7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b

Analysis

max time kernel
150s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe
Size

305KB
MD5

a2cf56861a19fb60b552af6b9c86caeb
SHA1

e850f440b54f951c55d3b39c102857b258b3cf26
SHA256

7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b
SHA512

7c6f1951bdd4aa0ac6da5b8d5ed8d6df029ed4845cce9ab4c1485fd93390527e68860ddec58feac43f9085bb8bb9ea539085610b399e15fc79aa49605c5f7858
SSDEEP

6144:EZVQK+tyRnJdaKZfZMSm/JZJVag4y4aRC2/IC0zzisaMJ:EZVt+4RnTZaS0J/4vXa4zqMJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	fekyon.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Puitu\\fekyon.exe"	fekyon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	fekyon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe
2028	fekyon.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe
2028	fekyon.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2028	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	27
PID 1632 wrote to memory of 2028	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	27
PID 1632 wrote to memory of 2028	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	27
PID 1632 wrote to memory of 2028	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	27
PID 2028 wrote to memory of 1116	2028	fekyon.exe	9
PID 2028 wrote to memory of 1116	2028	fekyon.exe	9
PID 2028 wrote to memory of 1116	2028	fekyon.exe	9
PID 2028 wrote to memory of 1116	2028	fekyon.exe	9
PID 2028 wrote to memory of 1116	2028	fekyon.exe	9
PID 2028 wrote to memory of 1180	2028	fekyon.exe	8
PID 2028 wrote to memory of 1180	2028	fekyon.exe	8
PID 2028 wrote to memory of 1180	2028	fekyon.exe	8
PID 2028 wrote to memory of 1180	2028	fekyon.exe	8
PID 2028 wrote to memory of 1180	2028	fekyon.exe	8
PID 2028 wrote to memory of 1268	2028	fekyon.exe	7
PID 2028 wrote to memory of 1268	2028	fekyon.exe	7
PID 2028 wrote to memory of 1268	2028	fekyon.exe	7
PID 2028 wrote to memory of 1268	2028	fekyon.exe	7
PID 2028 wrote to memory of 1268	2028	fekyon.exe	7
PID 2028 wrote to memory of 1632	2028	fekyon.exe	4
PID 2028 wrote to memory of 1632	2028	fekyon.exe	4
PID 2028 wrote to memory of 1632	2028	fekyon.exe	4
PID 2028 wrote to memory of 1632	2028	fekyon.exe	4
PID 2028 wrote to memory of 1632	2028	fekyon.exe	4
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28
PID 1632 wrote to memory of 1160	1632	7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe	28

C:\Users\Admin\AppData\Local\Temp\7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe
"C:\Users\Admin\AppData\Local\Temp\7d8755ce809ad5ac79fcd9ced8eb5babf0e7b563e11046bf44ec01a97d1dce9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\Puitu\fekyon.exe
  "C:\Users\Admin\AppData\Roaming\Puitu\fekyon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0fdf5771.bat"
  2⤵
  - Deletes itself
  PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0fdf5771.bat

Filesize
307B

MD5
11c3d9b8395d82b71ae0bd7e1f5cbeaf

SHA1
a0bb754216d461cadab87cd04be7ff882e9f036d

SHA256
0ba9eb192d40ffcf45bee30b4a80d0fc8c706083045f0209f7a6c100715fcbdb

SHA512
9b9187de68ff1855b7b93baddc790bc024679c3222092582301079fbb9615bb4458f8ddd2105dfb5ad791194ad92c0b6228b200cfc402f3aaabb6b48eb7c0efb

Download Submit
C:\Users\Admin\AppData\Roaming\Puitu\fekyon.exe

Filesize
305KB

MD5
c60af29cbdb6208579630063210e67ba

SHA1
5e21ce4189e5636f90ed5146eac2ea00ac6bc451

SHA256
1e395edd3a302bdd62cc48ef80d0e07c5afcd05b3def4fe40ab4c21180b241a9

SHA512
7eb70169f434fb5541d34f88eec8dc85aa5df6ec4d0e4b60377ca7281f2206fd80a19daa2a7df081dc9fa90e0e3a50ab89ca79e9cb1debb9e1dc83a2b088a39f

Download Submit
C:\Users\Admin\AppData\Roaming\Puitu\fekyon.exe

Filesize
305KB

MD5
c60af29cbdb6208579630063210e67ba

SHA1
5e21ce4189e5636f90ed5146eac2ea00ac6bc451

SHA256
1e395edd3a302bdd62cc48ef80d0e07c5afcd05b3def4fe40ab4c21180b241a9

SHA512
7eb70169f434fb5541d34f88eec8dc85aa5df6ec4d0e4b60377ca7281f2206fd80a19daa2a7df081dc9fa90e0e3a50ab89ca79e9cb1debb9e1dc83a2b088a39f

Download Submit
\Users\Admin\AppData\Roaming\Puitu\fekyon.exe

Filesize
305KB

MD5
c60af29cbdb6208579630063210e67ba

SHA1
5e21ce4189e5636f90ed5146eac2ea00ac6bc451

SHA256
1e395edd3a302bdd62cc48ef80d0e07c5afcd05b3def4fe40ab4c21180b241a9

SHA512
7eb70169f434fb5541d34f88eec8dc85aa5df6ec4d0e4b60377ca7281f2206fd80a19daa2a7df081dc9fa90e0e3a50ab89ca79e9cb1debb9e1dc83a2b088a39f

Download Submit
memory/1116-62-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1116-64-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1116-65-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1116-66-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1116-67-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1160-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-94-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1160-97-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1160-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1160-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-114-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1160-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1160-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1180-71-0x0000000001AF0000-0x0000000001B37000-memory.dmp

Filesize
284KB

Download
memory/1180-70-0x0000000001AF0000-0x0000000001B37000-memory.dmp

Filesize
284KB

Download
memory/1180-72-0x0000000001AF0000-0x0000000001B37000-memory.dmp

Filesize
284KB

Download
memory/1180-73-0x0000000001AF0000-0x0000000001B37000-memory.dmp

Filesize
284KB

Download
memory/1268-79-0x00000000029D0000-0x0000000002A17000-memory.dmp

Filesize
284KB

Download
memory/1268-78-0x00000000029D0000-0x0000000002A17000-memory.dmp

Filesize
284KB

Download
memory/1268-77-0x00000000029D0000-0x0000000002A17000-memory.dmp

Filesize
284KB

Download
memory/1268-76-0x00000000029D0000-0x0000000002A17000-memory.dmp

Filesize
284KB

Download
memory/1632-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-84-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/1632-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-101-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1632-100-0x00000000002C0000-0x0000000000310000-memory.dmp

Filesize
320KB

Download
memory/1632-102-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/1632-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1632-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1632-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-85-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/1632-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-83-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/1632-82-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/2028-104-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2028-103-0x00000000002C0000-0x0000000000310000-memory.dmp

Filesize
320KB

Download
memory/2028-115-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download