c5541e0fe7b38b74fa242a1063490b1d16ab74ee6f46db55c1fe6e873d7901e9

General

Target

5acdd36c12abb8dd69eaf8303b1105d5.exe
Size

323KB
MD5

5acdd36c12abb8dd69eaf8303b1105d5
SHA1

e421ad6ae11ff0aef7e80f848d4460ea72597fc8
SHA256

c5541e0fe7b38b74fa242a1063490b1d16ab74ee6f46db55c1fe6e873d7901e9
SHA512

8162ce59017fa0c1d93295bb6ecfd373e6a3d01815693aba3ca242be85e41be2957eb04f483d93d5ff01938b938fa888bf73145b4d40f073658ce8e579c50227
SSDEEP

6144:UqfAwfwd99vxoYCh+Li9IBCiiortLe09ZvLmE7JWAd5:/fAos9Dorvors0zCQJBf

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

772 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

itas.exe

pid process

2856 itas.exe
Loads dropped DLL 4 IoCs

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exeitas.exe

pid process

1704 5acdd36c12abb8dd69eaf8303b1105d5.exe
2856 itas.exe
2856 itas.exe
2856 itas.exe

pid	process
772	cmd.exe

pid	process
1704	5acdd36c12abb8dd69eaf8303b1105d5.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

itas.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Egwui\\itas.exe"	itas.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exe

description pid process target process

PID 1704 set thread context of 772 1704 5acdd36c12abb8dd69eaf8303b1105d5.exe cmd.exe

description	pid	process	target process
PID 1704 set thread context of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	5acdd36c12abb8dd69eaf8303b1105d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5acdd36c12abb8dd69eaf8303b1105d5.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

itas.exe

pid	process
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe
2856	itas.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exe

description	pid	process
Token: SeSecurityPrivilege	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe
Token: SeSecurityPrivilege	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe
Token: SeSecurityPrivilege	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exeitas.exe

pid process

1704 5acdd36c12abb8dd69eaf8303b1105d5.exe
2856 itas.exe

pid	process
1704	5acdd36c12abb8dd69eaf8303b1105d5.exe
2856	itas.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

5acdd36c12abb8dd69eaf8303b1105d5.exeitas.exe

description	pid	process	target process
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 1704 wrote to memory of 2856	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	itas.exe
PID 2856 wrote to memory of 1108	2856	itas.exe	taskhost.exe
PID 2856 wrote to memory of 1108	2856	itas.exe	taskhost.exe
PID 2856 wrote to memory of 1108	2856	itas.exe	taskhost.exe
PID 2856 wrote to memory of 1108	2856	itas.exe	taskhost.exe
PID 2856 wrote to memory of 1108	2856	itas.exe	taskhost.exe
PID 2856 wrote to memory of 1176	2856	itas.exe	Dwm.exe
PID 2856 wrote to memory of 1176	2856	itas.exe	Dwm.exe
PID 2856 wrote to memory of 1176	2856	itas.exe	Dwm.exe
PID 2856 wrote to memory of 1176	2856	itas.exe	Dwm.exe
PID 2856 wrote to memory of 1176	2856	itas.exe	Dwm.exe
PID 2856 wrote to memory of 1200	2856	itas.exe	Explorer.EXE
PID 2856 wrote to memory of 1200	2856	itas.exe	Explorer.EXE
PID 2856 wrote to memory of 1200	2856	itas.exe	Explorer.EXE
PID 2856 wrote to memory of 1200	2856	itas.exe	Explorer.EXE
PID 2856 wrote to memory of 1200	2856	itas.exe	Explorer.EXE
PID 2856 wrote to memory of 2136	2856	itas.exe	DllHost.exe
PID 2856 wrote to memory of 2136	2856	itas.exe	DllHost.exe
PID 2856 wrote to memory of 2136	2856	itas.exe	DllHost.exe
PID 2856 wrote to memory of 2136	2856	itas.exe	DllHost.exe
PID 2856 wrote to memory of 2136	2856	itas.exe	DllHost.exe
PID 2856 wrote to memory of 1704	2856	itas.exe	5acdd36c12abb8dd69eaf8303b1105d5.exe
PID 2856 wrote to memory of 1704	2856	itas.exe	5acdd36c12abb8dd69eaf8303b1105d5.exe
PID 2856 wrote to memory of 1704	2856	itas.exe	5acdd36c12abb8dd69eaf8303b1105d5.exe
PID 2856 wrote to memory of 1704	2856	itas.exe	5acdd36c12abb8dd69eaf8303b1105d5.exe
PID 2856 wrote to memory of 1704	2856	itas.exe	5acdd36c12abb8dd69eaf8303b1105d5.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe
PID 1704 wrote to memory of 772	1704	5acdd36c12abb8dd69eaf8303b1105d5.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\5acdd36c12abb8dd69eaf8303b1105d5.exe
"C:\Users\Admin\AppData\Local\Temp\5acdd36c12abb8dd69eaf8303b1105d5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Egwui\itas.exe
"C:\Users\Admin\AppData\Roaming\Egwui\itas.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbe2ea5f1.bat"
3⤵
- Deletes itself
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbe2ea5f1.bat
Filesize
243B

MD5
0c9933aa8a1e6bc752b70a137d8976bb

SHA1
d6fb9d7307c4065378f3966909fb3648bf310adc

SHA256
d671398acee7bad97f192b99af44e3c4337a810fdff15687e05c64ab5f5e61d3

SHA512
96578dbb862e2259d128ecedc93b8dbef4cceb336e89c54b57e280f48a932c73a56f6b54f4c48652a8bb7089832fbd88f3e30d6767c3dc049d4bd9b698ebbf7a

Download Submit
C:\Users\Admin\AppData\Roaming\Asej\qoysn.yma
Filesize
366B

MD5
0506cdf353d89f6758afeb23aded376e

SHA1
f8c5f2746639edb8e041d072758a0dd9c7185c95

SHA256
ffafd7433a502d1687167e5382a094d8d2b675074367ce32cab65a005509f78c

SHA512
3668c827e4098e8d21865c8c058e60187f60e10585529d748eab5623530e35d40ec8f3d4c6df9938a7d3d745d0c15aea8536f78dbad7e1c2128a96ed27af154c

Download Submit
\Users\Admin\AppData\Roaming\Egwui\itas.exe
Filesize
323KB

MD5
9072422a39004890a2e682f5468ace1a

SHA1
1b318cb4e57873f309158ef7ab3fdb794877b527

SHA256
0b4b89f6df61648c11b6202629d20aa32426c2d13d09e8750bc9dca02faeb481

SHA512
5f2b727491d99511eb077cb777fd4f73be774e864d372bf8f68abd00899dccd65883e69070746c8da835a6772f0ec79c00a9e9235798d8821a4ee2586a65c748

Download Submit
memory/772-306-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/772-188-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/1108-23-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1108-18-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1108-19-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1108-21-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1108-25-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1176-29-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1176-31-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1176-33-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1176-35-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1200-41-0x0000000002A90000-0x0000000002AD1000-memory.dmp

Filesize
260KB

Download
memory/1200-40-0x0000000002A90000-0x0000000002AD1000-memory.dmp

Filesize
260KB

Download
memory/1200-39-0x0000000002A90000-0x0000000002AD1000-memory.dmp

Filesize
260KB

Download
memory/1200-38-0x0000000002A90000-0x0000000002AD1000-memory.dmp

Filesize
260KB

Download
memory/1704-49-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000000A10000-0x0000000000A63000-memory.dmp

Filesize
332KB

Download
memory/1704-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-187-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-185-0x0000000000A10000-0x0000000000A63000-memory.dmp

Filesize
332KB

Download
memory/1704-48-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-0-0x00000000004D0000-0x0000000000511000-memory.dmp

Filesize
260KB

Download
memory/1704-50-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-51-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-52-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-54-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1704-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-70-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-72-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-74-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-76-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-78-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2136-46-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2136-45-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2136-44-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2136-43-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2856-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-15-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2856-16-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2856-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads