763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc

Analysis

max time kernel
177s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Size

221KB
MD5

0b8e611a5d9820e5709dabac3728afc0
SHA1

af8a4552eb2c1accc38b2c3953b1e9b32f64527a
SHA256

763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc
SHA512

c4627ffab3314c3d26a5467f197a8762c91305d1abc1fdd89f8153fa57a0f3f4e88d05c6f7b5211152732bb5da08649912fc564e0513d8d363c543b549040459
SSDEEP

6144:w0i0DhlSlqqDLPyO06ODvcDjoG1oPKajg3GqVmnO76kL:w0i0DhlBqnGcDjoGyPKaE3Dd7XL

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
584	axfom.exe

Deletes itself 1 IoCs

pid	Process
1744	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ymereb = "C:\\Users\\Admin\\AppData\\Roaming\\Afyfe\\axfom.exe"	axfom.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	axfom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	axfom.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 360 set thread context of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\475A1E2D-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe
584	axfom.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeSecurityPrivilege	1744	cmd.exe
Token: SeManageVolumePrivilege	548	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
548	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
548	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
548	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 584	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	28
PID 360 wrote to memory of 584	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	28
PID 360 wrote to memory of 584	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	28
PID 360 wrote to memory of 584	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	28
PID 584 wrote to memory of 1120	584	axfom.exe	18
PID 584 wrote to memory of 1120	584	axfom.exe	18
PID 584 wrote to memory of 1120	584	axfom.exe	18
PID 584 wrote to memory of 1120	584	axfom.exe	18
PID 584 wrote to memory of 1120	584	axfom.exe	18
PID 584 wrote to memory of 1164	584	axfom.exe	21
PID 584 wrote to memory of 1164	584	axfom.exe	21
PID 584 wrote to memory of 1164	584	axfom.exe	21
PID 584 wrote to memory of 1164	584	axfom.exe	21
PID 584 wrote to memory of 1164	584	axfom.exe	21
PID 584 wrote to memory of 1200	584	axfom.exe	20
PID 584 wrote to memory of 1200	584	axfom.exe	20
PID 584 wrote to memory of 1200	584	axfom.exe	20
PID 584 wrote to memory of 1200	584	axfom.exe	20
PID 584 wrote to memory of 1200	584	axfom.exe	20
PID 584 wrote to memory of 360	584	axfom.exe	27
PID 584 wrote to memory of 360	584	axfom.exe	27
PID 584 wrote to memory of 360	584	axfom.exe	27
PID 584 wrote to memory of 360	584	axfom.exe	27
PID 584 wrote to memory of 360	584	axfom.exe	27
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 360 wrote to memory of 1744	360	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	29
PID 584 wrote to memory of 1716	584	axfom.exe	30
PID 584 wrote to memory of 1716	584	axfom.exe	30
PID 584 wrote to memory of 1716	584	axfom.exe	30
PID 584 wrote to memory of 1716	584	axfom.exe	30
PID 584 wrote to memory of 1716	584	axfom.exe	30
PID 584 wrote to memory of 828	584	axfom.exe	31
PID 584 wrote to memory of 828	584	axfom.exe	31
PID 584 wrote to memory of 828	584	axfom.exe	31
PID 584 wrote to memory of 828	584	axfom.exe	31
PID 584 wrote to memory of 828	584	axfom.exe	31
PID 584 wrote to memory of 548	584	axfom.exe	32
PID 584 wrote to memory of 548	584	axfom.exe	32
PID 584 wrote to memory of 548	584	axfom.exe	32
PID 584 wrote to memory of 548	584	axfom.exe	32
PID 584 wrote to memory of 548	584	axfom.exe	32
PID 584 wrote to memory of 1912	584	axfom.exe	33
PID 584 wrote to memory of 1912	584	axfom.exe	33
PID 584 wrote to memory of 1912	584	axfom.exe	33
PID 584 wrote to memory of 1912	584	axfom.exe	33
PID 584 wrote to memory of 1912	584	axfom.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
  "C:\Users\Admin\AppData\Local\Temp\763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Users\Admin\AppData\Roaming\Afyfe\axfom.exe
    "C:\Users\Admin\AppData\Roaming\Afyfe\axfom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0988c9b9.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1744

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-377856481213443954-16219504382098023873-514223886909486486-10784275-1817288607"
1⤵
PID:828

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0988c9b9.bat

Filesize
307B

MD5
5e96b36e7bcf731a4514d3be83df1212

SHA1
c543535cf140dfd33434bbc7f578689f930dbf16

SHA256
b3d398bc238241d2db2d7c84f5791735ac89e41f299718f4c8bac9652ea189c4

SHA512
18f37b8e4a751d03456c31d6f65445d85cc22d44b903c4af2027ba2964f6a4f96d0ef4cda62b4054867780c083cc319fee6249d071a0c89bd525e80e9acd826e

Download Submit
C:\Users\Admin\AppData\Roaming\Afyfe\axfom.exe

Filesize
221KB

MD5
a432b8ab412c6f3343d5f887e40b5b14

SHA1
2e6c1e391d719d883b012d6a4ade753f293dfe26

SHA256
2e58679c7faf5cd1a672ba0c8fefbf51e001dd7fa5a328fbea0cf041ff3dc90b

SHA512
4865fe664977b1967313fc99f6e424df064ff08911b8df2c870630fff2e5309b5fc2eae7508761af93f7a012f39102d6e1c6c99f1f1cd84fd8af4e16862beb52

Download Submit
C:\Users\Admin\AppData\Roaming\Afyfe\axfom.exe

Filesize
221KB

MD5
a432b8ab412c6f3343d5f887e40b5b14

SHA1
2e6c1e391d719d883b012d6a4ade753f293dfe26

SHA256
2e58679c7faf5cd1a672ba0c8fefbf51e001dd7fa5a328fbea0cf041ff3dc90b

SHA512
4865fe664977b1967313fc99f6e424df064ff08911b8df2c870630fff2e5309b5fc2eae7508761af93f7a012f39102d6e1c6c99f1f1cd84fd8af4e16862beb52

Download Submit
C:\Users\Admin\AppData\Roaming\Bygy\reyc.ofn

Filesize
421B

MD5
c3663f564dbdd82cb3dffe681c206a06

SHA1
5b19a14705a71f96b566731f1ceb43aca0ed8f75

SHA256
02c6bc817a867cb3fed3a8ef06640c2a1d9d2af762d835da3d1d3288699c001b

SHA512
d245eee712b9cfff9557b57c59fdd224315f666210019c76d98ad0263834ef80764acdb43f82b29229ed979280ec792fbab3fde5419552c067d8786274aef08e

Download Submit
C:\Users\Admin\AppData\Roaming\Bygy\reyc.ofn

Filesize
4KB

MD5
f1ca8560f3fa5c0877a6cc81ed5768b1

SHA1
4009b5c6a4a04ac03957a909f1b331dc0a4d642d

SHA256
e8359ebfc39ee0d8641685f95693a3247ea0abe660c1e4d1182c0ba1e863d810

SHA512
7c500e555b923709d3eb1940f5fab6be1f4ecec08522b94df581f583e863c85f9fd1549078cf16762d6831e4703c5a56663df9e84ea96f14c4b4c9b65b5748ee

Download Submit
\Users\Admin\AppData\Roaming\Afyfe\axfom.exe

Filesize
221KB

MD5
a432b8ab412c6f3343d5f887e40b5b14

SHA1
2e6c1e391d719d883b012d6a4ade753f293dfe26

SHA256
2e58679c7faf5cd1a672ba0c8fefbf51e001dd7fa5a328fbea0cf041ff3dc90b

SHA512
4865fe664977b1967313fc99f6e424df064ff08911b8df2c870630fff2e5309b5fc2eae7508761af93f7a012f39102d6e1c6c99f1f1cd84fd8af4e16862beb52

Download Submit
\Users\Admin\AppData\Roaming\Afyfe\axfom.exe

Filesize
221KB

MD5
a432b8ab412c6f3343d5f887e40b5b14

SHA1
2e6c1e391d719d883b012d6a4ade753f293dfe26

SHA256
2e58679c7faf5cd1a672ba0c8fefbf51e001dd7fa5a328fbea0cf041ff3dc90b

SHA512
4865fe664977b1967313fc99f6e424df064ff08911b8df2c870630fff2e5309b5fc2eae7508761af93f7a012f39102d6e1c6c99f1f1cd84fd8af4e16862beb52

Download Submit
memory/360-87-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-86-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-83-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-82-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-81-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-223-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/360-85-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/360-84-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/1120-63-0x0000000001E60000-0x0000000001E9B000-memory.dmp

Filesize
236KB

Download
memory/1120-61-0x0000000001E60000-0x0000000001E9B000-memory.dmp

Filesize
236KB

Download
memory/1120-64-0x0000000001E60000-0x0000000001E9B000-memory.dmp

Filesize
236KB

Download
memory/1120-66-0x0000000001E60000-0x0000000001E9B000-memory.dmp

Filesize
236KB

Download
memory/1120-65-0x0000000001E60000-0x0000000001E9B000-memory.dmp

Filesize
236KB

Download
memory/1164-71-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1164-72-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1164-69-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1164-70-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1200-78-0x0000000002680000-0x00000000026BB000-memory.dmp

Filesize
236KB

Download
memory/1200-77-0x0000000002680000-0x00000000026BB000-memory.dmp

Filesize
236KB

Download
memory/1200-76-0x0000000002680000-0x00000000026BB000-memory.dmp

Filesize
236KB

Download
memory/1200-75-0x0000000002680000-0x00000000026BB000-memory.dmp

Filesize
236KB

Download
memory/1744-109-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-107-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-99-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-101-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-105-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-103-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-96-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-113-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-115-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-111-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-95-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-119-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-117-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-121-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-123-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-125-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-127-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-224-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-94-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-263-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1744-92-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download