b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90

Analysis

max time kernel
165s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Size

204KB
MD5

896bee8216e0354b2dce57cbf95fdcae
SHA1

34bb0f59699b5a70c6e924a6128dbe8c4726fd33
SHA256

b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90
SHA512

e40efb01c47fa08a77985a8151bc75978e19a8a38f51ee12dcfdfd8a932b6920a97999bd1186c01405266d80fab718447d8edf18f649aeaa09e630ed3cfea427
SSDEEP

6144:bcdOSKq1G5JU09zZd6n0xWWq2oM3/wCeeR0AI01Ak:wwi8Ugz+NG/wQvI0

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3540	tafe.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\Currentversion\Run	tafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	tafe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhucm = "C:\\Users\\Admin\\AppData\\Roaming\\Puerf\\tafe.exe"	tafe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2320	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	80

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Privacy	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe
3540	tafe.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3540	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	79
PID 1260 wrote to memory of 3540	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	79
PID 1260 wrote to memory of 3540	1260	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	79
PID 3540 wrote to memory of 2396	3540	tafe.exe	19
PID 3540 wrote to memory of 2396	3540	tafe.exe	19
PID 3540 wrote to memory of 2396	3540	tafe.exe	19
PID 3540 wrote to memory of 2396	3540	tafe.exe	19
PID 3540 wrote to memory of 2396	3540	tafe.exe	19
PID 3540 wrote to memory of 2408	3540	tafe.exe	28
PID 3540 wrote to memory of 2408	3540	tafe.exe	28
PID 3540 wrote to memory of 2408	3540	tafe.exe	28
PID 3540 wrote to memory of 2408	3540	tafe.exe	28
PID 3540 wrote to memory of 2408	3540	tafe.exe	28
PID 3540 wrote to memory of 2572	3540	tafe.exe	41
PID 3540 wrote to memory of 2572	3540	tafe.exe	41
PID 3540 wrote to memory of 2572	3540	tafe.exe	41
PID 3540 wrote to memory of 2572	3540	tafe.exe	41
PID 3540 wrote to memory of 2572	3540	tafe.exe	41
PID 3540 wrote to memory of 2180	3540	tafe.exe	39
PID 3540 wrote to memory of 2180	3540	tafe.exe	39
PID 3540 wrote to memory of 2180	3540	tafe.exe	39
PID 3540 wrote to memory of 2180	3540	tafe.exe	39
PID 3540 wrote to memory of 2180	3540	tafe.exe	39
PID 3540 wrote to memory of 688	3540	tafe.exe	37
PID 3540 wrote to memory of 688	3540	tafe.exe	37
PID 3540 wrote to memory of 688	3540	tafe.exe	37
PID 3540 wrote to memory of 688	3540	tafe.exe	37
PID 3540 wrote to memory of 688	3540	tafe.exe	37
PID 3540 wrote to memory of 3220	3540	tafe.exe	36
PID 3540 wrote to memory of 3220	3540	tafe.exe	36
PID 3540 wrote to memory of 3220	3540	tafe.exe	36
PID 3540 wrote to memory of 3220	3540	tafe.exe	36
PID 3540 wrote to memory of 3220	3540	tafe.exe	36
PID 3540 wrote to memory of 3340	3540	tafe.exe	35
PID 3540 wrote to memory of 3340	3540	tafe.exe	35
PID 3540 wrote to memory of 3340	3540	tafe.exe	35
PID 3540 wrote to memory of 3340	3540	tafe.exe	35
PID 3540 wrote to memory of 3340	3540	tafe.exe	35
PID 3540 wrote to memory of 3404	3540	tafe.exe	33
PID 3540 wrote to memory of 3404	3540	tafe.exe	33
PID 3540 wrote to memory of 3404	3540	tafe.exe	33
PID 3540 wrote to memory of 3404	3540	tafe.exe	33
PID 3540 wrote to memory of 3404	3540	tafe.exe	33
PID 3540 wrote to memory of 3504	3540	tafe.exe	34
PID 3540 wrote to memory of 3504	3540	tafe.exe	34
PID 3540 wrote to memory of 3504	3540	tafe.exe	34
PID 3540 wrote to memory of 3504	3540	tafe.exe	34
PID 3540 wrote to memory of 3504	3540	tafe.exe	34
PID 3540 wrote to memory of 3660	3540	tafe.exe	38
PID 3540 wrote to memory of 3660	3540	tafe.exe	38
PID 3540 wrote to memory of 3660	3540	tafe.exe	38
PID 3540 wrote to memory of 3660	3540	tafe.exe	38
PID 3540 wrote to memory of 3660	3540	tafe.exe	38
PID 3540 wrote to memory of 4660	3540	tafe.exe	51
PID 3540 wrote to memory of 4660	3540	tafe.exe	51
PID 3540 wrote to memory of 4660	3540	tafe.exe	51
PID 3540 wrote to memory of 4660	3540	tafe.exe	51
PID 3540 wrote to memory of 4660	3540	tafe.exe	51
PID 3540 wrote to memory of 3032	3540	tafe.exe	72
PID 3540 wrote to memory of 3032	3540	tafe.exe	72
PID 3540 wrote to memory of 3032	3540	tafe.exe	72
PID 3540 wrote to memory of 3032	3540	tafe.exe	72
PID 3540 wrote to memory of 3032	3540	tafe.exe	72
PID 3540 wrote to memory of 1260	3540	tafe.exe	78

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
  "C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe
    "C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5590700.bat"
    3⤵
    PID:2320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3112

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4660

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ifenk\ogutq.pii

Filesize
2KB

MD5
82eef1bec46c378cceb5b1ebcb991a99

SHA1
17b70c5fbce8044f86b05c45a559c3ff235ab717

SHA256
2dd84a5be36a603fdcee39501d067f92b9c1b6d6686b16426ce0eb70ebfbd084

SHA512
4bd448fddf18d1dd48005835cf8559139809288d6d0cc33b6d46e2951b56c4a87727b312d8ad9bc9ae36a0db5614249d88c4cda24feda25f0afa21c1b8e8b8e6

Download Submit
C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe

Filesize
204KB

MD5
88cd86b527391ecc0a907deecb020df8

SHA1
f5a015c35c3258ff306e3769bc31fee6e18f4bde

SHA256
3b6bf61d8ee0fd4908f05e73e4a52d70cf2c6bcbee648292b52111c64f0d05aa

SHA512
8aef36531301157d5e2c14043f52742f07c677060b2c22d9d8902ff0b2d88e7ed5a24cf8dc82792ec1a1773f93ba43868f58554eec8b8c4a0700f3815aca57a8

Download Submit
C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe

Filesize
204KB

MD5
88cd86b527391ecc0a907deecb020df8

SHA1
f5a015c35c3258ff306e3769bc31fee6e18f4bde

SHA256
3b6bf61d8ee0fd4908f05e73e4a52d70cf2c6bcbee648292b52111c64f0d05aa

SHA512
8aef36531301157d5e2c14043f52742f07c677060b2c22d9d8902ff0b2d88e7ed5a24cf8dc82792ec1a1773f93ba43868f58554eec8b8c4a0700f3815aca57a8

Download Submit
memory/1260-144-0x0000000002140000-0x000000000217B000-memory.dmp

Filesize
236KB

Download
memory/1260-134-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1260-133-0x0000000002090000-0x00000000020FA000-memory.dmp

Filesize
424KB

Download
memory/1260-143-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1260-132-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-142-0x0000000000140000-0x000000000017B000-memory.dmp

Filesize
236KB

Download
memory/2320-145-0x0000000000140000-0x000000000017B000-memory.dmp

Filesize
236KB

Download
memory/3540-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3540-139-0x00000000020D0000-0x000000000213A000-memory.dmp

Filesize
424KB

Download
memory/3540-146-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3540-147-0x00000000020D0000-0x000000000213A000-memory.dmp

Filesize
424KB

Download