ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b

Analysis

max time kernel
175s
max time network
231s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe
Size

323KB
MD5

41d4b8979546d899d41c56cdc8a60aa2
SHA1

afdad883f5d54fc946f14659fcea32ebdff8b774
SHA256

ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b
SHA512

4b72805780308a31214877d9ad6be64e3c162e0a136432c4401cdeef72566523b9ea3de3f073dfb14ba96584ae58964fefeba855843015ed3a47fb95827949ed
SSDEEP

6144:WF0NzItWU8Jh7/oRlZaNeo0Ay4oqiM3gr9bvO:W60k/oFCry4oqiM329b2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
556	tialxo.exe
1264	tialxo.exe

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe
1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	tialxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Ytqun\\tialxo.exe"	tialxo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 556 set thread context of 1264	556	tialxo.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe
1264	tialxo.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1988 wrote to memory of 1272	1988	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	28
PID 1272 wrote to memory of 556	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	29
PID 1272 wrote to memory of 556	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	29
PID 1272 wrote to memory of 556	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	29
PID 1272 wrote to memory of 556	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	29
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 556 wrote to memory of 1264	556	tialxo.exe	30
PID 1264 wrote to memory of 1116	1264	tialxo.exe	14
PID 1264 wrote to memory of 1116	1264	tialxo.exe	14
PID 1264 wrote to memory of 1116	1264	tialxo.exe	14
PID 1264 wrote to memory of 1116	1264	tialxo.exe	14
PID 1264 wrote to memory of 1116	1264	tialxo.exe	14
PID 1264 wrote to memory of 1172	1264	tialxo.exe	20
PID 1264 wrote to memory of 1172	1264	tialxo.exe	20
PID 1264 wrote to memory of 1172	1264	tialxo.exe	20
PID 1264 wrote to memory of 1172	1264	tialxo.exe	20
PID 1264 wrote to memory of 1172	1264	tialxo.exe	20
PID 1264 wrote to memory of 1216	1264	tialxo.exe	16
PID 1264 wrote to memory of 1216	1264	tialxo.exe	16
PID 1264 wrote to memory of 1216	1264	tialxo.exe	16
PID 1264 wrote to memory of 1216	1264	tialxo.exe	16
PID 1264 wrote to memory of 1216	1264	tialxo.exe	16
PID 1264 wrote to memory of 1272	1264	tialxo.exe	28
PID 1264 wrote to memory of 1272	1264	tialxo.exe	28
PID 1264 wrote to memory of 1272	1264	tialxo.exe	28
PID 1264 wrote to memory of 1272	1264	tialxo.exe	28
PID 1264 wrote to memory of 1272	1264	tialxo.exe	28
PID 1272 wrote to memory of 1956	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	31
PID 1272 wrote to memory of 1956	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	31
PID 1272 wrote to memory of 1956	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	31
PID 1272 wrote to memory of 1956	1272	ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe	31
PID 1264 wrote to memory of 1956	1264	tialxo.exe	31
PID 1264 wrote to memory of 1956	1264	tialxo.exe	31
PID 1264 wrote to memory of 1956	1264	tialxo.exe	31
PID 1264 wrote to memory of 1956	1264	tialxo.exe	31
PID 1264 wrote to memory of 1956	1264	tialxo.exe	31
PID 1264 wrote to memory of 292	1264	tialxo.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe
  "C:\Users\Admin\AppData\Local\Temp\ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe
    "C:\Users\Admin\AppData\Local\Temp\ab09213c63f299239ba186ab3039e1e0f664fbb494f141a07daa13dab76e3d0b.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe
      "C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe
        
        "C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp840d45ba.bat"
      4⤵
      Deletes itself
      PID:1956

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5194700891948840554-1222669410-1911807183-1806403782-10027910607404209952017740104"
1⤵
PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp840d45ba.bat

Filesize
307B

MD5
45411a8eb792a691b90d7e04f9f2049c

SHA1
0b528d9f0fc24e289bd67931bdaa21876a940a2a

SHA256
5f81c6694dd0946b5571f577b41b5d8d4745084e923c1b04426e7fa539a5ce3c

SHA512
be092a5eedf003ea1ed747d4c070f1ed430be5e0294d166bf6ed91b2ff8169b6f07aec8b3971ede7240fbc4bcf76b33758a454bd20cf7fd1897dbaf007ce0bd3

Download Submit
C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe

Filesize
323KB

MD5
a49e1e758d8a7466f60a88ea07839280

SHA1
708ca4db48e0767381de95b45e30ef0f49e35d0e

SHA256
71b6d7f685e32531df6699bb3f90c9db8e6d6a91909be0543d6e3e09d48f4ba8

SHA512
631480b2c259fa4cdaa78d9b52346b6aa5f9bcdf208a65b234b36407d8cfaa5a97a7c79991c5d4ed9976486954d8224dfd61d5c48af8ba8b8fcdf89f34a9a8aa

Download Submit
C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe

Filesize
323KB

MD5
a49e1e758d8a7466f60a88ea07839280

SHA1
708ca4db48e0767381de95b45e30ef0f49e35d0e

SHA256
71b6d7f685e32531df6699bb3f90c9db8e6d6a91909be0543d6e3e09d48f4ba8

SHA512
631480b2c259fa4cdaa78d9b52346b6aa5f9bcdf208a65b234b36407d8cfaa5a97a7c79991c5d4ed9976486954d8224dfd61d5c48af8ba8b8fcdf89f34a9a8aa

Download Submit
C:\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe

Filesize
323KB

MD5
a49e1e758d8a7466f60a88ea07839280

SHA1
708ca4db48e0767381de95b45e30ef0f49e35d0e

SHA256
71b6d7f685e32531df6699bb3f90c9db8e6d6a91909be0543d6e3e09d48f4ba8

SHA512
631480b2c259fa4cdaa78d9b52346b6aa5f9bcdf208a65b234b36407d8cfaa5a97a7c79991c5d4ed9976486954d8224dfd61d5c48af8ba8b8fcdf89f34a9a8aa

Download Submit
\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe

Filesize
323KB

MD5
a49e1e758d8a7466f60a88ea07839280

SHA1
708ca4db48e0767381de95b45e30ef0f49e35d0e

SHA256
71b6d7f685e32531df6699bb3f90c9db8e6d6a91909be0543d6e3e09d48f4ba8

SHA512
631480b2c259fa4cdaa78d9b52346b6aa5f9bcdf208a65b234b36407d8cfaa5a97a7c79991c5d4ed9976486954d8224dfd61d5c48af8ba8b8fcdf89f34a9a8aa

Download Submit
\Users\Admin\AppData\Roaming\Ytqun\tialxo.exe

Filesize
323KB

MD5
a49e1e758d8a7466f60a88ea07839280

SHA1
708ca4db48e0767381de95b45e30ef0f49e35d0e

SHA256
71b6d7f685e32531df6699bb3f90c9db8e6d6a91909be0543d6e3e09d48f4ba8

SHA512
631480b2c259fa4cdaa78d9b52346b6aa5f9bcdf208a65b234b36407d8cfaa5a97a7c79991c5d4ed9976486954d8224dfd61d5c48af8ba8b8fcdf89f34a9a8aa

Download Submit
memory/556-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/556-73-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1116-92-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1116-89-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1116-91-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1116-90-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1172-97-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1172-98-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1172-96-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1172-95-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1216-102-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-104-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-103-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-101-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1264-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-124-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-65-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1272-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-72-0x0000000001F90000-0x0000000001FE5000-memory.dmp

Filesize
340KB

Download
memory/1272-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-109-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1272-110-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1272-108-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1272-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-107-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1272-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-112-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1272-115-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/1956-118-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1956-119-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1956-120-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1956-121-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1988-54-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1988-66-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1988-64-0x0000000000320000-0x0000000000375000-memory.dmp

Filesize
340KB

Download