e07a07f6bdb162d5047a14d78e45e5489222102da72052f8e73070ab0d3ee497

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16fcb722a88d4c32e149a4420cfd353d.exe
Size

293KB
MD5

16fcb722a88d4c32e149a4420cfd353d
SHA1

2fef8dcb6f23b0a0b680bccc2a546edacd072024
SHA256

e07a07f6bdb162d5047a14d78e45e5489222102da72052f8e73070ab0d3ee497
SHA512

81657ccdeb787ac9ca1f89a5506115f7e8aafee273619e34496158b5d2af5ca0558781803475c6d9d0ecd5c1feb9c7621b127d8ce280c971365874d3f2329607
SSDEEP

6144:+PdMcMANEVzGlcEDUl4qaRYVQfJTGbusJRhgnGXcjD7Xm2BeddhMHLHa0:SNEh8cSLqdEsisDhgnGQBBedDMrHL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ysis.exe

pid process

1468 ysis.exe
Loads dropped DLL 2 IoCs

Processes:

16fcb722a88d4c32e149a4420cfd353d.exe

pid process

1636 16fcb722a88d4c32e149a4420cfd353d.exe
1636 16fcb722a88d4c32e149a4420cfd353d.exe

pid	process
1636	16fcb722a88d4c32e149a4420cfd353d.exe
1636	16fcb722a88d4c32e149a4420cfd353d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AAF68148-CEF2-AD4E-650F-46A5505365B8} = "C:\\Users\\Admin\\AppData\\Roaming\\Izime\\ysis.exe"	ysis.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

16fcb722a88d4c32e149a4420cfd353d.exe

description pid process target process

PID 1636 set thread context of 320 1636 16fcb722a88d4c32e149a4420cfd353d.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

524 320 WerFault.exe cmd.exe

description	pid	process	target process
PID 1636 set thread context of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe

pid	pid_target	process	target process
524	320	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

16fcb722a88d4c32e149a4420cfd353d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Privacy	16fcb722a88d4c32e149a4420cfd353d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	16fcb722a88d4c32e149a4420cfd353d.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ysis.exe

pid	process
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe
1468	ysis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

16fcb722a88d4c32e149a4420cfd353d.exe

description	pid	process
Token: SeSecurityPrivilege	1636	16fcb722a88d4c32e149a4420cfd353d.exe
Token: SeSecurityPrivilege	1636	16fcb722a88d4c32e149a4420cfd353d.exe
Token: SeSecurityPrivilege	1636	16fcb722a88d4c32e149a4420cfd353d.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

16fcb722a88d4c32e149a4420cfd353d.exeysis.exe

pid process

1636 16fcb722a88d4c32e149a4420cfd353d.exe
1468 ysis.exe

pid	process
1636	16fcb722a88d4c32e149a4420cfd353d.exe
1468	ysis.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

16fcb722a88d4c32e149a4420cfd353d.exeysis.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 1468	1636	16fcb722a88d4c32e149a4420cfd353d.exe	ysis.exe
PID 1636 wrote to memory of 1468	1636	16fcb722a88d4c32e149a4420cfd353d.exe	ysis.exe
PID 1636 wrote to memory of 1468	1636	16fcb722a88d4c32e149a4420cfd353d.exe	ysis.exe
PID 1636 wrote to memory of 1468	1636	16fcb722a88d4c32e149a4420cfd353d.exe	ysis.exe
PID 1468 wrote to memory of 1212	1468	ysis.exe	taskhost.exe
PID 1468 wrote to memory of 1212	1468	ysis.exe	taskhost.exe
PID 1468 wrote to memory of 1212	1468	ysis.exe	taskhost.exe
PID 1468 wrote to memory of 1212	1468	ysis.exe	taskhost.exe
PID 1468 wrote to memory of 1212	1468	ysis.exe	taskhost.exe
PID 1468 wrote to memory of 1296	1468	ysis.exe	Dwm.exe
PID 1468 wrote to memory of 1296	1468	ysis.exe	Dwm.exe
PID 1468 wrote to memory of 1296	1468	ysis.exe	Dwm.exe
PID 1468 wrote to memory of 1296	1468	ysis.exe	Dwm.exe
PID 1468 wrote to memory of 1296	1468	ysis.exe	Dwm.exe
PID 1468 wrote to memory of 1360	1468	ysis.exe	Explorer.EXE
PID 1468 wrote to memory of 1360	1468	ysis.exe	Explorer.EXE
PID 1468 wrote to memory of 1360	1468	ysis.exe	Explorer.EXE
PID 1468 wrote to memory of 1360	1468	ysis.exe	Explorer.EXE
PID 1468 wrote to memory of 1360	1468	ysis.exe	Explorer.EXE
PID 1468 wrote to memory of 2180	1468	ysis.exe	DllHost.exe
PID 1468 wrote to memory of 2180	1468	ysis.exe	DllHost.exe
PID 1468 wrote to memory of 2180	1468	ysis.exe	DllHost.exe
PID 1468 wrote to memory of 2180	1468	ysis.exe	DllHost.exe
PID 1468 wrote to memory of 2180	1468	ysis.exe	DllHost.exe
PID 1468 wrote to memory of 1636	1468	ysis.exe	16fcb722a88d4c32e149a4420cfd353d.exe
PID 1468 wrote to memory of 1636	1468	ysis.exe	16fcb722a88d4c32e149a4420cfd353d.exe
PID 1468 wrote to memory of 1636	1468	ysis.exe	16fcb722a88d4c32e149a4420cfd353d.exe
PID 1468 wrote to memory of 1636	1468	ysis.exe	16fcb722a88d4c32e149a4420cfd353d.exe
PID 1468 wrote to memory of 1636	1468	ysis.exe	16fcb722a88d4c32e149a4420cfd353d.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 1636 wrote to memory of 320	1636	16fcb722a88d4c32e149a4420cfd353d.exe	cmd.exe
PID 320 wrote to memory of 524	320	cmd.exe	WerFault.exe
PID 320 wrote to memory of 524	320	cmd.exe	WerFault.exe
PID 320 wrote to memory of 524	320	cmd.exe	WerFault.exe
PID 320 wrote to memory of 524	320	cmd.exe	WerFault.exe
PID 1468 wrote to memory of 2920	1468	ysis.exe	conhost.exe
PID 1468 wrote to memory of 2920	1468	ysis.exe	conhost.exe
PID 1468 wrote to memory of 2920	1468	ysis.exe	conhost.exe
PID 1468 wrote to memory of 2920	1468	ysis.exe	conhost.exe
PID 1468 wrote to memory of 2920	1468	ysis.exe	conhost.exe
PID 1468 wrote to memory of 524	1468	ysis.exe	WerFault.exe
PID 1468 wrote to memory of 524	1468	ysis.exe	WerFault.exe
PID 1468 wrote to memory of 524	1468	ysis.exe	WerFault.exe
PID 1468 wrote to memory of 524	1468	ysis.exe	WerFault.exe
PID 1468 wrote to memory of 524	1468	ysis.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\16fcb722a88d4c32e149a4420cfd353d.exe
"C:\Users\Admin\AppData\Local\Temp\16fcb722a88d4c32e149a4420cfd353d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Izime\ysis.exe
"C:\Users\Admin\AppData\Roaming\Izime\ysis.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp58b3567a.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 116
4⤵
- Program crash
PID:524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1824720653574324679994033265-1175774997157579106-1341043369-1082008764-1777650345"
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Izime\ysis.exe

Filesize
246KB

MD5
600ba90c0d6aed457649f30dd38faed3

SHA1
f0b64a432211ce4e2a6a06e89fea861e3d698858

SHA256
38b13b086edfce6b782536fcafddaf9e62dc4e90c4d7143307d532c48e388974

SHA512
8531379222f89934617a9bc8afdc49bacd738813fad23f49c901768d70b30eeac36ba97bfa874c217a0b56ba94e38f80f0d07a98e75d24b0d9fa7b9c144f2630

Download Submit
C:\Users\Admin\AppData\Roaming\Izime\ysis.exe

Filesize
291KB

MD5
d0308bdddd84cd9dddad10f782484532

SHA1
f2ba0b3eb0e5f407c0c3bc2d4e97b50d485c4243

SHA256
4221d6379b0917c6d2be9b265b1bab67de5f1b0fe9e4753445e0a3dbb6894f8f

SHA512
2716f765a63f17153b6f4cc81b4271d4e98f2b0c21f21d99f80a92934944f561372d51956e9510a80ed57c077c26870843426ac93f3ed9380653280c7031995b

Download Submit
C:\Users\Admin\AppData\Roaming\Qosi\ukcov.ogx

Filesize
366B

MD5
8e1fa67c8b4f461eaff34d5cb7b5c259

SHA1
65421d6533b0c4d47b1f0db56d11640c95b60bd4

SHA256
1d05b0a9db48df99c6b385b041d1ed505b74c31d3e8a7d76faa9ac743f0c54c4

SHA512
728c688359d085b9ad617691dd77ba7e03bd657bc43671665a199c4ad606cf9acf5d02a1579ae39063b987e38f968315ae65f0f4003522512fdd18e365761880

Download Submit
\Users\Admin\AppData\Roaming\Izime\ysis.exe

Filesize
293KB

MD5
85849565408294d60651ee45f2eaf1dc

SHA1
d993dd2bd2295d44f4447cce2deec14a607a85f4

SHA256
f10d8dc84e895c2e6a3327f2ea30319618045d3ce80e6268b5215979941e037e

SHA512
cc7fcedccc6671624f5014245d8f84d29f82e510db1f048c38e71a7fb67cc882d58f478bb7f1468d2d26de16d137eab1e2d79b65b7c5496b672aacbefa91ad1b

Download Submit
memory/524-283-0x00000000009E0000-0x0000000000A21000-memory.dmp

Filesize
260KB

Download
memory/524-279-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/524-278-0x0000000077C60000-0x0000000077C61000-memory.dmp

Filesize
4KB

Download
memory/524-183-0x00000000009E0000-0x0000000000A21000-memory.dmp

Filesize
260KB

Download
memory/1212-23-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1212-18-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1212-20-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1212-22-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1212-21-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1296-27-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1296-28-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1296-25-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1296-26-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1360-33-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1360-30-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1360-31-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1360-32-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1468-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-15-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1468-17-0x0000000000300000-0x000000000034B000-memory.dmp

Filesize
300KB

Download
memory/1636-43-0x0000000002260000-0x00000000022A1000-memory.dmp

Filesize
260KB

Download
memory/1636-50-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-73-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-71-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-142-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-69-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-67-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-77-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-61-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-59-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-57-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-56-0x0000000077C60000-0x0000000077C61000-memory.dmp

Filesize
4KB

Download
memory/1636-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-166-0x0000000001B80000-0x0000000001BC1000-memory.dmp

Filesize
260KB

Download
memory/1636-165-0x0000000001BD0000-0x0000000001C1B000-memory.dmp

Filesize
300KB

Download
memory/1636-52-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-75-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-49-0x0000000002260000-0x00000000022A1000-memory.dmp

Filesize
260KB

Download
memory/1636-0-0x0000000001B80000-0x0000000001BC1000-memory.dmp

Filesize
260KB

Download
memory/1636-1-0x0000000001BD0000-0x0000000001C1B000-memory.dmp

Filesize
300KB

Download
memory/1636-79-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-81-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-65-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-54-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1636-47-0x0000000002260000-0x00000000022A1000-memory.dmp

Filesize
260KB

Download
memory/1636-45-0x0000000002260000-0x00000000022A1000-memory.dmp

Filesize
260KB

Download
memory/1636-41-0x0000000002260000-0x00000000022A1000-memory.dmp

Filesize
260KB

Download
memory/1636-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-35-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/2180-38-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/2180-37-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/2180-36-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download