89cd5c3f4fb6834f8104b1fd1ba39222e37de5d8b20a7bb85fa463a88d9baaee

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d26bb477af79efac4b9b274685cca30.exe
Size

180KB
MD5

6d26bb477af79efac4b9b274685cca30
SHA1

4582b22d230d5990457aab752dc15d83cda873db
SHA256

89cd5c3f4fb6834f8104b1fd1ba39222e37de5d8b20a7bb85fa463a88d9baaee
SHA512

cef52da620ca69bd908992da9f17843f0c44ebec0f576d688ce72a2a63e8dab71825225f8a4557a449f9c474cc68148ea87f75c24aa513a5a28f23d608deff87
SSDEEP

3072:XsRRJgNB10Y1uby6Tfw4m6ZnjShSc6TCkvKEWF7rh8KGT5rzNzHvz1CLhrCDjZR:XuJ6BCYI3THk6OuRWFfhhGT5rzNDvk83

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

592 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

tiej.exe

pid process

2776 tiej.exe
Loads dropped DLL 2 IoCs

Processes:

6d26bb477af79efac4b9b274685cca30.exe

pid process

2276 6d26bb477af79efac4b9b274685cca30.exe
2276 6d26bb477af79efac4b9b274685cca30.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Ytveze\tiej.exe upx
behavioral1/memory/2276-11-0x0000000000400000-0x00000000027B5000-memory.dmp upx

pid	process
592	cmd.exe

pid	process
2276	6d26bb477af79efac4b9b274685cca30.exe
2276	6d26bb477af79efac4b9b274685cca30.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Ytveze\tiej.exe	upx
behavioral1/memory/2276-11-0x0000000000400000-0x00000000027B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tiej.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Ytveze\\tiej.exe"	tiej.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d26bb477af79efac4b9b274685cca30.exe

description pid process target process

PID 2276 set thread context of 592 2276 6d26bb477af79efac4b9b274685cca30.exe cmd.exe

description	pid	process	target process
PID 2276 set thread context of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

6d26bb477af79efac4b9b274685cca30.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	6d26bb477af79efac4b9b274685cca30.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6d26bb477af79efac4b9b274685cca30.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

tiej.exe

pid	process
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe
2776	tiej.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6d26bb477af79efac4b9b274685cca30.exe

description	pid	process
Token: SeSecurityPrivilege	2276	6d26bb477af79efac4b9b274685cca30.exe
Token: SeSecurityPrivilege	2276	6d26bb477af79efac4b9b274685cca30.exe
Token: SeSecurityPrivilege	2276	6d26bb477af79efac4b9b274685cca30.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6d26bb477af79efac4b9b274685cca30.exetiej.exe

pid process

2276 6d26bb477af79efac4b9b274685cca30.exe
2776 tiej.exe

pid	process
2276	6d26bb477af79efac4b9b274685cca30.exe
2776	tiej.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

6d26bb477af79efac4b9b274685cca30.exetiej.exe

description	pid	process	target process
PID 2276 wrote to memory of 2776	2276	6d26bb477af79efac4b9b274685cca30.exe	tiej.exe
PID 2276 wrote to memory of 2776	2276	6d26bb477af79efac4b9b274685cca30.exe	tiej.exe
PID 2276 wrote to memory of 2776	2276	6d26bb477af79efac4b9b274685cca30.exe	tiej.exe
PID 2276 wrote to memory of 2776	2276	6d26bb477af79efac4b9b274685cca30.exe	tiej.exe
PID 2776 wrote to memory of 1120	2776	tiej.exe	taskhost.exe
PID 2776 wrote to memory of 1120	2776	tiej.exe	taskhost.exe
PID 2776 wrote to memory of 1120	2776	tiej.exe	taskhost.exe
PID 2776 wrote to memory of 1120	2776	tiej.exe	taskhost.exe
PID 2776 wrote to memory of 1120	2776	tiej.exe	taskhost.exe
PID 2776 wrote to memory of 1184	2776	tiej.exe	Dwm.exe
PID 2776 wrote to memory of 1184	2776	tiej.exe	Dwm.exe
PID 2776 wrote to memory of 1184	2776	tiej.exe	Dwm.exe
PID 2776 wrote to memory of 1184	2776	tiej.exe	Dwm.exe
PID 2776 wrote to memory of 1184	2776	tiej.exe	Dwm.exe
PID 2776 wrote to memory of 1264	2776	tiej.exe	Explorer.EXE
PID 2776 wrote to memory of 1264	2776	tiej.exe	Explorer.EXE
PID 2776 wrote to memory of 1264	2776	tiej.exe	Explorer.EXE
PID 2776 wrote to memory of 1264	2776	tiej.exe	Explorer.EXE
PID 2776 wrote to memory of 1264	2776	tiej.exe	Explorer.EXE
PID 2776 wrote to memory of 1096	2776	tiej.exe	DllHost.exe
PID 2776 wrote to memory of 1096	2776	tiej.exe	DllHost.exe
PID 2776 wrote to memory of 1096	2776	tiej.exe	DllHost.exe
PID 2776 wrote to memory of 1096	2776	tiej.exe	DllHost.exe
PID 2776 wrote to memory of 1096	2776	tiej.exe	DllHost.exe
PID 2776 wrote to memory of 2276	2776	tiej.exe	6d26bb477af79efac4b9b274685cca30.exe
PID 2776 wrote to memory of 2276	2776	tiej.exe	6d26bb477af79efac4b9b274685cca30.exe
PID 2776 wrote to memory of 2276	2776	tiej.exe	6d26bb477af79efac4b9b274685cca30.exe
PID 2776 wrote to memory of 2276	2776	tiej.exe	6d26bb477af79efac4b9b274685cca30.exe
PID 2776 wrote to memory of 2276	2776	tiej.exe	6d26bb477af79efac4b9b274685cca30.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe
PID 2276 wrote to memory of 592	2276	6d26bb477af79efac4b9b274685cca30.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\6d26bb477af79efac4b9b274685cca30.exe
"C:\Users\Admin\AppData\Local\Temp\6d26bb477af79efac4b9b274685cca30.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Roaming\Ytveze\tiej.exe
"C:\Users\Admin\AppData\Roaming\Ytveze\tiej.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2691d502.bat"
3⤵
- Deletes itself
PID:592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2691d502.bat
Filesize
243B

MD5
a5fac2c3eeb8a0cfa770eaffeb85b349

SHA1
47ab151d289be728449ff0e98c418a780b3019e5

SHA256
cde3efbf7b5be6053eccc69fe1bafa2a330d0037de6d197e1d42dbbdcacd5ccc

SHA512
76282628c9f09f9528a3b13e474ea44d2c6a4a1d2bc1cc81e00b7d1057612a865c34238b458ea5867ab17f631b4da7753f0f17f7f009d219abbde5a91412fbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Kuow\ceig.zam
Filesize
366B

MD5
680e84794e9d38bac2621b816eb3cd7b

SHA1
4c38f371ebe54770c3eb117c07cc21cebf17dfe1

SHA256
5ac48d042818f70062afb4f7345d947e641f216c1827a8ef474e12d092b180c9

SHA512
5be349341370d85303dda21908f73bcdecc2a7db15f3cbec6ccbb78b703db2957c998901fccd97852331211c9b9de4d7db0456f8fe3087cfc90de6b0f9d68e70

Download Submit
C:\Users\Admin\AppData\Roaming\Ytveze\tiej.exe
Filesize
180KB

MD5
9e2358d6cfaf6c18f20dd550d025894b

SHA1
f310cec5796002ac2e70c890aef02c07174d5c99

SHA256
90d9ff910148036f3043f5e5aa6839004dacfb70a5719d7b4a2036f5a3ceaa8f

SHA512
4106cc1be5d70d297da6e7379b25d0f33a1af7dbd98a91d4e24d2d08a52b83f648a08dc55961cb097f7f6a9929a075a93c223396cdfb24db1b7bbcb9e03959d4

Download Submit
memory/592-274-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/592-174-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/592-176-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/592-271-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1096-48-0x0000000001BA0000-0x0000000001BD5000-memory.dmp

Filesize
212KB

Download
memory/1096-50-0x0000000001BA0000-0x0000000001BD5000-memory.dmp

Filesize
212KB

Download
memory/1096-54-0x0000000001BA0000-0x0000000001BD5000-memory.dmp

Filesize
212KB

Download
memory/1096-52-0x0000000001BA0000-0x0000000001BD5000-memory.dmp

Filesize
212KB

Download
memory/1120-10-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/1120-21-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/1120-18-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/1120-16-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/1120-14-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/1184-30-0x0000000001BB0000-0x0000000001BE5000-memory.dmp

Filesize
212KB

Download
memory/1184-32-0x0000000001BB0000-0x0000000001BE5000-memory.dmp

Filesize
212KB

Download
memory/1184-27-0x0000000001BB0000-0x0000000001BE5000-memory.dmp

Filesize
212KB

Download
memory/1184-25-0x0000000001BB0000-0x0000000001BE5000-memory.dmp

Filesize
212KB

Download
memory/1264-41-0x0000000002C50000-0x0000000002C85000-memory.dmp

Filesize
212KB

Download
memory/1264-43-0x0000000002C50000-0x0000000002C85000-memory.dmp

Filesize
212KB

Download
memory/1264-39-0x0000000002C50000-0x0000000002C85000-memory.dmp

Filesize
212KB

Download
memory/1264-37-0x0000000002C50000-0x0000000002C85000-memory.dmp

Filesize
212KB

Download
memory/2276-29-0x0000000009A40000-0x000000000BDF5000-memory.dmp

Filesize
35.7MB

Download
memory/2276-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-61-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2276-63-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2276-65-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2276-66-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-68-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-69-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/2276-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-59-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2276-75-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-161-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2276-57-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2276-11-0x0000000000400000-0x00000000027B5000-memory.dmp

Filesize
35.7MB

Download
memory/2276-36-0x0000000009A40000-0x000000000BDF5000-memory.dmp

Filesize
35.7MB

Download
memory/2276-180-0x0000000000400000-0x00000000027B5000-memory.dmp

Filesize
35.7MB

Download
memory/2276-20-0x0000000000400000-0x00000000027B5000-memory.dmp

Filesize
35.7MB

Download
memory/2276-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2776-45-0x0000000000400000-0x00000000027B5000-memory.dmp

Filesize
35.7MB

Download
memory/2776-275-0x0000000000400000-0x00000000027B5000-memory.dmp

Filesize
35.7MB

Download