46c41097a12828dfaf4b0f55e61417f76ab8824cfe9502fcfdba7265aa83e04a

Analysis

max time kernel
151s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f2e6714b75856c79cd760cce8b0e172.exe
Size

993KB
MD5

4f2e6714b75856c79cd760cce8b0e172
SHA1

8032929bd9a6cc47d37db6165a2e6874bcaa7ed6
SHA256

46c41097a12828dfaf4b0f55e61417f76ab8824cfe9502fcfdba7265aa83e04a
SHA512

7a583ee2ac3ae2437462bece93367a6c40cacd2072d5945735e720dd9f1b4c12dd84859485d699bc0a97e1a7a99120da807f1e4612de82b99527787d1b7ae906
SSDEEP

6144:ce5/c2FEDPWGc6/tSVsdwknSai1nF6L9rtSzJeL/Mo7IFD9CDgQdHhQQA1lIrv+G:SUTct

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
476	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	umim.exe
308	umim.exe

Loads dropped DLL 2 IoCs

pid	Process
1136	4f2e6714b75856c79cd760cce8b0e172.exe
1136	4f2e6714b75856c79cd760cce8b0e172.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziirer = "C:\\Users\\Admin\\AppData\\Roaming\\Osfy\\umim.exe"	umim.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2544 set thread context of 308	2544	umim.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1156	1136	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe
308	umim.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1136	4f2e6714b75856c79cd760cce8b0e172.exe
Token: SeSecurityPrivilege	1136	4f2e6714b75856c79cd760cce8b0e172.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	4f2e6714b75856c79cd760cce8b0e172.exe
2544	umim.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 2200 wrote to memory of 1136	2200	4f2e6714b75856c79cd760cce8b0e172.exe	28
PID 1136 wrote to memory of 2544	1136	4f2e6714b75856c79cd760cce8b0e172.exe	29
PID 1136 wrote to memory of 2544	1136	4f2e6714b75856c79cd760cce8b0e172.exe	29
PID 1136 wrote to memory of 2544	1136	4f2e6714b75856c79cd760cce8b0e172.exe	29
PID 1136 wrote to memory of 2544	1136	4f2e6714b75856c79cd760cce8b0e172.exe	29
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 2544 wrote to memory of 308	2544	umim.exe	30
PID 308 wrote to memory of 1164	308	umim.exe	13
PID 308 wrote to memory of 1164	308	umim.exe	13
PID 308 wrote to memory of 1164	308	umim.exe	13
PID 308 wrote to memory of 1164	308	umim.exe	13
PID 308 wrote to memory of 1164	308	umim.exe	13
PID 308 wrote to memory of 1272	308	umim.exe	14
PID 308 wrote to memory of 1272	308	umim.exe	14
PID 308 wrote to memory of 1272	308	umim.exe	14
PID 308 wrote to memory of 1272	308	umim.exe	14
PID 308 wrote to memory of 1272	308	umim.exe	14
PID 308 wrote to memory of 1344	308	umim.exe	24
PID 308 wrote to memory of 1344	308	umim.exe	24
PID 308 wrote to memory of 1344	308	umim.exe	24
PID 308 wrote to memory of 1344	308	umim.exe	24
PID 308 wrote to memory of 1344	308	umim.exe	24
PID 308 wrote to memory of 1136	308	umim.exe	28
PID 308 wrote to memory of 1136	308	umim.exe	28
PID 308 wrote to memory of 1136	308	umim.exe	28
PID 308 wrote to memory of 1136	308	umim.exe	28
PID 308 wrote to memory of 1136	308	umim.exe	28
PID 1136 wrote to memory of 476	1136	4f2e6714b75856c79cd760cce8b0e172.exe	31
PID 1136 wrote to memory of 476	1136	4f2e6714b75856c79cd760cce8b0e172.exe	31
PID 1136 wrote to memory of 476	1136	4f2e6714b75856c79cd760cce8b0e172.exe	31
PID 1136 wrote to memory of 476	1136	4f2e6714b75856c79cd760cce8b0e172.exe	31
PID 308 wrote to memory of 476	308	umim.exe	31
PID 308 wrote to memory of 476	308	umim.exe	31
PID 308 wrote to memory of 476	308	umim.exe	31
PID 308 wrote to memory of 476	308	umim.exe	31
PID 308 wrote to memory of 476	308	umim.exe	31
PID 308 wrote to memory of 1156	308	umim.exe	32
PID 308 wrote to memory of 1156	308	umim.exe	32
PID 308 wrote to memory of 1156	308	umim.exe	32
PID 308 wrote to memory of 1156	308	umim.exe	32
PID 308 wrote to memory of 1156	308	umim.exe	32
PID 308 wrote to memory of 1180	308	umim.exe	34
PID 308 wrote to memory of 1180	308	umim.exe	34
PID 308 wrote to memory of 1180	308	umim.exe	34
PID 308 wrote to memory of 1180	308	umim.exe	34
PID 308 wrote to memory of 1180	308	umim.exe	34
PID 308 wrote to memory of 1280	308	umim.exe	35
PID 308 wrote to memory of 1280	308	umim.exe	35
PID 308 wrote to memory of 1280	308	umim.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1164

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\4f2e6714b75856c79cd760cce8b0e172.exe
  "C:\Users\Admin\AppData\Local\Temp\4f2e6714b75856c79cd760cce8b0e172.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\4f2e6714b75856c79cd760cce8b0e172.exe
    "C:\Users\Admin\AppData\Local\Temp\4f2e6714b75856c79cd760cce8b0e172.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Roaming\Osfy\umim.exe
      "C:\Users\Admin\AppData\Roaming\Osfy\umim.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Users\Admin\AppData\Roaming\Osfy\umim.exe
        
        "C:\Users\Admin\AppData\Roaming\Osfy\umim.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2ef2dd71.bat"
      4⤵
      Deletes itself
      Modifies Internet Explorer settings
      PID:476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 392
      4⤵
      Program crash
      PID:1156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2ef2dd71.bat

Filesize
243B

MD5
e8d3c3a137dd0df858f0e52cf0e3b511

SHA1
ae2911b16f31cc58f43658490125a72d4f8b29ee

SHA256
0d43145d2a37afaf41e223adf2961dfdb109151ad67a3ed9adc80f71fa10d192

SHA512
3391971c708125d7a2b20217b56f8ff01d978e961a5c3245ed86026254eddedb2eb366540cd84bb1b75ecdf9f5614e7daa2ff94b6253b402f7c5f45ad53fc76d

Download Submit
\Users\Admin\AppData\Roaming\Osfy\umim.exe

Filesize
993KB

MD5
f14105c5563a2f2fb9f5b2b26e172d8f

SHA1
4c20a5fe2b4ddee474d7ad22e909106f84e5e01f

SHA256
a2ce8f44375ee170d26ad034ce8ac29ea60ca7ad550a049db9a3aee0ae8b27ba

SHA512
ab4794b6c8827e2520335db59230cc242b3a17c31c61e6fd0420eabe35f81eba07ab3d3277c2f5aa86dc04a277ce18cf00e857d0f8a59b8fa74c2fe41b9b17a3

Download Submit
memory/308-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/308-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/308-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/476-186-0x00000000000F0000-0x0000000000129000-memory.dmp

Filesize
228KB

Download
memory/476-184-0x0000000077BA0000-0x0000000077BA1000-memory.dmp

Filesize
4KB

Download
memory/476-183-0x00000000000F0000-0x0000000000129000-memory.dmp

Filesize
228KB

Download
memory/1136-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-61-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1136-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-53-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1136-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-149-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1164-146-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1164-148-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1164-147-0x0000000001B50000-0x0000000001B89000-memory.dmp

Filesize
228KB

Download
memory/1272-154-0x0000000000150000-0x0000000000189000-memory.dmp

Filesize
228KB

Download
memory/1272-153-0x0000000000150000-0x0000000000189000-memory.dmp

Filesize
228KB

Download
memory/1272-151-0x0000000000150000-0x0000000000189000-memory.dmp

Filesize
228KB

Download
memory/1272-152-0x0000000000150000-0x0000000000189000-memory.dmp

Filesize
228KB

Download
memory/2200-0-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2200-37-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download