3f1623b828a933cf6417c90fca8c369450eb964a3b0e5d93a9f4a50b75c869f1

Analysis

max time kernel
215s
max time network
256s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b00ba850ecccea9f9923bccd4b1ec1.exe
Size

138KB
MD5

08b00ba850ecccea9f9923bccd4b1ec1
SHA1

d70f8be3a246bf33f8cf11bf02bb7305b1030b42
SHA256

3f1623b828a933cf6417c90fca8c369450eb964a3b0e5d93a9f4a50b75c869f1
SHA512

804a73d23ec9cc916d673e67571dd946698136f7cc4dbe2122d485301d3e0935d1a8b2207055e39220ce4c6dbddbf290c41e08367b7622b27403b61c620e1d85
SSDEEP

3072:51T792yOsRDHNaS/ckLCersGf9Yk1cJI0cXdEBslP01aQFCWz:51T79LHNPpaGf8IHXdEZ1aQFX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	afid.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	08b00ba850ecccea9f9923bccd4b1ec1.exe
2672	08b00ba850ecccea9f9923bccd4b1ec1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{99A575BD-1F87-1EC8-3370-2DF0DD99165F} = "C:\\Users\\Admin\\AppData\\Roaming\\Ahso\\afid.exe"	afid.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	08b00ba850ecccea9f9923bccd4b1ec1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	08b00ba850ecccea9f9923bccd4b1ec1.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2C177455-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe
2788	afid.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe
Token: SeSecurityPrivilege	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe
Token: SeSecurityPrivilege	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe
Token: SeManageVolumePrivilege	2372	WinMail.exe
Token: SeSecurityPrivilege	1980	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2372	WinMail.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2788	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	28
PID 2672 wrote to memory of 2788	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	28
PID 2672 wrote to memory of 2788	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	28
PID 2672 wrote to memory of 2788	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	28
PID 2788 wrote to memory of 1128	2788	afid.exe	8
PID 2788 wrote to memory of 1128	2788	afid.exe	8
PID 2788 wrote to memory of 1128	2788	afid.exe	8
PID 2788 wrote to memory of 1128	2788	afid.exe	8
PID 2788 wrote to memory of 1128	2788	afid.exe	8
PID 2788 wrote to memory of 1216	2788	afid.exe	7
PID 2788 wrote to memory of 1216	2788	afid.exe	7
PID 2788 wrote to memory of 1216	2788	afid.exe	7
PID 2788 wrote to memory of 1216	2788	afid.exe	7
PID 2788 wrote to memory of 1216	2788	afid.exe	7
PID 2788 wrote to memory of 1256	2788	afid.exe	6
PID 2788 wrote to memory of 1256	2788	afid.exe	6
PID 2788 wrote to memory of 1256	2788	afid.exe	6
PID 2788 wrote to memory of 1256	2788	afid.exe	6
PID 2788 wrote to memory of 1256	2788	afid.exe	6
PID 2788 wrote to memory of 2672	2788	afid.exe	14
PID 2788 wrote to memory of 2672	2788	afid.exe	14
PID 2788 wrote to memory of 2672	2788	afid.exe	14
PID 2788 wrote to memory of 2672	2788	afid.exe	14
PID 2788 wrote to memory of 2672	2788	afid.exe	14
PID 2788 wrote to memory of 2372	2788	afid.exe	29
PID 2788 wrote to memory of 2372	2788	afid.exe	29
PID 2788 wrote to memory of 2372	2788	afid.exe	29
PID 2788 wrote to memory of 2372	2788	afid.exe	29
PID 2788 wrote to memory of 2372	2788	afid.exe	29
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2672 wrote to memory of 1980	2672	08b00ba850ecccea9f9923bccd4b1ec1.exe	30
PID 2788 wrote to memory of 2320	2788	afid.exe	31
PID 2788 wrote to memory of 2320	2788	afid.exe	31
PID 2788 wrote to memory of 2320	2788	afid.exe	31
PID 2788 wrote to memory of 2320	2788	afid.exe	31
PID 2788 wrote to memory of 2320	2788	afid.exe	31
PID 2788 wrote to memory of 2848	2788	afid.exe	32
PID 2788 wrote to memory of 2848	2788	afid.exe	32
PID 2788 wrote to memory of 2848	2788	afid.exe	32
PID 2788 wrote to memory of 2848	2788	afid.exe	32
PID 2788 wrote to memory of 2848	2788	afid.exe	32
PID 2788 wrote to memory of 2212	2788	afid.exe	33
PID 2788 wrote to memory of 2212	2788	afid.exe	33
PID 2788 wrote to memory of 2212	2788	afid.exe	33
PID 2788 wrote to memory of 2212	2788	afid.exe	33
PID 2788 wrote to memory of 2212	2788	afid.exe	33
PID 2788 wrote to memory of 2812	2788	afid.exe	34
PID 2788 wrote to memory of 2812	2788	afid.exe	34
PID 2788 wrote to memory of 2812	2788	afid.exe	34
PID 2788 wrote to memory of 2812	2788	afid.exe	34
PID 2788 wrote to memory of 2812	2788	afid.exe	34
PID 2788 wrote to memory of 1620	2788	afid.exe	35
PID 2788 wrote to memory of 1620	2788	afid.exe	35
PID 2788 wrote to memory of 1620	2788	afid.exe	35
PID 2788 wrote to memory of 1620	2788	afid.exe	35
PID 2788 wrote to memory of 1620	2788	afid.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\08b00ba850ecccea9f9923bccd4b1ec1.exe
  "C:\Users\Admin\AppData\Local\Temp\08b00ba850ecccea9f9923bccd4b1ec1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\Ahso\afid.exe
    "C:\Users\Admin\AppData\Roaming\Ahso\afid.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f7f2e5b.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1980

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2734379519411917562137382872-19743674288006063001706700938-811254384-734949846"
1⤵
PID:2320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
1.3MB

MD5
50dbcb59ad936425bda2267cba8006bc

SHA1
9a87eaba9498ba06f89aaa8ce6b47ebc922984aa

SHA256
f52cfda0b3ed981bec384844721c352e1b03bea64fb827228d5e60fa45bd9611

SHA512
58aee9058c5892430246cea2da8b14442c9709183c2f938ccacf00843e50e40ba46848466a30bffda631af73f65b8d36c12329e4157b6ebb2bd4dfe60f86af4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7f7f2e5b.bat

Filesize
243B

MD5
61e12c77ea59236cbe02dcf014d85416

SHA1
32423ea6c9fd1ef00d272a0f74d6bc1272be0c76

SHA256
5f2e7152746a43bf244e9938867b32c5a80377cb3b6c972d8d713192d0073371

SHA512
c7641224e4f1a3547742f3a7c359e1f6ba0517f53ae25fd09b778975666af7ca2409de0df18278f414398533d6c116b4d267d9b905b6485e4bc29fd022d3de62

Download Submit
C:\Users\Admin\AppData\Roaming\Kuom\diod.oku

Filesize
366B

MD5
d51a82bfbbaa3891ce86e8230c2a77e8

SHA1
0e46e30e39ff9037b8e2284f21e1a9976785e794

SHA256
05f4030c5c43f7df7d52cb5ca4ad4628499cfabbec4c144e9084e8eda2ea5f71

SHA512
66ab7c48030cb260c4be23bc09739ce7fb65f805d769f43e83c03cea5f3519cc702bd1f2b11e19d36be2eecbf2483f237484919e072c3ce7ed4e0b685dfd1b65

Download Submit
\Users\Admin\AppData\Roaming\Ahso\afid.exe

Filesize
138KB

MD5
5d6f832c8d4f530318471752d73bb239

SHA1
029c7445a2d8ec11cce15e42a4686c8d55ee576a

SHA256
fe93263fff1ad7909cdb50237436a987caaa03d3189c822ab855f1633dc809b9

SHA512
372f296cdb75cb8594460cabff72a500d0288a9dab7bbcc10375fe032a8a481fc7d9ef83c1547d2f2188acee3f4392886eda3ec203998cecd25fd9f0c6b8c4a9

Download Submit
memory/1128-10-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1128-12-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1128-14-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1128-16-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1128-18-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1216-21-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1216-24-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1216-23-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1216-22-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1256-26-0x0000000002A30000-0x0000000002A57000-memory.dmp

Filesize
156KB

Download
memory/1256-27-0x0000000002A30000-0x0000000002A57000-memory.dmp

Filesize
156KB

Download
memory/1256-29-0x0000000002A30000-0x0000000002A57000-memory.dmp

Filesize
156KB

Download
memory/1256-28-0x0000000002A30000-0x0000000002A57000-memory.dmp

Filesize
156KB

Download
memory/1980-340-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1980-275-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1980-188-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1980-209-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2672-34-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-64-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-31-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-35-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-38-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-48-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-50-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-52-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-54-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-56-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-58-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-60-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-62-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-32-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-66-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-68-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-70-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-72-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-74-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-128-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-46-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-36-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-189-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-45-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2672-42-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-43-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2672-40-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-33-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download