3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vual.exe

pid process

556 vual.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1676 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

2024 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
1676	cmd.exe

pid	process
2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vual.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	vual.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{07485E54-30A2-795B-6989-374937CFD642} = "C:\\Users\\Admin\\AppData\\Roaming\\Fuzi\\vual.exe"	vual.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 2024 set thread context of 1676 2024 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 2024 set thread context of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

vual.exe

pid	process
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe
556	vual.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exevual.exe

description	pid	process	target process
PID 2024 wrote to memory of 556	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	vual.exe
PID 2024 wrote to memory of 556	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	vual.exe
PID 2024 wrote to memory of 556	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	vual.exe
PID 2024 wrote to memory of 556	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	vual.exe
PID 556 wrote to memory of 1128	556	vual.exe	taskhost.exe
PID 556 wrote to memory of 1128	556	vual.exe	taskhost.exe
PID 556 wrote to memory of 1128	556	vual.exe	taskhost.exe
PID 556 wrote to memory of 1128	556	vual.exe	taskhost.exe
PID 556 wrote to memory of 1128	556	vual.exe	taskhost.exe
PID 556 wrote to memory of 1180	556	vual.exe	Dwm.exe
PID 556 wrote to memory of 1180	556	vual.exe	Dwm.exe
PID 556 wrote to memory of 1180	556	vual.exe	Dwm.exe
PID 556 wrote to memory of 1180	556	vual.exe	Dwm.exe
PID 556 wrote to memory of 1180	556	vual.exe	Dwm.exe
PID 556 wrote to memory of 1252	556	vual.exe	Explorer.EXE
PID 556 wrote to memory of 1252	556	vual.exe	Explorer.EXE
PID 556 wrote to memory of 1252	556	vual.exe	Explorer.EXE
PID 556 wrote to memory of 1252	556	vual.exe	Explorer.EXE
PID 556 wrote to memory of 1252	556	vual.exe	Explorer.EXE
PID 556 wrote to memory of 2024	556	vual.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 556 wrote to memory of 2024	556	vual.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 556 wrote to memory of 2024	556	vual.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 556 wrote to memory of 2024	556	vual.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 556 wrote to memory of 2024	556	vual.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 556 wrote to memory of 976	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 976	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 976	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 976	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 976	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1416	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1416	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1416	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1416	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1416	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1456	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1456	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1456	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1456	556	vual.exe	DllHost.exe
PID 556 wrote to memory of 1456	556	vual.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Fuzi\vual.exe
"C:\Users\Admin\AppData\Roaming\Fuzi\vual.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8c2fd9a.bat"
2⤵
- Deletes itself
PID:1676

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1416

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe8c2fd9a.bat
Filesize
259B

MD5
4474f0d8b753de0f5a7d1c868d70f5e3

SHA1
869cfe56882ace4942c7fe3413b81f0af7c502fd

SHA256
6e7c19864f75eef60c5bb47f98e7277e87b616f966a2cc0cfa418befed8b269e

SHA512
a65f8d7db4f70940eea1d0ac83f4880fc0553acf0ccf6dfbb78c1af4a49594af1dce0a54120ca87560f2a602ed6777302d1379296d595d762f2eebe8b1d98eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Fuzi\vual.exe
Filesize
116KB

MD5
a3549ece48cb7ad53c58c491f5d7fdf7

SHA1
79b34f633bf2163d3ededfeffecb98804eaf39da

SHA256
0e7f41315bb312555e6b5a7ce1a4b735cd04b76a42c3473e27b5c0d86c31fd98

SHA512
23a991a4f84687563a937251792ee1441e1690dde1d1c22c93bbf6cea4466afdfd66f337c75fd6617743abff2784cf48acd0b1b71b8b1de1a8267a5155d8a0d6

Download Submit
C:\Users\Admin\AppData\Roaming\Fuzi\vual.exe
Filesize
116KB

MD5
a3549ece48cb7ad53c58c491f5d7fdf7

SHA1
79b34f633bf2163d3ededfeffecb98804eaf39da

SHA256
0e7f41315bb312555e6b5a7ce1a4b735cd04b76a42c3473e27b5c0d86c31fd98

SHA512
23a991a4f84687563a937251792ee1441e1690dde1d1c22c93bbf6cea4466afdfd66f337c75fd6617743abff2784cf48acd0b1b71b8b1de1a8267a5155d8a0d6

Download Submit
C:\Users\Admin\AppData\Roaming\Tovios\xukaf.soo
Filesize
374B

MD5
5a51dd7535599538d8a341b7d725cd78

SHA1
042c5d80d4ee1c73702c3479679dfdf6ca59cd9e

SHA256
fbdc3a894d81e3f31ceeb366b12606b4acc623da97aec03b747d856011ec9274

SHA512
4e79e48a0503c3dee5145e0f7df33921bbe42138dc09fa7ccde3e9c9e2e833915019709ae9cd7355592493f8fb71ce5d1b0106dd8ead4d4bfc8ea5bb0c94d9c5

Download Submit
\Users\Admin\AppData\Roaming\Fuzi\vual.exe
Filesize
116KB

MD5
a3549ece48cb7ad53c58c491f5d7fdf7

SHA1
79b34f633bf2163d3ededfeffecb98804eaf39da

SHA256
0e7f41315bb312555e6b5a7ce1a4b735cd04b76a42c3473e27b5c0d86c31fd98

SHA512
23a991a4f84687563a937251792ee1441e1690dde1d1c22c93bbf6cea4466afdfd66f337c75fd6617743abff2784cf48acd0b1b71b8b1de1a8267a5155d8a0d6

Download Submit
memory/556-60-0x0000000000000000-mapping.dmp

Download
memory/556-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/976-108-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/976-107-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/976-106-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/976-105-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1128-68-0x0000000001D60000-0x0000000001D85000-memory.dmp

Filesize
148KB

Download
memory/1128-67-0x0000000001D60000-0x0000000001D85000-memory.dmp

Filesize
148KB

Download
memory/1128-69-0x0000000001D60000-0x0000000001D85000-memory.dmp

Filesize
148KB

Download
memory/1128-64-0x0000000001D60000-0x0000000001D85000-memory.dmp

Filesize
148KB

Download
memory/1128-66-0x0000000001D60000-0x0000000001D85000-memory.dmp

Filesize
148KB

Download
memory/1180-72-0x0000000001AC0000-0x0000000001AE5000-memory.dmp

Filesize
148KB

Download
memory/1180-73-0x0000000001AC0000-0x0000000001AE5000-memory.dmp

Filesize
148KB

Download
memory/1180-74-0x0000000001AC0000-0x0000000001AE5000-memory.dmp

Filesize
148KB

Download
memory/1180-75-0x0000000001AC0000-0x0000000001AE5000-memory.dmp

Filesize
148KB

Download
memory/1252-78-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1252-79-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1252-80-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1252-81-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1416-114-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1416-113-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1416-112-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1416-111-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1456-117-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1456-118-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1456-119-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1456-120-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1676-94-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1676-95-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1676-96-0x0000000000055A36-mapping.dmp

Download
memory/1676-101-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1676-93-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1676-91-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/2024-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2024-55-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2024-98-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/2024-57-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2024-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2024-97-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2024-87-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/2024-86-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/2024-85-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/2024-84-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads