e08b93e5e31665dfdfb0f51386c0b4dc21d6a87bf732e0076ff66e0693170869

Analysis

max time kernel
7s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57567da333edefd06dc068c8852ea22d.exe
Size

188KB
MD5

57567da333edefd06dc068c8852ea22d
SHA1

ab61bd29f548e5f529a22685a62325c983df4feb
SHA256

e08b93e5e31665dfdfb0f51386c0b4dc21d6a87bf732e0076ff66e0693170869
SHA512

5e335d60778ff73d2864e8ee22de22851db4f9baafe7566911607e19c5641f5643543ae660f5fcbfaae5a63ebc405d3197e633dfef694a5e996fbbf1ceb97d6f
SSDEEP

3072:JlwE1v6dyY3R+/MOS0XM8DxYmLmwFg+0LK5vAYVUQKMnoZmOpC64UjAFDldu4S6r:7wtTk/HbKwFg+/5vDUcUX/sFx4h6HUpU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2348	saazm.exe

Loads dropped DLL 2 IoCs

pid	Process
1428	57567da333edefd06dc068c8852ea22d.exe
1428	57567da333edefd06dc068c8852ea22d.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1428-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/files/0x000b00000001508a-14.dat	upx
behavioral1/files/0x000b00000001508a-7.dat	upx
behavioral1/files/0x000b00000001508a-5.dat	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy	57567da333edefd06dc068c8852ea22d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	57567da333edefd06dc068c8852ea22d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2348	saazm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1428	57567da333edefd06dc068c8852ea22d.exe
Token: SeSecurityPrivilege	1428	57567da333edefd06dc068c8852ea22d.exe
Token: SeSecurityPrivilege	1428	57567da333edefd06dc068c8852ea22d.exe
Token: SeManageVolumePrivilege	1232	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1232	WinMail.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2348	1428	57567da333edefd06dc068c8852ea22d.exe	29
PID 1428 wrote to memory of 2348	1428	57567da333edefd06dc068c8852ea22d.exe	29
PID 1428 wrote to memory of 2348	1428	57567da333edefd06dc068c8852ea22d.exe	29
PID 1428 wrote to memory of 2348	1428	57567da333edefd06dc068c8852ea22d.exe	29
PID 2348 wrote to memory of 1096	2348	saazm.exe	18
PID 2348 wrote to memory of 1096	2348	saazm.exe	18
PID 2348 wrote to memory of 1096	2348	saazm.exe	18
PID 2348 wrote to memory of 1096	2348	saazm.exe	18
PID 2348 wrote to memory of 1096	2348	saazm.exe	18
PID 2348 wrote to memory of 1160	2348	saazm.exe	10
PID 2348 wrote to memory of 1160	2348	saazm.exe	10
PID 2348 wrote to memory of 1160	2348	saazm.exe	10
PID 2348 wrote to memory of 1160	2348	saazm.exe	10
PID 2348 wrote to memory of 1160	2348	saazm.exe	10
PID 2348 wrote to memory of 1184	2348	saazm.exe	17
PID 2348 wrote to memory of 1184	2348	saazm.exe	17
PID 2348 wrote to memory of 1184	2348	saazm.exe	17
PID 2348 wrote to memory of 1184	2348	saazm.exe	17
PID 2348 wrote to memory of 1184	2348	saazm.exe	17
PID 2348 wrote to memory of 2196	2348	saazm.exe	15
PID 2348 wrote to memory of 2196	2348	saazm.exe	15
PID 2348 wrote to memory of 2196	2348	saazm.exe	15
PID 2348 wrote to memory of 2196	2348	saazm.exe	15
PID 2348 wrote to memory of 2196	2348	saazm.exe	15
PID 2348 wrote to memory of 1428	2348	saazm.exe	14
PID 2348 wrote to memory of 1428	2348	saazm.exe	14
PID 2348 wrote to memory of 1428	2348	saazm.exe	14
PID 2348 wrote to memory of 1428	2348	saazm.exe	14
PID 2348 wrote to memory of 1428	2348	saazm.exe	14

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\57567da333edefd06dc068c8852ea22d.exe
"C:\Users\Admin\AppData\Local\Temp\57567da333edefd06dc068c8852ea22d.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Roaming\Esox\saazm.exe
  "C:\Users\Admin\AppData\Roaming\Esox\saazm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb9261d6f.bat"
  2⤵
  PID:1836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Esox\saazm.exe

Filesize
93KB

MD5
df5bc5744e82042a38f929621d6ddeb9

SHA1
7ce53c834da84c7dbc9460e7b78f9fd249c66b50

SHA256
6d1624a1983f303d4012167358a57851ad9c20a5b9169d040039808b8ef0747c

SHA512
8920e8117707360c43183c6df1b5fce1031d227d9af8e991c1ecdc4a9ce93f1e337afe56502cc376bb41948ccc47f355a682800f248d7de47985b3aa6747aebf

Download Submit
\Users\Admin\AppData\Roaming\Esox\saazm.exe

Filesize
157KB

MD5
d3efac56d4d711b3f28cce51caf8a777

SHA1
c466137cf15171cbb8dc2db51937717cfb7de71f

SHA256
04206507eac723b1314b74876955bae018fe5428cb1047598e58cbfad0a4369f

SHA512
3fc77c86f3eaffc9720859bb222f6ecf5fee2fc9afc9cacc5378d5df82cfdb8d0905f50b43eb9324580b17668de30cc3c0af53c8e5e03ce911d23d5d9818d7c7

Download Submit
memory/1096-19-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/1096-15-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/1096-16-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/1096-17-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/1096-18-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/1160-22-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1160-24-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1160-26-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1160-28-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1184-34-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1184-31-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1184-32-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1184-33-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1428-66-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-1-0x00000000002D0000-0x00000000002E5000-memory.dmp

Filesize
84KB

Download
memory/1428-56-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-54-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-52-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-50-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-48-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-46-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-45-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-44-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-43-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-42-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-41-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-224-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-225-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-60-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-62-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-64-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-58-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-68-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-70-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-72-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-76-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-79-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1428-139-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-77-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1428-74-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1428-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-12-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/1836-235-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1836-319-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1836-233-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2196-38-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2196-36-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2196-37-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2196-39-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2348-321-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download