03b2d3b592c0b5e06929bda31201ed30afc310f97a1c15c3ac3597ff9ce495a5

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d092411cd6cf219f6ec04dd32952ce3.exe
Size

314KB
MD5

6d092411cd6cf219f6ec04dd32952ce3
SHA1

59494f53778ea081376ebebe572913ac8988c988
SHA256

03b2d3b592c0b5e06929bda31201ed30afc310f97a1c15c3ac3597ff9ce495a5
SHA512

c14ca855854bff89760700fd863243be8dd87002894f5dbd029f25fb127dfb7e07b45eff77e4aa8f4d0e12f2c4bbe264aa2160ff1de5e19248bdbc4eba5456ce
SSDEEP

3072:LBg8Nu8xX7OdM7GVlT0At9gMNNy9sEeR7Kw1lmGSKM4hMpCAgCCcxXbsPC35ynqq:28Nu8QiCV1mGtn2tpCnMflokFnqK6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	gely.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	6d092411cd6cf219f6ec04dd32952ce3.exe
2316	6d092411cd6cf219f6ec04dd32952ce3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Bijoxe\\gely.exe"	gely.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2884	1348	WerFault.exe	28
2112	2884	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	6d092411cd6cf219f6ec04dd32952ce3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6d092411cd6cf219f6ec04dd32952ce3.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe
2668	gely.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2316	6d092411cd6cf219f6ec04dd32952ce3.exe
2668	gely.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2668	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	31
PID 2316 wrote to memory of 2668	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	31
PID 2316 wrote to memory of 2668	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	31
PID 2316 wrote to memory of 2668	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	31
PID 2668 wrote to memory of 1128	2668	gely.exe	11
PID 2668 wrote to memory of 1128	2668	gely.exe	11
PID 2668 wrote to memory of 1128	2668	gely.exe	11
PID 2668 wrote to memory of 1128	2668	gely.exe	11
PID 2668 wrote to memory of 1128	2668	gely.exe	11
PID 2668 wrote to memory of 1236	2668	gely.exe	10
PID 2668 wrote to memory of 1236	2668	gely.exe	10
PID 2668 wrote to memory of 1236	2668	gely.exe	10
PID 2668 wrote to memory of 1236	2668	gely.exe	10
PID 2668 wrote to memory of 1236	2668	gely.exe	10
PID 2668 wrote to memory of 1276	2668	gely.exe	9
PID 2668 wrote to memory of 1276	2668	gely.exe	9
PID 2668 wrote to memory of 1276	2668	gely.exe	9
PID 2668 wrote to memory of 1276	2668	gely.exe	9
PID 2668 wrote to memory of 1276	2668	gely.exe	9
PID 2668 wrote to memory of 1948	2668	gely.exe	7
PID 2668 wrote to memory of 1948	2668	gely.exe	7
PID 2668 wrote to memory of 1948	2668	gely.exe	7
PID 2668 wrote to memory of 1948	2668	gely.exe	7
PID 2668 wrote to memory of 1948	2668	gely.exe	7
PID 2668 wrote to memory of 2316	2668	gely.exe	16
PID 2668 wrote to memory of 2316	2668	gely.exe	16
PID 2668 wrote to memory of 2316	2668	gely.exe	16
PID 2668 wrote to memory of 2316	2668	gely.exe	16
PID 2668 wrote to memory of 2316	2668	gely.exe	16
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 2316 wrote to memory of 1348	2316	6d092411cd6cf219f6ec04dd32952ce3.exe	28
PID 1348 wrote to memory of 2884	1348	cmd.exe	30
PID 1348 wrote to memory of 2884	1348	cmd.exe	30
PID 1348 wrote to memory of 2884	1348	cmd.exe	30
PID 1348 wrote to memory of 2884	1348	cmd.exe	30
PID 2668 wrote to memory of 1160	2668	gely.exe	29
PID 2668 wrote to memory of 1160	2668	gely.exe	29
PID 2668 wrote to memory of 1160	2668	gely.exe	29
PID 2668 wrote to memory of 1160	2668	gely.exe	29
PID 2668 wrote to memory of 1160	2668	gely.exe	29
PID 2668 wrote to memory of 2884	2668	gely.exe	30
PID 2668 wrote to memory of 2884	2668	gely.exe	30
PID 2668 wrote to memory of 2884	2668	gely.exe	30
PID 2668 wrote to memory of 2884	2668	gely.exe	30
PID 2668 wrote to memory of 2884	2668	gely.exe	30
PID 2884 wrote to memory of 2112	2884	WerFault.exe	32
PID 2884 wrote to memory of 2112	2884	WerFault.exe	32
PID 2884 wrote to memory of 2112	2884	WerFault.exe	32
PID 2884 wrote to memory of 2112	2884	WerFault.exe	32

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\6d092411cd6cf219f6ec04dd32952ce3.exe
  "C:\Users\Admin\AppData\Local\Temp\6d092411cd6cf219f6ec04dd32952ce3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe101c15f.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 116
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 536
        5⤵
        Program crash
        
        PID:2112
- - C:\Users\Admin\AppData\Roaming\Bijoxe\gely.exe
    "C:\Users\Admin\AppData\Roaming\Bijoxe\gely.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11423155971901795380-1960152292-406584113638267231-175957649-45403603-810707522"
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bijoxe\gely.exe

Filesize
314KB

MD5
3c41c279e4ba0e7a03929e8c01351119

SHA1
406f101d42944da14fd44ec65327cf4a02763b63

SHA256
49da4dac6548a4127155a00080d9c75c0aeb68d4f1b7709130285b5b3e164d7f

SHA512
7daf9f8ec63790f52273cf866052f1697a00a017cf10a75ed5d94205107fbed5c83e5a6f2f71e23bc8aa4334332e1a6cecf701c226928d6b84c0ec8304af0240

Download Submit
memory/1128-22-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1128-18-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1128-21-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1128-23-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1128-19-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1236-26-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-27-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-28-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-25-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1276-30-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1276-33-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1276-31-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1276-32-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1948-39-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1948-35-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1948-36-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1948-37-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/2316-81-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-77-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-63-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-58-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-56-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-54-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-52-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-51-0x0000000002300000-0x0000000002344000-memory.dmp

Filesize
272KB

Download
memory/2316-49-0x0000000002300000-0x0000000002344000-memory.dmp

Filesize
272KB

Download
memory/2316-47-0x0000000002300000-0x0000000002344000-memory.dmp

Filesize
272KB

Download
memory/2316-45-0x0000000002300000-0x0000000002344000-memory.dmp

Filesize
272KB

Download
memory/2316-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-75-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-145-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2316-71-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-62-0x0000000077C90000-0x0000000077C91000-memory.dmp

Filesize
4KB

Download
memory/2316-60-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2316-43-0x0000000002300000-0x0000000002344000-memory.dmp

Filesize
272KB

Download
memory/2316-1-0x00000000002E0000-0x0000000000332000-memory.dmp

Filesize
328KB

Download
memory/2316-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-17-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/2668-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-15-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2668-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download