3ef62f7a5f6fe074478ec0d191bda2455c6da86c6147ed7af623a7c272b9a37b

General

Target

57fb35cf44737a4c012ffc72d301dc69.exe
Size

104KB
MD5

57fb35cf44737a4c012ffc72d301dc69
SHA1

f189c8f6c2773299937f959703c199963845228e
SHA256

3ef62f7a5f6fe074478ec0d191bda2455c6da86c6147ed7af623a7c272b9a37b
SHA512

f477a1e5a0fb3e171b0d515446ed2269660e65fdfdb9926365eef6d1aaa7fcdb5f804e000df2ce31336a80df73e96678eba697856d2e4693a3b56e9f21808f9e
SSDEEP

3072:xQWiPsbAfAF59W0lJebAEbIpKzUT+sqxqIUoeOiN/:1QAdxl64pj0xbeOiN/

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2264 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

vadizyg.exe

pid process

2500 vadizyg.exe
Loads dropped DLL 2 IoCs

Processes:

57fb35cf44737a4c012ffc72d301dc69.exe

pid process

1216 57fb35cf44737a4c012ffc72d301dc69.exe
1216 57fb35cf44737a4c012ffc72d301dc69.exe

pid	process
2264	cmd.exe

pid	process
1216	57fb35cf44737a4c012ffc72d301dc69.exe
1216	57fb35cf44737a4c012ffc72d301dc69.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vadizyg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\{110B54E0-E2BA-5EA7-1600-5E6CC59164B6} = "C:\\Users\\Admin\\AppData\\Roaming\\Oqba\\vadizyg.exe"	vadizyg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

57fb35cf44737a4c012ffc72d301dc69.exe

description pid process target process

PID 1216 set thread context of 2264 1216 57fb35cf44737a4c012ffc72d301dc69.exe cmd.exe

description	pid	process	target process
PID 1216 set thread context of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

57fb35cf44737a4c012ffc72d301dc69.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy	57fb35cf44737a4c012ffc72d301dc69.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	57fb35cf44737a4c012ffc72d301dc69.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3375247A-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

vadizyg.exe

pid	process
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe
2500	vadizyg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

57fb35cf44737a4c012ffc72d301dc69.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1216	57fb35cf44737a4c012ffc72d301dc69.exe
Token: SeSecurityPrivilege	1216	57fb35cf44737a4c012ffc72d301dc69.exe
Token: SeSecurityPrivilege	1216	57fb35cf44737a4c012ffc72d301dc69.exe
Token: SeManageVolumePrivilege	2940	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

2940 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

2940 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2940 WinMail.exe

pid	process
2940	WinMail.exe

pid	process
2940	WinMail.exe

pid	process
2940	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

57fb35cf44737a4c012ffc72d301dc69.exevadizyg.exe

description	pid	process	target process
PID 1216 wrote to memory of 2500	1216	57fb35cf44737a4c012ffc72d301dc69.exe	vadizyg.exe
PID 1216 wrote to memory of 2500	1216	57fb35cf44737a4c012ffc72d301dc69.exe	vadizyg.exe
PID 1216 wrote to memory of 2500	1216	57fb35cf44737a4c012ffc72d301dc69.exe	vadizyg.exe
PID 1216 wrote to memory of 2500	1216	57fb35cf44737a4c012ffc72d301dc69.exe	vadizyg.exe
PID 2500 wrote to memory of 1136	2500	vadizyg.exe	taskhost.exe
PID 2500 wrote to memory of 1136	2500	vadizyg.exe	taskhost.exe
PID 2500 wrote to memory of 1136	2500	vadizyg.exe	taskhost.exe
PID 2500 wrote to memory of 1136	2500	vadizyg.exe	taskhost.exe
PID 2500 wrote to memory of 1136	2500	vadizyg.exe	taskhost.exe
PID 2500 wrote to memory of 1228	2500	vadizyg.exe	Dwm.exe
PID 2500 wrote to memory of 1228	2500	vadizyg.exe	Dwm.exe
PID 2500 wrote to memory of 1228	2500	vadizyg.exe	Dwm.exe
PID 2500 wrote to memory of 1228	2500	vadizyg.exe	Dwm.exe
PID 2500 wrote to memory of 1228	2500	vadizyg.exe	Dwm.exe
PID 2500 wrote to memory of 1264	2500	vadizyg.exe	Explorer.EXE
PID 2500 wrote to memory of 1264	2500	vadizyg.exe	Explorer.EXE
PID 2500 wrote to memory of 1264	2500	vadizyg.exe	Explorer.EXE
PID 2500 wrote to memory of 1264	2500	vadizyg.exe	Explorer.EXE
PID 2500 wrote to memory of 1264	2500	vadizyg.exe	Explorer.EXE
PID 2500 wrote to memory of 1792	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 1792	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 1792	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 1792	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 1792	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 1216	2500	vadizyg.exe	57fb35cf44737a4c012ffc72d301dc69.exe
PID 2500 wrote to memory of 1216	2500	vadizyg.exe	57fb35cf44737a4c012ffc72d301dc69.exe
PID 2500 wrote to memory of 1216	2500	vadizyg.exe	57fb35cf44737a4c012ffc72d301dc69.exe
PID 2500 wrote to memory of 1216	2500	vadizyg.exe	57fb35cf44737a4c012ffc72d301dc69.exe
PID 2500 wrote to memory of 1216	2500	vadizyg.exe	57fb35cf44737a4c012ffc72d301dc69.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 1216 wrote to memory of 2264	1216	57fb35cf44737a4c012ffc72d301dc69.exe	cmd.exe
PID 2500 wrote to memory of 280	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 280	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 280	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 280	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 280	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2032	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2032	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2032	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2032	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2032	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2864	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2864	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2864	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2864	2500	vadizyg.exe	DllHost.exe
PID 2500 wrote to memory of 2864	2500	vadizyg.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1792

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\57fb35cf44737a4c012ffc72d301dc69.exe
"C:\Users\Admin\AppData\Local\Temp\57fb35cf44737a4c012ffc72d301dc69.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Roaming\Oqba\vadizyg.exe
"C:\Users\Admin\AppData\Roaming\Oqba\vadizyg.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa2f7f52e.bat"
3⤵
- Deletes itself
PID:2264

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
188a07a8be3eaaf181e5a52841592770

SHA1
828788f0f5f5b85d62496f4691990c08496f35e8

SHA256
d46b2f37ca407d1891dbdbd446095245208b16ea5d540dd791e55863fc9373e3

SHA512
33309b736860e743f7e086e6bbefc3d4709fd1add8fbbd032066e9e6237113738efc5a9d6edb438c1b6c4abf436d6aac5e2e53badd658b1dd593f9af340f06ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa2f7f52e.bat
Filesize
243B

MD5
9f922651146639d252a90db67ebe7ef4

SHA1
73c90c1b1ed96cc471ba46f78795a59833f30bef

SHA256
55496aa50ab0d155247124e18596ea6a1580636b1c669187a90170afef581797

SHA512
8da79efe2db325570dc80598f678032851760d5945fbb9a0a6c3cd145b3ce21bc84691047cf75dbf198b586b1861a98ff9c86aac8dba59179bc316ded63c77a1

Download Submit
C:\Users\Admin\AppData\Roaming\Ocidof\adivowa.nir
Filesize
366B

MD5
23468aba6bfa4b1c4b500c72a0851d78

SHA1
10949a6adb1a7f6db4e9ba442e665cfa5eddbce8

SHA256
a096d2ebdcbdf7960500095e57936f2186d911816acbf70c328a0294e1ed71d3

SHA512
643ad00fb40eb47789d8717c65559fc45843f06d66ebba6d63c69eb497cdee22f1f1befc40ba55d0de5e8add5a1c0280b9df929499b5c81adbe5231da6c318ac

Download Submit
\Users\Admin\AppData\Roaming\Oqba\vadizyg.exe
Filesize
104KB

MD5
5f662c558ea872b4927c99adf5d44094

SHA1
a35fed2e702877950a3e9b0d265bf69bc5c95160

SHA256
ae89a1c065dce11a296492fcb69940a90ebee7904d8985cf70e5f8f810f0e0b7

SHA512
554201454dd8e6e156f1c2ed436f1998236ff95aed05fcf86d55d20dcfbf98f9400c595b9d0af3bb7ff9c319c516b67672c2ca9f2edcf5a7908954a9ea78d8ca

Download Submit
memory/1136-18-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-14-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-15-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-16-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-17-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1216-74-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-52-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-216-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-218-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-217-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-132-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-78-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-76-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1216-72-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-70-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-35-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-36-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-37-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-38-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-39-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-40-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1216-41-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-43-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-45-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-48-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/1216-47-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-50-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-54-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-56-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-58-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-60-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1216-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1228-20-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-21-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-22-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-23-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1264-26-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1264-27-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1264-25-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1264-28-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1792-32-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1792-33-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1792-30-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/1792-31-0x0000000001C90000-0x0000000001CB7000-memory.dmp

Filesize
156KB

Download
memory/2264-219-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2264-222-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/2264-224-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/2264-315-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2264-314-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2500-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2500-312-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads