ad3bcb65313043b1a43b8fb210f3a20a87df8a8145ed9a18b086d0859616caa2

Analysis

max time kernel
90s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe
Size

1.1MB
MD5

ae90880e6556ebb938795518af3a08b2
SHA1

8647dce3b9cce0197ab0e9b832de1f6d2413dd45
SHA256

803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53
SHA512

049ee5204617be840fbce46209b52e788932ffa061c7aa7121caee80d3bcbd26cede1d5657ef4e06bde550f16b7f12d0fbf965340a75ed1b4f6e281afa3135fe
SSDEEP

24576:xdtRKR7yXFNlMcc7xWzyXe0nyrFPZM7ZNe+d+8/zUX0rSbKnvW5iaO:/y70F0vNXfn+FSlPc4SkvWXO

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Email Access Online.exe

pid process

4324 Email Access Online.exe

pid	process
4324	Email Access Online.exe

Loads dropped DLL 3 IoCs

Processes:

803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe

pid	process
4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe
4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe
4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Email Access Online = "\"C:\\Users\\Admin\\AppData\\Local\\Email Access Online\\Email Access Online.exe\" /delay 0"	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

808 4324 WerFault.exe Email Access Online.exe
4764 4324 WerFault.exe Email Access Online.exe

pid	pid_target	process	target process
808	4324	WerFault.exe	Email Access Online.exe
4764	4324	WerFault.exe	Email Access Online.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Email Access Online.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Email Access Online.exe = "9999"	Email Access Online.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Email Access Online.exe

pid process

4324 Email Access Online.exe
4324 Email Access Online.exe
4324 Email Access Online.exe
4324 Email Access Online.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Email Access Online.exe

pid process

4324 Email Access Online.exe
4324 Email Access Online.exe
4324 Email Access Online.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Email Access Online.exe

pid process

4324 Email Access Online.exe
4324 Email Access Online.exe

pid	process
4324	Email Access Online.exe
4324	Email Access Online.exe
4324	Email Access Online.exe
4324	Email Access Online.exe

pid	process
4324	Email Access Online.exe
4324	Email Access Online.exe
4324	Email Access Online.exe

pid	process
4324	Email Access Online.exe
4324	Email Access Online.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe

description	pid	process	target process
PID 4244 wrote to memory of 4324	4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe	Email Access Online.exe
PID 4244 wrote to memory of 4324	4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe	Email Access Online.exe
PID 4244 wrote to memory of 4324	4244	803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe	Email Access Online.exe

C:\Users\Admin\AppData\Local\Temp\803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe
"C:\Users\Admin\AppData\Local\Temp\803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Email Access Online\Email Access Online.exe
"C:\Users\Admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1924
3⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2000
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4324 -ip 4324
1⤵
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Email Access Online\Email Access Online.exe
Filesize
1.8MB

MD5
354acd53e086bbdb1123896958d6f7dd

SHA1
44a7cdb95443f643d1a4d64c4038f88759d16411

SHA256
21a3add118bb22e7773e97b08d6a9b4eb314d9191750e14c7ce285d3af2266d6

SHA512
963fa4e83ad34fb1e36e531f14880eea0b9253344357ffd114359cb3b291fbc4b78d368542c33bbab007c8a15333bf5feb9ca10f1051282943f4208abfc1711b

Download Submit
C:\Users\Admin\AppData\Local\Email Access Online\Email Access Online.exe
Filesize
1.8MB

MD5
354acd53e086bbdb1123896958d6f7dd

SHA1
44a7cdb95443f643d1a4d64c4038f88759d16411

SHA256
21a3add118bb22e7773e97b08d6a9b4eb314d9191750e14c7ce285d3af2266d6

SHA512
963fa4e83ad34fb1e36e531f14880eea0b9253344357ffd114359cb3b291fbc4b78d368542c33bbab007c8a15333bf5feb9ca10f1051282943f4208abfc1711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD19A.tmp\StdUtils.dll
Filesize
99KB

MD5
7abf66bab64e83da7a4da626bc34493a

SHA1
c3adab85d079b75b0c46f6b25fd2a736687624c5

SHA256
cbe5843990076d7cda9fe83aa305d66d3a0ffdcca932ef23114d1b3a491924f9

SHA512
f1beeb7df3e24daa72bdb093ea655d236c601e55f039322676f80c8aace0d39af6fab78be6b6b63e9486473f78dae42a762022f776b55d118c7a20948990dd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD19A.tmp\System.dll
Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD19A.tmp\npHelper.dll
Filesize
271KB

MD5
c981cb2164e7542c8713d4e72b4e58df

SHA1
9aa01d7662aeb5428750d9ce187ab7b36cd4eb36

SHA256
9dcc839fe0bd5c6f7e81ad72c5615856e3f8ec10b709f3a13848813b5287ac43

SHA512
100fad3b51cf4818bfd0dcd49e17cbe17d11e24cf5b7619b894c47441268abe20570589167f8bbae855ddd414afcbf1fa46dc9a1a0080bdecc7c4aa366b790bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD19A.tmp\npHelper.dll
Filesize
271KB

MD5
c981cb2164e7542c8713d4e72b4e58df

SHA1
9aa01d7662aeb5428750d9ce187ab7b36cd4eb36

SHA256
9dcc839fe0bd5c6f7e81ad72c5615856e3f8ec10b709f3a13848813b5287ac43

SHA512
100fad3b51cf4818bfd0dcd49e17cbe17d11e24cf5b7619b894c47441268abe20570589167f8bbae855ddd414afcbf1fa46dc9a1a0080bdecc7c4aa366b790bd

Download Submit