3f93dcc60e5d6100cc181d25fa55a59f08abad56039923639ecec15db29f1238

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 16:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68200eeada32107e3ecb6c7cb9202a89.exe
Size

283KB
MD5

68200eeada32107e3ecb6c7cb9202a89
SHA1

ff468c2e2a231bc6d634f2b1af52d6ea7b55168a
SHA256

3f93dcc60e5d6100cc181d25fa55a59f08abad56039923639ecec15db29f1238
SHA512

81ea62c2ebae542ba64ad9ea105c3c100472c30da905b104896525faed5663319b6f7eb896125685e79bca725f00584558111811f01bcc98fe56e69cca4410ed
SSDEEP

6144:qfZjyK+ySo8Q3wyw+1ErlrOmbZLMzVtuNdNazas73mlH4:qfZh+ySo8CxE7ZwBMtaGMWlY

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	hoig.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	68200eeada32107e3ecb6c7cb9202a89.exe
1848	68200eeada32107e3ecb6c7cb9202a89.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avabac = "C:\\Users\\Admin\\AppData\\Roaming\\Wees\\hoig.exe"	hoig.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	68200eeada32107e3ecb6c7cb9202a89.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	68200eeada32107e3ecb6c7cb9202a89.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7615139F-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe
2836	hoig.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeSecurityPrivilege	1848	68200eeada32107e3ecb6c7cb9202a89.exe
Token: SeManageVolumePrivilege	2308	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2308	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2308	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2308	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2836	1848	68200eeada32107e3ecb6c7cb9202a89.exe	28
PID 1848 wrote to memory of 2836	1848	68200eeada32107e3ecb6c7cb9202a89.exe	28
PID 1848 wrote to memory of 2836	1848	68200eeada32107e3ecb6c7cb9202a89.exe	28
PID 1848 wrote to memory of 2836	1848	68200eeada32107e3ecb6c7cb9202a89.exe	28
PID 2836 wrote to memory of 1052	2836	hoig.exe	10
PID 2836 wrote to memory of 1052	2836	hoig.exe	10
PID 2836 wrote to memory of 1052	2836	hoig.exe	10
PID 2836 wrote to memory of 1052	2836	hoig.exe	10
PID 2836 wrote to memory of 1052	2836	hoig.exe	10
PID 2836 wrote to memory of 1116	2836	hoig.exe	9
PID 2836 wrote to memory of 1116	2836	hoig.exe	9
PID 2836 wrote to memory of 1116	2836	hoig.exe	9
PID 2836 wrote to memory of 1116	2836	hoig.exe	9
PID 2836 wrote to memory of 1116	2836	hoig.exe	9
PID 2836 wrote to memory of 1140	2836	hoig.exe	8
PID 2836 wrote to memory of 1140	2836	hoig.exe	8
PID 2836 wrote to memory of 1140	2836	hoig.exe	8
PID 2836 wrote to memory of 1140	2836	hoig.exe	8
PID 2836 wrote to memory of 1140	2836	hoig.exe	8
PID 2836 wrote to memory of 1016	2836	hoig.exe	6
PID 2836 wrote to memory of 1016	2836	hoig.exe	6
PID 2836 wrote to memory of 1016	2836	hoig.exe	6
PID 2836 wrote to memory of 1016	2836	hoig.exe	6
PID 2836 wrote to memory of 1016	2836	hoig.exe	6
PID 2836 wrote to memory of 1848	2836	hoig.exe	14
PID 2836 wrote to memory of 1848	2836	hoig.exe	14
PID 2836 wrote to memory of 1848	2836	hoig.exe	14
PID 2836 wrote to memory of 1848	2836	hoig.exe	14
PID 2836 wrote to memory of 1848	2836	hoig.exe	14
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 1848 wrote to memory of 2668	1848	68200eeada32107e3ecb6c7cb9202a89.exe	30
PID 2836 wrote to memory of 2828	2836	hoig.exe	31
PID 2836 wrote to memory of 2828	2836	hoig.exe	31
PID 2836 wrote to memory of 2828	2836	hoig.exe	31
PID 2836 wrote to memory of 2828	2836	hoig.exe	31
PID 2836 wrote to memory of 2828	2836	hoig.exe	31
PID 2836 wrote to memory of 2824	2836	hoig.exe	32
PID 2836 wrote to memory of 2824	2836	hoig.exe	32
PID 2836 wrote to memory of 2824	2836	hoig.exe	32
PID 2836 wrote to memory of 2824	2836	hoig.exe	32
PID 2836 wrote to memory of 2824	2836	hoig.exe	32
PID 2836 wrote to memory of 2860	2836	hoig.exe	33
PID 2836 wrote to memory of 2860	2836	hoig.exe	33
PID 2836 wrote to memory of 2860	2836	hoig.exe	33
PID 2836 wrote to memory of 2860	2836	hoig.exe	33
PID 2836 wrote to memory of 2860	2836	hoig.exe	33
PID 2836 wrote to memory of 2496	2836	hoig.exe	34
PID 2836 wrote to memory of 2496	2836	hoig.exe	34
PID 2836 wrote to memory of 2496	2836	hoig.exe	34
PID 2836 wrote to memory of 2496	2836	hoig.exe	34
PID 2836 wrote to memory of 2496	2836	hoig.exe	34
PID 2836 wrote to memory of 2060	2836	hoig.exe	35
PID 2836 wrote to memory of 2060	2836	hoig.exe	35
PID 2836 wrote to memory of 2060	2836	hoig.exe	35
PID 2836 wrote to memory of 2060	2836	hoig.exe	35
PID 2836 wrote to memory of 2060	2836	hoig.exe	35
PID 2836 wrote to memory of 1044	2836	hoig.exe	38

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\68200eeada32107e3ecb6c7cb9202a89.exe
  "C:\Users\Admin\AppData\Local\Temp\68200eeada32107e3ecb6c7cb9202a89.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\Wees\hoig.exe
    "C:\Users\Admin\AppData\Roaming\Wees\hoig.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp571f3285.bat"
    3⤵
    PID:2668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1116

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1052

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1024573658110549193161716640115328019271383548539177818922106797631-210713095"
1⤵
PID:2824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
282KB

MD5
b2b0305a7b3e686940e86f5e71c20cff

SHA1
d90b004e2a59ce0f9a9083a42507bbbacc97fac0

SHA256
6641daf9524124f39ba78dad3ea9ebbff3e8bbaf118a1c2f4dbd2199e7e7061c

SHA512
d105e2982c68d25074a1dfb39a45a1cd2ef03b33693d7f87fdb30bb2cb1d7dfbe41948d1b4f713177fce582b1049c5cb577bcf0effd17541966928cc22bb4ce5

Download Submit
C:\Users\Admin\AppData\Roaming\Doib\taoco.yhe

Filesize
4KB

MD5
592bdbaf1e0e5a66f9bbbe01729cb906

SHA1
fb18fcbfdb0ede3c53340c2f968b9df62ee71a20

SHA256
6b97bfcef06ad7d1e51332b90896d163f5e4ce67ca3145fedbaa4a1fb936231f

SHA512
c0b4308f29aed29f6302611128acca6838552077ceef557b66f92c6139519e386eaf20d7b45665d735556a3001a8b8d47dfc2c6c2fc96ccb61c94ff22dba5eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Doib\taoco.yhe

Filesize
4KB

MD5
4d28064c305102aaf0a6dc4c1a4adc00

SHA1
08de5a2fc211a4467c1bb4613ece9d8862b5e155

SHA256
cbe249b83af43b0967468f44c4d68d978cf5772e33ab2f8deef1528c4656b33d

SHA512
7609eae32c168370cdc2e8923cc90b8a4181bf966612cc11af5577aa7ff04177031eb4f45bb72142092d765d2bd12ec0e8d4a5f44d4637eb531008424d4bb0a8

Download Submit
\Users\Admin\AppData\Roaming\Wees\hoig.exe

Filesize
283KB

MD5
f5b3f807e77acd30fe205100c9014b85

SHA1
409ca4345e1913904b2ac493b950478ffb1ea25c

SHA256
8d550c8ad443d2c7e10efe61526d0f21f1e9aeeae26b363a43cb07e4268c7214

SHA512
2871d25ef9972f465cd0f0b5063c6970c7591ac53e88f96327d957d26c171d902fa5d737f5ceab77b2734512a161419773a83c55c64d2cde71679e5efd4a1011

Download Submit
memory/1016-50-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1016-52-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1016-56-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1016-54-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1052-23-0x0000000001F40000-0x0000000001F79000-memory.dmp

Filesize
228KB

Download
memory/1052-25-0x0000000001F40000-0x0000000001F79000-memory.dmp

Filesize
228KB

Download
memory/1052-31-0x0000000001F40000-0x0000000001F79000-memory.dmp

Filesize
228KB

Download
memory/1052-27-0x0000000001F40000-0x0000000001F79000-memory.dmp

Filesize
228KB

Download
memory/1052-29-0x0000000001F40000-0x0000000001F79000-memory.dmp

Filesize
228KB

Download
memory/1116-35-0x0000000001F20000-0x0000000001F59000-memory.dmp

Filesize
228KB

Download
memory/1116-37-0x0000000001F20000-0x0000000001F59000-memory.dmp

Filesize
228KB

Download
memory/1116-39-0x0000000001F20000-0x0000000001F59000-memory.dmp

Filesize
228KB

Download
memory/1116-41-0x0000000001F20000-0x0000000001F59000-memory.dmp

Filesize
228KB

Download
memory/1140-44-0x0000000003CA0000-0x0000000003CD9000-memory.dmp

Filesize
228KB

Download
memory/1140-47-0x0000000003CA0000-0x0000000003CD9000-memory.dmp

Filesize
228KB

Download
memory/1140-46-0x0000000003CA0000-0x0000000003CD9000-memory.dmp

Filesize
228KB

Download
memory/1140-45-0x0000000003CA0000-0x0000000003CD9000-memory.dmp

Filesize
228KB

Download
memory/1848-82-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/1848-81-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-63-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-62-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-61-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-60-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-59-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-70-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-74-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-252-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-78-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1848-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-356-0x0000000001E10000-0x0000000001E49000-memory.dmp

Filesize
228KB

Download
memory/1848-355-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1848-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1848-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1848-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1848-0-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2668-357-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/2668-359-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/2668-380-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/2668-409-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/2836-17-0x0000000001D10000-0x0000000001E10000-memory.dmp

Filesize
1024KB

Download
memory/2836-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2836-407-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download