8f7313789ce1289f3155ee4e46b2d1760f8097f31ec05d4fbe2b185766fd9d5d

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4872fcca2f34673e20e8969d6897fb26.exe
Size

217KB
MD5

4872fcca2f34673e20e8969d6897fb26
SHA1

61f4903edc1f6366f993d6e6f4b64f4bb4855180
SHA256

8f7313789ce1289f3155ee4e46b2d1760f8097f31ec05d4fbe2b185766fd9d5d
SHA512

f77b44d20be14403e60559613148876512b5153b98ee7692348215a161f0ca41e98cf18c7aa628101eabfe653b05045491f693e6366accc4e0ed5b4c5526670d
SSDEEP

6144:NAJzqnhxwEa0JyJsx2bLPI0ADVoACLgk:SxWoEawyJHLALEg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	Awezya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Awezya.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Awezya.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	4872fcca2f34673e20e8969d6897fb26.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	4872fcca2f34673e20e8969d6897fb26.exe
File created	C:\Windows\Awezya.exe	4872fcca2f34673e20e8969d6897fb26.exe
File opened for modification	C:\Windows\Awezya.exe	4872fcca2f34673e20e8969d6897fb26.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	Awezya.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\International	Awezya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe
2764	Awezya.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28
PID 2432 wrote to memory of 2764	2432	4872fcca2f34673e20e8969d6897fb26.exe	28

C:\Users\Admin\AppData\Local\Temp\4872fcca2f34673e20e8969d6897fb26.exe
"C:\Users\Admin\AppData\Local\Temp\4872fcca2f34673e20e8969d6897fb26.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Awezya.exe
  C:\Windows\Awezya.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Awezya.exe

Filesize
217KB

MD5
4872fcca2f34673e20e8969d6897fb26

SHA1
61f4903edc1f6366f993d6e6f4b64f4bb4855180

SHA256
8f7313789ce1289f3155ee4e46b2d1760f8097f31ec05d4fbe2b185766fd9d5d

SHA512
f77b44d20be14403e60559613148876512b5153b98ee7692348215a161f0ca41e98cf18c7aa628101eabfe653b05045491f693e6366accc4e0ed5b4c5526670d

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
ac722efab6cf575d28328b4b8f5be85d

SHA1
91258e8e1068a54ea4dac6083122c1576b194e6d

SHA256
2785540f0dc8b6c3ae8acea9b56db64b1b50f45f0dbb0997423b2de9a7717be4

SHA512
3a3e50bc2aa2c05d2f9ffb64f3c1786850af03a1ccd36ece1623f1dfbe4bb8528fc943edae1f76b25daf7e1d4ad191ec52e1dbf90d0786124f198000551d8592

Download Submit
memory/2432-4564-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-0-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2432-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-12318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-17971-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-17973-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-31871-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-44502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-45494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-45495-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-45496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-45498-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-45499-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download