20a98e86ebeeacb4d79a4f3fe6fead40559b83bf5388123099365739fdd09e3b

General

Target

52e299444efeafc5b6dab83f45a2aaf9.exe
Size

148KB
MD5

52e299444efeafc5b6dab83f45a2aaf9
SHA1

1ea251945e0e8f318942a5e59b91ce9a106f8810
SHA256

20a98e86ebeeacb4d79a4f3fe6fead40559b83bf5388123099365739fdd09e3b
SHA512

a9a0b85e24e26ac2de55096bc2b24ce9df518bd2581483d0b53058c96840d6d5281facb08dacfffbd7cd44acb8894e4c292f49c3ed04ae77f0eb11debcff1084
SSDEEP

3072:5aGovdrh2RoMVmO7IzohgxR9o583dHfukXt/Ypug3Oz4hlsVFq:5aGoGRoM0OszzR9x5uRp7ezm

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2820 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1896 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

supyuse.exe

pid process

3060 supyuse.exe
Loads dropped DLL 2 IoCs

Processes:

52e299444efeafc5b6dab83f45a2aaf9.exe

pid process

2628 52e299444efeafc5b6dab83f45a2aaf9.exe
2628 52e299444efeafc5b6dab83f45a2aaf9.exe

pid	process
2820	netsh.exe

pid	process
1896	cmd.exe

pid	process
2628	52e299444efeafc5b6dab83f45a2aaf9.exe
2628	52e299444efeafc5b6dab83f45a2aaf9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

supyuse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{25E0B336-5FE6-1479-52CC-3E6CBC2A6430} = "C:\\Users\\Admin\\AppData\\Roaming\\Hieh\\supyuse.exe"	supyuse.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

52e299444efeafc5b6dab83f45a2aaf9.exe

description pid process target process

PID 2628 set thread context of 1896 2628 52e299444efeafc5b6dab83f45a2aaf9.exe cmd.exe

description	pid	process	target process
PID 2628 set thread context of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

52e299444efeafc5b6dab83f45a2aaf9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	52e299444efeafc5b6dab83f45a2aaf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	52e299444efeafc5b6dab83f45a2aaf9.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\62DA29B1-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

supyuse.exe

pid	process
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe
3060	supyuse.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

52e299444efeafc5b6dab83f45a2aaf9.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2628	52e299444efeafc5b6dab83f45a2aaf9.exe
Token: SeSecurityPrivilege	2628	52e299444efeafc5b6dab83f45a2aaf9.exe
Token: SeSecurityPrivilege	2628	52e299444efeafc5b6dab83f45a2aaf9.exe
Token: SeManageVolumePrivilege	560	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

560 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

560 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

560 WinMail.exe

pid	process
560	WinMail.exe

pid	process
560	WinMail.exe

pid	process
560	WinMail.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

52e299444efeafc5b6dab83f45a2aaf9.execmd.exesupyuse.exe

description	pid	process	target process
PID 2628 wrote to memory of 2400	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 2400	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 2400	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 2400	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 3060	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	supyuse.exe
PID 2628 wrote to memory of 3060	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	supyuse.exe
PID 2628 wrote to memory of 3060	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	supyuse.exe
PID 2628 wrote to memory of 3060	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	supyuse.exe
PID 2400 wrote to memory of 2820	2400	cmd.exe	netsh.exe
PID 2400 wrote to memory of 2820	2400	cmd.exe	netsh.exe
PID 2400 wrote to memory of 2820	2400	cmd.exe	netsh.exe
PID 2400 wrote to memory of 2820	2400	cmd.exe	netsh.exe
PID 3060 wrote to memory of 1108	3060	supyuse.exe	taskhost.exe
PID 3060 wrote to memory of 1108	3060	supyuse.exe	taskhost.exe
PID 3060 wrote to memory of 1108	3060	supyuse.exe	taskhost.exe
PID 3060 wrote to memory of 1108	3060	supyuse.exe	taskhost.exe
PID 3060 wrote to memory of 1108	3060	supyuse.exe	taskhost.exe
PID 3060 wrote to memory of 1168	3060	supyuse.exe	Dwm.exe
PID 3060 wrote to memory of 1168	3060	supyuse.exe	Dwm.exe
PID 3060 wrote to memory of 1168	3060	supyuse.exe	Dwm.exe
PID 3060 wrote to memory of 1168	3060	supyuse.exe	Dwm.exe
PID 3060 wrote to memory of 1168	3060	supyuse.exe	Dwm.exe
PID 3060 wrote to memory of 1208	3060	supyuse.exe	Explorer.EXE
PID 3060 wrote to memory of 1208	3060	supyuse.exe	Explorer.EXE
PID 3060 wrote to memory of 1208	3060	supyuse.exe	Explorer.EXE
PID 3060 wrote to memory of 1208	3060	supyuse.exe	Explorer.EXE
PID 3060 wrote to memory of 1208	3060	supyuse.exe	Explorer.EXE
PID 3060 wrote to memory of 1016	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1016	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1016	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1016	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1016	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2628	3060	supyuse.exe	52e299444efeafc5b6dab83f45a2aaf9.exe
PID 3060 wrote to memory of 2628	3060	supyuse.exe	52e299444efeafc5b6dab83f45a2aaf9.exe
PID 3060 wrote to memory of 2628	3060	supyuse.exe	52e299444efeafc5b6dab83f45a2aaf9.exe
PID 3060 wrote to memory of 2628	3060	supyuse.exe	52e299444efeafc5b6dab83f45a2aaf9.exe
PID 3060 wrote to memory of 2628	3060	supyuse.exe	52e299444efeafc5b6dab83f45a2aaf9.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	52e299444efeafc5b6dab83f45a2aaf9.exe	cmd.exe
PID 3060 wrote to memory of 1260	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1260	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1260	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1260	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 1260	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2728	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2728	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2728	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2728	3060	supyuse.exe	DllHost.exe
PID 3060 wrote to memory of 2728	3060	supyuse.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\52e299444efeafc5b6dab83f45a2aaf9.exe
"C:\Users\Admin\AppData\Local\Temp\52e299444efeafc5b6dab83f45a2aaf9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4654d8e4.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Hieh\supyuse.exe"
4⤵
- Modifies Windows Firewall
PID:2820

C:\Users\Admin\AppData\Roaming\Hieh\supyuse.exe
"C:\Users\Admin\AppData\Roaming\Hieh\supyuse.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5e61e9ee.bat"
3⤵
- Deletes itself
PID:1896

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
5965120911479fae9a42ef121256ba4c

SHA1
d13a08185b0f33a842c89ff0775a48f4fa591f59

SHA256
3592a966d328ed50c7f7e942e5e9b898e72dacdaa8bfb1f4bac3467ca14bc20c

SHA512
053db4aae70e67906595152d4b6c00b539325e61093b1489b187e94d2581924b669955b55e6b7c690071591e0d730c416bb54d25201ae7444cb301440fc83b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4654d8e4.bat
Filesize
201B

MD5
25063716d83c0d61139d47383b2f4ebe

SHA1
a9f864300433f407a4d3e868b38a9a7b96f00488

SHA256
9fddbbe6bfb98092c4322355a3463483e640dc67a3890159771af151cf1a6a8e

SHA512
d33f6daabd227cb838b9560404ad700894cb5eccfd3e83771149bc00ffc917f63b907e705334f12530a05344fdfc5687d1a11c85e76cb1a580ac422ddb20a501

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5e61e9ee.bat
Filesize
243B

MD5
30db1e121cc90fc5471b08ff5aa05b9e

SHA1
edc5f39dfbbe77620152dc7694823647a5431f72

SHA256
e155f999c8409ede69a8aad2a01a00387576dfcdd247d4248fb24a4b2cab16e3

SHA512
626022c3ae1fc65205cf3197321ae345c2d52ce52c3d307fb893888d61233f9835a77f759605652145b477a52b9539645b8e88b022c7c48cdb11bd8408731061

Download Submit
C:\Users\Admin\AppData\Roaming\Icohkec\siucis.xuy
Filesize
366B

MD5
38abfda117c8e5bca3752e13231453f6

SHA1
84641a4f5c6e62fac943e47903e2bf740905e941

SHA256
6b56668c2ba466354a22737ad98a786f01771f6d35445212fa0d138af5034258

SHA512
ddcc6be2e2414ed8717c26fde66650f120044eb73a39e732968f59edb200f3f24b183adc0cfe106723d12325d7b6c924f91d94972d7feaca45c75fd72fd9dcb3

Download Submit
\Users\Admin\AppData\Roaming\Hieh\supyuse.exe
Filesize
148KB

MD5
89d19c0394c209532fb48f29f9cbfad7

SHA1
60ff668fc1a8fc20515a3cdc2665907a1eb2853f

SHA256
59a11ea242f0153ad4d4f3478a84be0d283476742829f3930dcfc4f237e83572

SHA512
7f28740f65c4e058a6f3b8d842e23cac2362593a8ae073675ee8f2d7fb824cb741493e2ffb57dd5c933569a1e6ae64b6b6f1eacb31586fba6e838ec844e1109b

Download Submit
memory/1016-34-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1016-35-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1016-36-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1016-33-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1108-19-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-18-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-20-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-21-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-17-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1168-24-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1168-23-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1168-26-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1168-25-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1208-28-0x0000000002730000-0x0000000002757000-memory.dmp

Filesize
156KB

Download
memory/1208-29-0x0000000002730000-0x0000000002757000-memory.dmp

Filesize
156KB

Download
memory/1208-30-0x0000000002730000-0x0000000002757000-memory.dmp

Filesize
156KB

Download
memory/1208-31-0x0000000002730000-0x0000000002757000-memory.dmp

Filesize
156KB

Download
memory/1896-322-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1896-226-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1896-229-0x0000000077B00000-0x0000000077B01000-memory.dmp

Filesize
4KB

Download
memory/1896-233-0x0000000077B00000-0x0000000077B01000-memory.dmp

Filesize
4KB

Download
memory/2628-75-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-47-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2628-79-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-73-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-71-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-69-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-65-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-63-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-61-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-59-0x0000000077B00000-0x0000000077B01000-memory.dmp

Filesize
4KB

Download
memory/2628-58-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-54-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-52-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-50-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-48-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-77-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-45-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2628-41-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2628-39-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2628-81-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-138-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-67-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-56-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-225-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2628-43-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2628-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2628-1-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2628-2-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3060-231-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3060-16-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3060-14-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads