe	29
PID 1144 wrote to memory of 1704	1144	delu.exe	30
PID 1144 wrote to memory of 1704	1144	delu.exe	30
PID 1144 wrote to memory of 1704	1144	delu.exe	30
PID 1144 wrote to memory of 1704	1144	delu.exe	30
PID 1144 wrote to memory of 1704	1144	delu.exe	30
PID 1144 wrote to memory of 1576	1144	delu.exe	32
PID 1144 wrote to memory of 1576	1144	delu.exe	32
PID 1144 wrote to memory of 1576	1144	delu.exe	32
PID 1144 wrote to memory of 1576	1144	delu.exe	32
PID 1144 wrote to memory of 1576	1144	delu.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe
  "C:\Users\Admin\AppData\Local\Temp\b4ec602eceb647459a5948bffc253e5a01594d2bc8f5ed916a470c6afc070921.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Piocte\delu.exe
    "C:\Users\Admin\AppData\Roaming\Piocte\delu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3d51a36a.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3d51a36a.bat

Filesize
307B

MD5
9b7fee01db32b5279f33b79558de56dd

SHA1
47d5360e4c44f758b9945bf890e4b618a9e75d0b

SHA256
b76dd1e6c0ba75118bb3da834cc8f1ad77898b2e8e551580f20b85a9da7f2b30

SHA512
b5b422f69d1c129ab7b3ae5b5f8de8939f43f0430d405f4554059597569a22f006dab62ad517437e3795e37e9928c43e8ad6f91d020cca1d0d655edc20ee6052

Download Submit
C:\Users\Admin\AppData\Roaming\Piocte\delu.exe

Filesize
226KB

MD5
abce4d3befeb0ccea2ad4c328a22f57f

SHA1
18bb24bde157528f6510c759ba99339a2cf4d29f

SHA256
a4734eb42db36d50b7d7b10b857ac52a1211216a35f9782df9ee7a558e19b0c0

SHA512
35de97f5cd4792402c95f902886c988d5128e886f1f623808d8d6c777ea184244320821506cdf013d1ac77d5f367851a47631aed55a42ae487c7f336caf3dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\Piocte\delu.exe

Filesize
226KB

MD5
abce4d3befeb0ccea2ad4c328a22f57f

SHA1
18bb24bde157528f6510c759ba99339a2cf4d29f

SHA256
a4734eb42db36d50b7d7b10b857ac52a1211216a35f9782df9ee7a558e19b0c0

SHA512
35de97f5cd4792402c95f902886c988d5128e886f1f623808d8d6c777ea184244320821506cdf013d1ac77d5f367851a47631aed55a42ae487c7f336caf3dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\Woxie\esdi.rou

Filesize
4KB

MD5
5fcd841951d052ad8a35d4f0d34a2b65

SHA1
cfb141d82e53e0bb65de992b654ef2d1689f350c

SHA256
26109a39625f1e92946bfbd900136d8d67f02ddb3d1dfc14f78cfd7a3deb8099

SHA512
1eeb2c30e81c6ab8a6d41449044b2711875df38840173c96542e80c7c8b5f6138d62ccba8da82b4e0f74baee7a99d1ae25816a09f0bb4a62c40fee2959bf5ed2

Download Submit
\Users\Admin\AppData\Roaming\Piocte\delu.exe

Filesize
226KB

MD5
abce4d3befeb0ccea2ad4c328a22f57f

SHA1
18bb24bde157528f6510c759ba99339a2cf4d29f

SHA256
a4734eb42db36d50b7d7b10b857ac52a1211216a35f9782df9ee7a558e19b0c0

SHA512
35de97f5cd4792402c95f902886c988d5128e886f1f623808d8d6c777ea184244320821506cdf013d1ac77d5f367851a47631aed55a42ae487c7f336caf3dfb9

Download Submit
memory/812-134-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-138-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-136-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-120-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-185-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-132-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-130-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-125-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-124-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-123-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/812-259-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/1112-75-0x0000000001CD0000-0x0000000001D0C000-memory.dmp

Filesize
240KB

Download
memory/1112-70-0x0000000001CD0000-0x0000000001D0C000-memory.dmp

Filesize
240KB

Download
memory/1112-72-0x0000000001CD0000-0x0000000001D0C000-memory.dmp

Filesize
240KB

Download
memory/1112-73-0x0000000001CD0000-0x0000000001D0C000-memory.dmp

Filesize
240KB

Download
memory/1112-74-0x0000000001CD0000-0x0000000001D0C000-memory.dmp

Filesize
240KB

Download
memory/1144-187-0x0000000002F90000-0x0000000002FCD000-memory.dmp

Filesize
244KB

Download
memory/1144-189-0x0000000002F90000-0x0000000002FCD000-memory.dmp

Filesize
244KB

Download
memory/1144-193-0x0000000002F90000-0x0000000002FCD000-memory.dmp

Filesize
244KB

Download
memory/1144-102-0x0000000001BD0000-0x0000000001C0D000-memory.dmp

Filesize
244KB

Download
memory/1144-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1144-100-0x00000000022E0000-0x0000000002302000-memory.dmp

Filesize
136KB

Download
memory/1176-79-0x0000000001AD0000-0x0000000001B0C000-memory.dmp

Filesize
240KB

Download
memory/1176-78-0x0000000001AD0000-0x0000000001B0C000-memory.dmp

Filesize
240KB

Download
memory/1176-81-0x0000000001AD0000-0x0000000001B0C000-memory.dmp

Filesize
240KB

Download
memory/1176-80-0x0000000001AD0000-0x0000000001B0C000-memory.dmp

Filesize
240KB

Download
memory/1204-87-0x0000000002A80000-0x0000000002ABC000-memory.dmp

Filesize
240KB

Download
memory/1204-86-0x0000000002A80000-0x0000000002ABC000-memory.dmp

Filesize
240KB

Download
memory/1204-85-0x0000000002A80000-0x0000000002ABC000-memory.dmp

Filesize
240KB

Download
memory/1204-84-0x0000000002A80000-0x0000000002ABC000-memory.dmp

Filesize
240KB

Download
memory/1760-93-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1760-59-0x0000000002170000-0x0000000002192000-memory.dmp

Filesize
136KB

Download
memory/1760-104-0x0000000001BE0000-0x0000000001C1D000-memory.dmp

Filesize
244KB

Download
memory/1760-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1760-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-94-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1760-63-0x0000000001BE0000-0x0000000001C1D000-memory.dmp

Filesize
244KB

Download
memory/1760-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1760-129-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1760-92-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1760-91-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1760-90-0x0000000001BE0000-0x0000000001C1C000-memory.dmp

Filesize
240KB

Download
memory/1796-95-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/1796-114-0x0000000004100000-0x000000000413C000-memory.dmp

Filesize
240KB

Download
memory/1796-115-0x0000000004100000-0x000000000413C000-memory.dmp

Filesize
240KB

Download
memory/1796-117-0x0000000004100000-0x000000000413C000-memory.dmp

Filesize
240KB

Download
memory/1796-116-0x0000000004100000-0x000000000413C000-memory.dmp

Filesize
240KB

Download
memory/1796-106-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/1796-97-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1796-96-0x000007FEFA831000-0x000007FEFA833000-memory.dmp

Filesize
8KB

Download