d84e4899b80da7e70fd68cc898874b5a61fd51ad4f1169ef60cdd0089bddd4e1

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

489a9acbbdaac7c39af4ea99f19152e5.exe
Size

138KB
MD5

489a9acbbdaac7c39af4ea99f19152e5
SHA1

80a9479b5f1c966e625442884779a4a54b69d075
SHA256

d84e4899b80da7e70fd68cc898874b5a61fd51ad4f1169ef60cdd0089bddd4e1
SHA512

b407256f6623e44fab329f2f2e6a767663666d7400a3adbbaa925263a93c54343ca1134ac0258fad5cb7e895b2df6bb9362cf73a06b96478413a57287066b341
SSDEEP

3072:V9kx7xWEd5JPjgfPUH0/UVTgSDZ5TCQ3lH9P6bef:V9kx7MEd7g0H0/UZgSd5TBVH9Sbe

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1108	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	arup.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	489a9acbbdaac7c39af4ea99f19152e5.exe
2448	489a9acbbdaac7c39af4ea99f19152e5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8FFFFFEA-EEF6-C009-2BD1-235A622C59AD} = "C:\\Users\\Admin\\AppData\\Roaming\\Mifoi\\arup.exe"	arup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy	489a9acbbdaac7c39af4ea99f19152e5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	489a9acbbdaac7c39af4ea99f19152e5.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0C3E50AD-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe
2704	arup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2448	489a9acbbdaac7c39af4ea99f19152e5.exe
Token: SeSecurityPrivilege	2448	489a9acbbdaac7c39af4ea99f19152e5.exe
Token: SeSecurityPrivilege	2448	489a9acbbdaac7c39af4ea99f19152e5.exe
Token: SeManageVolumePrivilege	1720	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1720	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1720	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1980	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	28
PID 2448 wrote to memory of 1980	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	28
PID 2448 wrote to memory of 1980	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	28
PID 2448 wrote to memory of 1980	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	28
PID 1980 wrote to memory of 2748	1980	net.exe	30
PID 1980 wrote to memory of 2748	1980	net.exe	30
PID 1980 wrote to memory of 2748	1980	net.exe	30
PID 1980 wrote to memory of 2748	1980	net.exe	30
PID 2448 wrote to memory of 2764	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	31
PID 2448 wrote to memory of 2764	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	31
PID 2448 wrote to memory of 2764	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	31
PID 2448 wrote to memory of 2764	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	31
PID 2764 wrote to memory of 2940	2764	net.exe	33
PID 2764 wrote to memory of 2940	2764	net.exe	33
PID 2764 wrote to memory of 2940	2764	net.exe	33
PID 2764 wrote to memory of 2940	2764	net.exe	33
PID 2448 wrote to memory of 2704	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	34
PID 2448 wrote to memory of 2704	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	34
PID 2448 wrote to memory of 2704	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	34
PID 2448 wrote to memory of 2704	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	34
PID 2704 wrote to memory of 2904	2704	arup.exe	35
PID 2704 wrote to memory of 2904	2704	arup.exe	35
PID 2704 wrote to memory of 2904	2704	arup.exe	35
PID 2704 wrote to memory of 2904	2704	arup.exe	35
PID 2904 wrote to memory of 2572	2904	net.exe	37
PID 2904 wrote to memory of 2572	2904	net.exe	37
PID 2904 wrote to memory of 2572	2904	net.exe	37
PID 2904 wrote to memory of 2572	2904	net.exe	37
PID 2704 wrote to memory of 2712	2704	arup.exe	38
PID 2704 wrote to memory of 2712	2704	arup.exe	38
PID 2704 wrote to memory of 2712	2704	arup.exe	38
PID 2704 wrote to memory of 2712	2704	arup.exe	38
PID 2704 wrote to memory of 1140	2704	arup.exe	12
PID 2704 wrote to memory of 1140	2704	arup.exe	12
PID 2704 wrote to memory of 1140	2704	arup.exe	12
PID 2712 wrote to memory of 2600	2712	net.exe	40
PID 2712 wrote to memory of 2600	2712	net.exe	40
PID 2712 wrote to memory of 2600	2712	net.exe	40
PID 2712 wrote to memory of 2600	2712	net.exe	40
PID 2704 wrote to memory of 1140	2704	arup.exe	12
PID 2704 wrote to memory of 1140	2704	arup.exe	12
PID 2704 wrote to memory of 1220	2704	arup.exe	19
PID 2704 wrote to memory of 1220	2704	arup.exe	19
PID 2704 wrote to memory of 1220	2704	arup.exe	19
PID 2704 wrote to memory of 1220	2704	arup.exe	19
PID 2704 wrote to memory of 1220	2704	arup.exe	19
PID 2704 wrote to memory of 1260	2704	arup.exe	18
PID 2704 wrote to memory of 1260	2704	arup.exe	18
PID 2704 wrote to memory of 1260	2704	arup.exe	18
PID 2704 wrote to memory of 1260	2704	arup.exe	18
PID 2704 wrote to memory of 1260	2704	arup.exe	18
PID 2704 wrote to memory of 2448	2704	arup.exe	27
PID 2704 wrote to memory of 2448	2704	arup.exe	27
PID 2704 wrote to memory of 2448	2704	arup.exe	27
PID 2704 wrote to memory of 2448	2704	arup.exe	27
PID 2704 wrote to memory of 2448	2704	arup.exe	27
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42
PID 2448 wrote to memory of 1108	2448	489a9acbbdaac7c39af4ea99f19152e5.exe	42

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\489a9acbbdaac7c39af4ea99f19152e5.exe
  "C:\Users\Admin\AppData\Local\Temp\489a9acbbdaac7c39af4ea99f19152e5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2940
- - C:\Users\Admin\AppData\Roaming\Mifoi\arup.exe
    "C:\Users\Admin\AppData\Roaming\Mifoi\arup.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        
        PID:2572
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        
        PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp330883d4.bat"
    3⤵
    - Deletes itself
    PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
188a07a8be3eaaf181e5a52841592770

SHA1
828788f0f5f5b85d62496f4691990c08496f35e8

SHA256
d46b2f37ca407d1891dbdbd446095245208b16ea5d540dd791e55863fc9373e3

SHA512
33309b736860e743f7e086e6bbefc3d4709fd1add8fbbd032066e9e6237113738efc5a9d6edb438c1b6c4abf436d6aac5e2e53badd658b1dd593f9af340f06ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp330883d4.bat

Filesize
243B

MD5
77d25cb7f8021f3b7f8112c5f0b41366

SHA1
0a6855f9f7dce0954b586ee227620512c9c52332

SHA256
d62fc66912bc1c684760d5d134704fb1b7bcf1e078be75c9a5ce4dbd521acad4

SHA512
a4d3661a7712c8601e8c355835956b8901c5d344d85544a44d8baea7a15a445bd6213e1eaa2399f6f57f3ff420fe1e569f7a59fb4ba789ced0fd35aa91366877

Download Submit
C:\Users\Admin\AppData\Roaming\Mini\reuwa.sip

Filesize
366B

MD5
10e87b42065a28df0ab43f52c79682ad

SHA1
b0ba0ce0bdd148a2d38004afa99f4cb398ab17d1

SHA256
0e799d7a9d282a5e2c80f1ed10552f97f3bd6f1351239456d37382be47187f86

SHA512
3ddbfa0513b0a5510bfe34da11325be8c296e40158ecc078c3859c847beff55c4241e35b4b8344c63898b53aed701f75446ca80ce062908cbcf487107de04b78

Download Submit
\Users\Admin\AppData\Roaming\Mifoi\arup.exe

Filesize
138KB

MD5
0b2387aa7e14229424ec5bd8273ead90

SHA1
0e6349645fe2080d6ef99a87dc95c8aa7b55c6b6

SHA256
dcb92321395bbe86fe0639d83b7a304e5d584beb77ae7466cd1ec142bff4c25f

SHA512
8046e6c661471441ea971bc37bbdc86e1ab1daf9a920da3d0eb367e32b1e9167c13953684c16846a12bc27afff4ee8ec0066a3c947aa801ed857e87f8cd484d7

Download Submit
memory/1108-327-0x0000000000050000-0x0000000000078000-memory.dmp

Filesize
160KB

Download
memory/1108-326-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1108-252-0x0000000077960000-0x0000000077961000-memory.dmp

Filesize
4KB

Download
memory/1108-230-0x0000000000050000-0x0000000000078000-memory.dmp

Filesize
160KB

Download
memory/1140-27-0x0000000001AD0000-0x0000000001AF8000-memory.dmp

Filesize
160KB

Download
memory/1140-24-0x0000000001AD0000-0x0000000001AF8000-memory.dmp

Filesize
160KB

Download
memory/1140-26-0x0000000001AD0000-0x0000000001AF8000-memory.dmp

Filesize
160KB

Download
memory/1140-25-0x0000000001AD0000-0x0000000001AF8000-memory.dmp

Filesize
160KB

Download
memory/1140-28-0x0000000001AD0000-0x0000000001AF8000-memory.dmp

Filesize
160KB

Download
memory/1220-30-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1220-31-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1220-32-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1220-33-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1260-37-0x0000000002B00000-0x0000000002B28000-memory.dmp

Filesize
160KB

Download
memory/1260-38-0x0000000002B00000-0x0000000002B28000-memory.dmp

Filesize
160KB

Download
memory/1260-36-0x0000000002B00000-0x0000000002B28000-memory.dmp

Filesize
160KB

Download
memory/1260-35-0x0000000002B00000-0x0000000002B28000-memory.dmp

Filesize
160KB

Download
memory/2448-51-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2448-74-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-41-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-43-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-42-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-44-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-45-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-47-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-49-0x0000000077960000-0x0000000077961000-memory.dmp

Filesize
4KB

Download
memory/2448-46-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-50-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-53-0x0000000077960000-0x0000000077961000-memory.dmp

Filesize
4KB

Download
memory/2448-64-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-62-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-60-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-58-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-56-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-54-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-66-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-70-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-68-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-72-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-76-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-78-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-80-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-88-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-86-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-84-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-82-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-90-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-140-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2448-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-229-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2448-3-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2448-4-0x0000000000222000-0x0000000000223000-memory.dmp

Filesize
4KB

Download
memory/2704-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-21-0x0000000000232000-0x0000000000233000-memory.dmp

Filesize
4KB

Download
memory/2704-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-251-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2704-20-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2704-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download