8a40e3660141f4cfdf61ec550aa51f3c303bc11af5bc55ac5a6cf735a8a143d5

Analysis

max time kernel
187s
max time network
183s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b8c38e51320034c368bfbb313eca1ff.exe
Size

293KB
MD5

1b8c38e51320034c368bfbb313eca1ff
SHA1

1de55838e8abec4571394e7d5dab5adefcd24be9
SHA256

8a40e3660141f4cfdf61ec550aa51f3c303bc11af5bc55ac5a6cf735a8a143d5
SHA512

1a6f171aeb026cb56a285e7c980b69591701f7453a0b390c0842f696dc440d7cf3d14aa10f9976d5b3394461f67f551246e3a039c92ef75fac2fcb66c3183c7a
SSDEEP

6144:rPdMKMANEVzGlcEDUl4qaRYVQoJTGbusJRhgnGXc1D7Xm2BeddhMHdmHSC:rNEh8cSLqdfsisDhgnGyBBedDM9mHt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	apif.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	1b8c38e51320034c368bfbb313eca1ff.exe
2840	1b8c38e51320034c368bfbb313eca1ff.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Pety\\apif.exe"	apif.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	1516	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	1b8c38e51320034c368bfbb313eca1ff.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1b8c38e51320034c368bfbb313eca1ff.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe
2748	apif.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2840	1b8c38e51320034c368bfbb313eca1ff.exe
Token: SeSecurityPrivilege	2840	1b8c38e51320034c368bfbb313eca1ff.exe
Token: SeSecurityPrivilege	2840	1b8c38e51320034c368bfbb313eca1ff.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2840	1b8c38e51320034c368bfbb313eca1ff.exe
2748	apif.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2748	2840	1b8c38e51320034c368bfbb313eca1ff.exe	29
PID 2840 wrote to memory of 2748	2840	1b8c38e51320034c368bfbb313eca1ff.exe	29
PID 2840 wrote to memory of 2748	2840	1b8c38e51320034c368bfbb313eca1ff.exe	29
PID 2840 wrote to memory of 2748	2840	1b8c38e51320034c368bfbb313eca1ff.exe	29
PID 2748 wrote to memory of 1112	2748	apif.exe	13
PID 2748 wrote to memory of 1112	2748	apif.exe	13
PID 2748 wrote to memory of 1112	2748	apif.exe	13
PID 2748 wrote to memory of 1112	2748	apif.exe	13
PID 2748 wrote to memory of 1112	2748	apif.exe	13
PID 2748 wrote to memory of 1216	2748	apif.exe	12
PID 2748 wrote to memory of 1216	2748	apif.exe	12
PID 2748 wrote to memory of 1216	2748	apif.exe	12
PID 2748 wrote to memory of 1216	2748	apif.exe	12
PID 2748 wrote to memory of 1216	2748	apif.exe	12
PID 2748 wrote to memory of 1284	2748	apif.exe	11
PID 2748 wrote to memory of 1284	2748	apif.exe	11
PID 2748 wrote to memory of 1284	2748	apif.exe	11
PID 2748 wrote to memory of 1284	2748	apif.exe	11
PID 2748 wrote to memory of 1284	2748	apif.exe	11
PID 2748 wrote to memory of 2840	2748	apif.exe	24
PID 2748 wrote to memory of 2840	2748	apif.exe	24
PID 2748 wrote to memory of 2840	2748	apif.exe	24
PID 2748 wrote to memory of 2840	2748	apif.exe	24
PID 2748 wrote to memory of 2840	2748	apif.exe	24
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 2840 wrote to memory of 1516	2840	1b8c38e51320034c368bfbb313eca1ff.exe	30
PID 1516 wrote to memory of 2308	1516	cmd.exe	31
PID 1516 wrote to memory of 2308	1516	cmd.exe	31
PID 1516 wrote to memory of 2308	1516	cmd.exe	31
PID 1516 wrote to memory of 2308	1516	cmd.exe	31
PID 2748 wrote to memory of 2016	2748	apif.exe	32
PID 2748 wrote to memory of 2016	2748	apif.exe	32
PID 2748 wrote to memory of 2016	2748	apif.exe	32
PID 2748 wrote to memory of 2016	2748	apif.exe	32
PID 2748 wrote to memory of 2016	2748	apif.exe	32
PID 2748 wrote to memory of 2308	2748	apif.exe	31
PID 2748 wrote to memory of 2308	2748	apif.exe	31
PID 2748 wrote to memory of 2308	2748	apif.exe	31
PID 2748 wrote to memory of 2308	2748	apif.exe	31
PID 2748 wrote to memory of 2308	2748	apif.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\1b8c38e51320034c368bfbb313eca1ff.exe
  "C:\Users\Admin\AppData\Local\Temp\1b8c38e51320034c368bfbb313eca1ff.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\Pety\apif.exe
    "C:\Users\Admin\AppData\Roaming\Pety\apif.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbb5667dd.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 116
      4⤵
      Program crash
      PID:2308

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4449869711033818924962026904407812889531793647-1180426640-326568025-1596758403"
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Exxixo\ymac.ugu

Filesize
366B

MD5
7b51f63fc10b828053b9b820e89e6d0c

SHA1
7dff142d173d4ebbc260f249bf358eb6ebe3dfc6

SHA256
fbd261d39173f9dad39ad1467f9de7629abd12b5b41606a03985e7fbe32ae76c

SHA512
6295748db59ee1ef656524059fa2ee87c7d3489cdb371522d5b20b0452a41060d7d5855e507c4761c5c8023dd0001d8ceed90e1c7ea11d2e768d58b44a3c2181

Download Submit
\Users\Admin\AppData\Roaming\Pety\apif.exe

Filesize
293KB

MD5
5e26952b5e38e022c576c227537abcd5

SHA1
b31489e2052685a1760259cf5201a55efcc6e5e4

SHA256
eb158d713981d7c485a956515db91b4fdaf3f495b827f7bbe02439e3041580f1

SHA512
d2565e9baafc56493fbb966652b42c9ce674f0c7b032eb218be10596c7cd8baaa51aee26a0ba2a61c4d72a8d3b87c7257ac37490d7b5837272da72c2846605a5

Download Submit
memory/1112-21-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-19-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-23-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-22-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-20-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1216-26-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-25-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-28-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-27-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1284-32-0x0000000002960000-0x00000000029A1000-memory.dmp

Filesize
260KB

Download
memory/1284-33-0x0000000002960000-0x00000000029A1000-memory.dmp

Filesize
260KB

Download
memory/1284-31-0x0000000002960000-0x00000000029A1000-memory.dmp

Filesize
260KB

Download
memory/1284-30-0x0000000002960000-0x00000000029A1000-memory.dmp

Filesize
260KB

Download
memory/2308-171-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/2308-272-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/2308-176-0x0000000077A60000-0x0000000077A61000-memory.dmp

Filesize
4KB

Download
memory/2308-174-0x0000000077A60000-0x0000000077A61000-memory.dmp

Filesize
4KB

Download
memory/2308-268-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2748-16-0x0000000000340000-0x000000000038B000-memory.dmp

Filesize
300KB

Download
memory/2748-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-15-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2840-159-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-44-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-134-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-157-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/2840-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-50-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-48-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-46-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-42-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-39-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-38-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-37-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-35-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-57-0x0000000077A60000-0x0000000077A61000-memory.dmp

Filesize
4KB

Download
memory/2840-55-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-52-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2840-36-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2840-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-1-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/2840-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download