44c8bd65e74bc5e11c7deea39abcf719c7b390c4cec2275fd895f9bc18320743

Analysis

max time kernel
211s
max time network
230s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a838d92124222fbef7429e324131eba.exe
Size

212KB
MD5

2a838d92124222fbef7429e324131eba
SHA1

7b4b5682b107b306e71ac45a06977883c659cc53
SHA256

44c8bd65e74bc5e11c7deea39abcf719c7b390c4cec2275fd895f9bc18320743
SHA512

d991be1c72b490c630d1c62112bc1ec7d3fb2176819113c117c44af6f8bc97ba71ed172758b52a88d7b14814c9e994512a2ea2d27faca4e58449c971c399a3d1
SSDEEP

6144:8ZdqqDLl00jGiJjM6Ow1A3f6fmBjFwdmIt+t:8Zgqnl00jN5p1Q6kgmG+

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	sahoe.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	2a838d92124222fbef7429e324131eba.exe
2804	2a838d92124222fbef7429e324131eba.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xeykotub = "C:\\Users\\Admin\\AppData\\Roaming\\Nyucu\\sahoe.exe"	sahoe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	1952	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	2a838d92124222fbef7429e324131eba.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2a838d92124222fbef7429e324131eba.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4FFB3F55-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe
2228	sahoe.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2804	2a838d92124222fbef7429e324131eba.exe
Token: SeSecurityPrivilege	2804	2a838d92124222fbef7429e324131eba.exe
Token: SeSecurityPrivilege	2804	2a838d92124222fbef7429e324131eba.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeSecurityPrivilege	2244	WerFault.exe
Token: SeManageVolumePrivilege	2208	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2208	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2208	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2228	2804	2a838d92124222fbef7429e324131eba.exe	29
PID 2804 wrote to memory of 2228	2804	2a838d92124222fbef7429e324131eba.exe	29
PID 2804 wrote to memory of 2228	2804	2a838d92124222fbef7429e324131eba.exe	29
PID 2804 wrote to memory of 2228	2804	2a838d92124222fbef7429e324131eba.exe	29
PID 2228 wrote to memory of 1124	2228	sahoe.exe	9
PID 2228 wrote to memory of 1124	2228	sahoe.exe	9
PID 2228 wrote to memory of 1124	2228	sahoe.exe	9
PID 2228 wrote to memory of 1124	2228	sahoe.exe	9
PID 2228 wrote to memory of 1124	2228	sahoe.exe	9
PID 2228 wrote to memory of 1172	2228	sahoe.exe	10
PID 2228 wrote to memory of 1172	2228	sahoe.exe	10
PID 2228 wrote to memory of 1172	2228	sahoe.exe	10
PID 2228 wrote to memory of 1172	2228	sahoe.exe	10
PID 2228 wrote to memory of 1172	2228	sahoe.exe	10
PID 2228 wrote to memory of 1208	2228	sahoe.exe	11
PID 2228 wrote to memory of 1208	2228	sahoe.exe	11
PID 2228 wrote to memory of 1208	2228	sahoe.exe	11
PID 2228 wrote to memory of 1208	2228	sahoe.exe	11
PID 2228 wrote to memory of 1208	2228	sahoe.exe	11
PID 2228 wrote to memory of 2804	2228	sahoe.exe	14
PID 2228 wrote to memory of 2804	2228	sahoe.exe	14
PID 2228 wrote to memory of 2804	2228	sahoe.exe	14
PID 2228 wrote to memory of 2804	2228	sahoe.exe	14
PID 2228 wrote to memory of 2804	2228	sahoe.exe	14
PID 2228 wrote to memory of 1924	2228	sahoe.exe	31
PID 2228 wrote to memory of 1924	2228	sahoe.exe	31
PID 2228 wrote to memory of 1924	2228	sahoe.exe	31
PID 2228 wrote to memory of 1924	2228	sahoe.exe	31
PID 2228 wrote to memory of 1924	2228	sahoe.exe	31
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 2804 wrote to memory of 1952	2804	2a838d92124222fbef7429e324131eba.exe	30
PID 1952 wrote to memory of 2244	1952	cmd.exe	33
PID 1952 wrote to memory of 2244	1952	cmd.exe	33
PID 1952 wrote to memory of 2244	1952	cmd.exe	33
PID 1952 wrote to memory of 2244	1952	cmd.exe	33
PID 2228 wrote to memory of 2200	2228	sahoe.exe	32
PID 2228 wrote to memory of 2200	2228	sahoe.exe	32
PID 2228 wrote to memory of 2200	2228	sahoe.exe	32
PID 2228 wrote to memory of 2200	2228	sahoe.exe	32
PID 2228 wrote to memory of 2200	2228	sahoe.exe	32
PID 2228 wrote to memory of 2244	2228	sahoe.exe	33
PID 2228 wrote to memory of 2244	2228	sahoe.exe	33
PID 2228 wrote to memory of 2244	2228	sahoe.exe	33
PID 2228 wrote to memory of 2244	2228	sahoe.exe	33
PID 2228 wrote to memory of 2244	2228	sahoe.exe	33
PID 2228 wrote to memory of 2968	2228	sahoe.exe	35
PID 2228 wrote to memory of 2968	2228	sahoe.exe	35
PID 2228 wrote to memory of 2968	2228	sahoe.exe	35
PID 2228 wrote to memory of 2968	2228	sahoe.exe	35
PID 2228 wrote to memory of 2968	2228	sahoe.exe	35
PID 2228 wrote to memory of 2208	2228	sahoe.exe	36
PID 2228 wrote to memory of 2208	2228	sahoe.exe	36
PID 2228 wrote to memory of 2208	2228	sahoe.exe	36
PID 2228 wrote to memory of 2208	2228	sahoe.exe	36
PID 2228 wrote to memory of 2208	2228	sahoe.exe	36
PID 2228 wrote to memory of 2980	2228	sahoe.exe	37
PID 2228 wrote to memory of 2980	2228	sahoe.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\2a838d92124222fbef7429e324131eba.exe
  "C:\Users\Admin\AppData\Local\Temp\2a838d92124222fbef7429e324131eba.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe
    "C:\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc8c93a12.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 116
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2098009297-1968050951316883586-214138420-1092661188-2073513302-1448949530-1103939902"
1⤵
PID:2200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2968

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
192KB

MD5
a3e68ead61d06a1ddf7fa50d23ac2078

SHA1
0a30f7d5951ac96873179f73c9b7c3ddea832e36

SHA256
7929b5668720538f75f61c532579e766c495855cdd9e6d70fc54848bcc864a81

SHA512
10b2c1cfa0183d65ef4b551e79c8ff2a72b18e7f9984bd614b3dd27783d1802ed42af396b13cb187ef3a26ace0533c63a1e3b75b531cc899e62258ee57f83ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Iwxo\leitu.etf

Filesize
3KB

MD5
5597d1bc6381826713e5090b5d510dbd

SHA1
91a71a73118916adef33eee383d9bb02ff8676ae

SHA256
7c6a3054fee6753d2edb318f984517f5f63b78d3e76804db57c84dc04b1b7318

SHA512
e6cc3e2f50ccc367363d650b3a219989c8883368c3d133df24e4065a95a9e6c0e406d2dc4f67f618520b4b054d4bc1afb52b7b34dbd3b98e351b14248e6d257b

Download Submit
C:\Users\Admin\AppData\Roaming\Iwxo\leitu.etf

Filesize
8KB

MD5
d0336f9cdc6471d37628fc63a0760de6

SHA1
cd6f9a367dd77e265658dfde6d5d93891e0d56d4

SHA256
6c9d7fa7f4c726a87d244c30a3cf0a5af5bf5de0aea83d9c54b87132a6f85e37

SHA512
0ca3ecb607cae06019b137223a50b09e2bd08c09bfafe7b274a978f6b7993186fc2479ba4e721bcc9bb4b09e3e3c6cab936087c06744a7ab1ec07d1edaa0ad14

Download Submit
C:\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe

Filesize
118KB

MD5
86520af7a73b8c7cf6d61b7fad3514d6

SHA1
cfd4fbe0b1d1b7277ed17b463de9b6a3815e044c

SHA256
30a12a7c3c1d7af8ca83a390b129bcd8c5444c8c534b89a99859f74e93a08ac0

SHA512
907fa9e369643fec68ab14c80ca99c347855ae3b3c3cca56e6986892da3c015ce904d9cf29763a26531d742c594925ce96fad6edfef1e36e2ebb9e9877cb3d20

Download Submit
C:\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe

Filesize
176KB

MD5
0854bf65547295b48f7c5cf746ec2480

SHA1
849ea4077853f7118a11bba3bed0641d72be6a37

SHA256
2c27272dda51465590b574ab9b644fbbaec04c3af35421ced8d2ba9cc5412754

SHA512
5e0c830537913c692cbb65dee3c65f037584776280aaf5b26e310827034d9d6df567eae62921828bc3b944c49694e069c2da39b9720c7ab9688e02750c49f133

Download Submit
C:\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe

Filesize
155KB

MD5
d8ceb380a21f27e15b81c082e5d8684d

SHA1
57365381585b1c9d054ec5efe7bd583a18200cc0

SHA256
7a041ef736ac48ff3ef52556f355eec31e4cdc34443d7a349855af0021560ead

SHA512
dcb446946af3a1a127dcec1bde17edbde2a986803dd226081e7c6bec543ea8c164270697908e46c3816c60c2213c5f23d69d6dc4ef0f5f6e15877c992a61d836

Download Submit
\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe

Filesize
141KB

MD5
d72752e963cfef7fbdd3c4029b36cbce

SHA1
b09eabfc9093c0b03077e145ea03e813ae4013f0

SHA256
ccc8dd1681dcd40520c7ac939a7d74b361bafc7c9bdefff01b14e9cc913f5e88

SHA512
72219ca4ade48edc0fae96800fa2d54d2da91db3c176b80614c2816c03498a513f5d2f9f9829a3ce67600e1fa390e014f210680c78c231205dcdbbd2894b94fa

Download Submit
\Users\Admin\AppData\Roaming\Nyucu\sahoe.exe

Filesize
180KB

MD5
b08174ef2ffe220c8d9ba3b772d95333

SHA1
d0b373bf989f270610ff7ac731f9021f473fe63a

SHA256
32d3f434ded45e5fa887504ebdf1bcc48a28915937e586a01c3d0482e0bac800

SHA512
7d0253ff938d9f1f3c0c383e05f92c85ede8b03b868f6365914b80098977e24d0f3521161edfa89248d8641130dbe073283902555a72f53159bfe4adc1a09651

Download Submit
memory/1124-20-0x0000000001EF0000-0x0000000001F29000-memory.dmp

Filesize
228KB

Download
memory/1124-18-0x0000000001EF0000-0x0000000001F29000-memory.dmp

Filesize
228KB

Download
memory/1124-22-0x0000000001EF0000-0x0000000001F29000-memory.dmp

Filesize
228KB

Download
memory/1124-26-0x0000000001EF0000-0x0000000001F29000-memory.dmp

Filesize
228KB

Download
memory/1124-24-0x0000000001EF0000-0x0000000001F29000-memory.dmp

Filesize
228KB

Download
memory/1172-29-0x0000000001AE0000-0x0000000001B19000-memory.dmp

Filesize
228KB

Download
memory/1172-32-0x0000000001AE0000-0x0000000001B19000-memory.dmp

Filesize
228KB

Download
memory/1172-31-0x0000000001AE0000-0x0000000001B19000-memory.dmp

Filesize
228KB

Download
memory/1172-30-0x0000000001AE0000-0x0000000001B19000-memory.dmp

Filesize
228KB

Download
memory/1208-37-0x0000000002960000-0x0000000002999000-memory.dmp

Filesize
228KB

Download
memory/1208-34-0x0000000002960000-0x0000000002999000-memory.dmp

Filesize
228KB

Download
memory/1208-35-0x0000000002960000-0x0000000002999000-memory.dmp

Filesize
228KB

Download
memory/1208-36-0x0000000002960000-0x0000000002999000-memory.dmp

Filesize
228KB

Download
memory/2244-402-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2244-525-0x0000000000B90000-0x0000000000BC9000-memory.dmp

Filesize
228KB

Download
memory/2244-472-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2244-276-0x0000000077450000-0x0000000077451000-memory.dmp

Filesize
4KB

Download
memory/2244-271-0x0000000000B90000-0x0000000000BC9000-memory.dmp

Filesize
228KB

Download
memory/2244-274-0x0000000077450000-0x0000000077451000-memory.dmp

Filesize
4KB

Download
memory/2804-74-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-40-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-41-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-42-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-43-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-44-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-47-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-49-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-51-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-53-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-57-0x0000000077450000-0x0000000077451000-memory.dmp

Filesize
4KB

Download
memory/2804-64-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-232-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-237-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-259-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-68-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-72-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-2-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2804-62-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-60-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-58-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2804-55-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2804-0-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download