2f16b2a5a282fcf985cd3f5c63ccaf3942adcd9dce862724ba5d570c41e415ab

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06f86a1f619231fad1708e9422c08f14.exe
Size

93KB
MD5

06f86a1f619231fad1708e9422c08f14
SHA1

a2e8fd1f8b51b624d94ea36e15d2bc8766b677af
SHA256

2f16b2a5a282fcf985cd3f5c63ccaf3942adcd9dce862724ba5d570c41e415ab
SHA512

50063d3403edad0d088e347b563b02d6a0421dd6ba29c7c123e1212a5a2584e5a9f34bce0ac8d2cb7199c165c2b76d68523d6754f044a9203bf2f9b16436ccf4
SSDEEP

1536:uwH8uLlr3QF/GTqg8HLhobQLAfm5b8HLljs2mwEhstzWrY1:HPLlr39Og8HlKQLAfMmLljJmwEixWrq

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2364	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	gelet.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	06f86a1f619231fad1708e9422c08f14.exe
2184	06f86a1f619231fad1708e9422c08f14.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4E8F31F7-F244-FC7E-34DB-BDE4BDB76D75} = "C:\\Users\\Admin\\AppData\\Roaming\\Lyuls\\gelet.exe"	gelet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy	06f86a1f619231fad1708e9422c08f14.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	06f86a1f619231fad1708e9422c08f14.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe
2776	gelet.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2184	06f86a1f619231fad1708e9422c08f14.exe
Token: SeSecurityPrivilege	2184	06f86a1f619231fad1708e9422c08f14.exe
Token: SeSecurityPrivilege	2184	06f86a1f619231fad1708e9422c08f14.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2776	2184	06f86a1f619231fad1708e9422c08f14.exe	28
PID 2184 wrote to memory of 2776	2184	06f86a1f619231fad1708e9422c08f14.exe	28
PID 2184 wrote to memory of 2776	2184	06f86a1f619231fad1708e9422c08f14.exe	28
PID 2184 wrote to memory of 2776	2184	06f86a1f619231fad1708e9422c08f14.exe	28
PID 2776 wrote to memory of 1088	2776	gelet.exe	13
PID 2776 wrote to memory of 1088	2776	gelet.exe	13
PID 2776 wrote to memory of 1088	2776	gelet.exe	13
PID 2776 wrote to memory of 1088	2776	gelet.exe	13
PID 2776 wrote to memory of 1088	2776	gelet.exe	13
PID 2776 wrote to memory of 1176	2776	gelet.exe	12
PID 2776 wrote to memory of 1176	2776	gelet.exe	12
PID 2776 wrote to memory of 1176	2776	gelet.exe	12
PID 2776 wrote to memory of 1176	2776	gelet.exe	12
PID 2776 wrote to memory of 1176	2776	gelet.exe	12
PID 2776 wrote to memory of 1208	2776	gelet.exe	11
PID 2776 wrote to memory of 1208	2776	gelet.exe	11
PID 2776 wrote to memory of 1208	2776	gelet.exe	11
PID 2776 wrote to memory of 1208	2776	gelet.exe	11
PID 2776 wrote to memory of 1208	2776	gelet.exe	11
PID 2776 wrote to memory of 2156	2776	gelet.exe	9
PID 2776 wrote to memory of 2156	2776	gelet.exe	9
PID 2776 wrote to memory of 2156	2776	gelet.exe	9
PID 2776 wrote to memory of 2156	2776	gelet.exe	9
PID 2776 wrote to memory of 2156	2776	gelet.exe	9
PID 2776 wrote to memory of 2184	2776	gelet.exe	20
PID 2776 wrote to memory of 2184	2776	gelet.exe	20
PID 2776 wrote to memory of 2184	2776	gelet.exe	20
PID 2776 wrote to memory of 2184	2776	gelet.exe	20
PID 2776 wrote to memory of 2184	2776	gelet.exe	20
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2184 wrote to memory of 2364	2184	06f86a1f619231fad1708e9422c08f14.exe	30
PID 2776 wrote to memory of 1948	2776	gelet.exe	31
PID 2776 wrote to memory of 1948	2776	gelet.exe	31
PID 2776 wrote to memory of 1948	2776	gelet.exe	31
PID 2776 wrote to memory of 1948	2776	gelet.exe	31
PID 2776 wrote to memory of 1948	2776	gelet.exe	31

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\06f86a1f619231fad1708e9422c08f14.exe
  "C:\Users\Admin\AppData\Local\Temp\06f86a1f619231fad1708e9422c08f14.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Roaming\Lyuls\gelet.exe
    "C:\Users\Admin\AppData\Roaming\Lyuls\gelet.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp22f1fd9c.bat"
    3⤵
    - Deletes itself
    PID:2364

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp22f1fd9c.bat

Filesize
243B

MD5
9045819fb6246ca7572d83bcac3e2928

SHA1
58d87029d882ea77b871a5992b43a3a5bdf7b970

SHA256
ef3a4c42f3bda2f503b5784afa54d93ecac53fd12ce9fce0f026a0f56a3adf25

SHA512
f7dc698e8ea1cb172b0c575f0b50afa39c3da6b306817118e836edbd20e5066f0a8f0ea7f60a63d041ff0b2af5825ecf5482f5ac4f3a92d1511c5b0ceb6d7a17

Download Submit
C:\Users\Admin\AppData\Roaming\Vaepy\ylit.amb

Filesize
366B

MD5
afa768a70f82121e26a345decac6c63f

SHA1
4edef8a57f40d47396e166ae0a2561edd3ab7af0

SHA256
d6dd60a3d94f7db742b972f7ab0c25785ce07e8e2668d164c42c672ea0829697

SHA512
014e5350ce92a3668c15f67c73e2fb4e9c4f212c189efc4aeee1cd244d2d0a8672df1c74429eb6d0581ebc810dc007d83dc230a87157b51ef547d34cbdc7ce48

Download Submit
\Users\Admin\AppData\Roaming\Lyuls\gelet.exe

Filesize
93KB

MD5
26a2f6edf661df78c0759442a2cb8113

SHA1
4083219d329500c6f4a65767dcc3b796dcd56464

SHA256
03db03742dcdab6ce6a5c43266d0ae77fabe8ede4dc3a347a5710505abc95832

SHA512
69b1fa6a5b78d5fcbb9fd3f2ac66f2fe2fb67ae297e8854d790d45d76df53acc2dcb43738dc0d7e566c05e0590044aca1a924a99836dfbf360caa23adcd0f212

Download Submit
memory/1088-10-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1088-11-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1088-12-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1088-14-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1088-13-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1176-16-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1176-17-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1176-18-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1176-19-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1208-21-0x0000000003D60000-0x0000000003D7A000-memory.dmp

Filesize
104KB

Download
memory/1208-24-0x0000000003D60000-0x0000000003D7A000-memory.dmp

Filesize
104KB

Download
memory/1208-23-0x0000000003D60000-0x0000000003D7A000-memory.dmp

Filesize
104KB

Download
memory/1208-22-0x0000000003D60000-0x0000000003D7A000-memory.dmp

Filesize
104KB

Download
memory/2156-26-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2156-27-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2156-28-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2156-29-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2184-46-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-38-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-70-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-67-0x0000000077400000-0x0000000077401000-memory.dmp

Filesize
4KB

Download
memory/2184-34-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-44-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-68-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-31-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-32-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-66-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-64-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-62-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-60-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-58-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-56-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-54-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-52-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-50-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-48-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-33-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-42-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-40-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2184-35-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2184-36-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2364-73-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2364-77-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2364-79-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2364-111-0x0000000077400000-0x0000000077401000-memory.dmp

Filesize
4KB

Download
memory/2364-78-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2364-113-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2364-112-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2364-76-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download