e54656edfecdadcdfb7067e0a9b6c8173742bec5f75f06fd06eaee8d88c75395

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7173228e125b93ef1446e35dce57e254.exe
Size

220KB
MD5

7173228e125b93ef1446e35dce57e254
SHA1

a580543220f960afe5bcf709b3a7cfd65190c2af
SHA256

e54656edfecdadcdfb7067e0a9b6c8173742bec5f75f06fd06eaee8d88c75395
SHA512

ca7afc4a2545b2297b85687c9dbebf78e5dce9d38c61d13e9e3ba472c929ad6e34eb38b3d80ffadf907b129562c3e39a4a707c1e153b5f88d4d1c20ef40c0551
SSDEEP

6144:d/0bjwuHKipVCgvtxeP7d1ozmm0e+NU9uQ54IC4F5o2Tcruj:+cKbpVCgQ1oz/0vmFC4vo2TJj

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1892	enmio.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	7173228e125b93ef1446e35dce57e254.exe
2024	7173228e125b93ef1446e35dce57e254.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/files/0x000d000000014313-5.dat	upx
behavioral1/memory/2024-11-0x0000000001E90000-0x0000000001EE5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E2278F98-20E9-9674-D8D6-07B339FEDF3F} = "C:\\Users\\Admin\\AppData\\Roaming\\Hoopz\\enmio.exe"	enmio.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	7173228e125b93ef1446e35dce57e254.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7173228e125b93ef1446e35dce57e254.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\08EB4F87-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe
1892	enmio.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2024	7173228e125b93ef1446e35dce57e254.exe
Token: SeSecurityPrivilege	2024	7173228e125b93ef1446e35dce57e254.exe
Token: SeSecurityPrivilege	2024	7173228e125b93ef1446e35dce57e254.exe
Token: SeManageVolumePrivilege	1584	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1584	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1584	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1584	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1892	2024	7173228e125b93ef1446e35dce57e254.exe	28
PID 2024 wrote to memory of 1892	2024	7173228e125b93ef1446e35dce57e254.exe	28
PID 2024 wrote to memory of 1892	2024	7173228e125b93ef1446e35dce57e254.exe	28
PID 2024 wrote to memory of 1892	2024	7173228e125b93ef1446e35dce57e254.exe	28
PID 1892 wrote to memory of 1056	1892	enmio.exe	10
PID 1892 wrote to memory of 1056	1892	enmio.exe	10
PID 1892 wrote to memory of 1056	1892	enmio.exe	10
PID 1892 wrote to memory of 1056	1892	enmio.exe	10
PID 1892 wrote to memory of 1056	1892	enmio.exe	10
PID 1892 wrote to memory of 1088	1892	enmio.exe	8
PID 1892 wrote to memory of 1088	1892	enmio.exe	8
PID 1892 wrote to memory of 1088	1892	enmio.exe	8
PID 1892 wrote to memory of 1088	1892	enmio.exe	8
PID 1892 wrote to memory of 1088	1892	enmio.exe	8
PID 1892 wrote to memory of 1144	1892	enmio.exe	7
PID 1892 wrote to memory of 1144	1892	enmio.exe	7
PID 1892 wrote to memory of 1144	1892	enmio.exe	7
PID 1892 wrote to memory of 1144	1892	enmio.exe	7
PID 1892 wrote to memory of 1144	1892	enmio.exe	7
PID 1892 wrote to memory of 2200	1892	enmio.exe	4
PID 1892 wrote to memory of 2200	1892	enmio.exe	4
PID 1892 wrote to memory of 2200	1892	enmio.exe	4
PID 1892 wrote to memory of 2200	1892	enmio.exe	4
PID 1892 wrote to memory of 2200	1892	enmio.exe	4
PID 1892 wrote to memory of 2024	1892	enmio.exe	11
PID 1892 wrote to memory of 2024	1892	enmio.exe	11
PID 1892 wrote to memory of 2024	1892	enmio.exe	11
PID 1892 wrote to memory of 2024	1892	enmio.exe	11
PID 1892 wrote to memory of 2024	1892	enmio.exe	11
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 2024 wrote to memory of 1744	2024	7173228e125b93ef1446e35dce57e254.exe	30
PID 1892 wrote to memory of 2116	1892	enmio.exe	32
PID 1892 wrote to memory of 2116	1892	enmio.exe	32
PID 1892 wrote to memory of 2116	1892	enmio.exe	32
PID 1892 wrote to memory of 2116	1892	enmio.exe	32
PID 1892 wrote to memory of 2116	1892	enmio.exe	32
PID 1892 wrote to memory of 1888	1892	enmio.exe	33
PID 1892 wrote to memory of 1888	1892	enmio.exe	33
PID 1892 wrote to memory of 1888	1892	enmio.exe	33
PID 1892 wrote to memory of 1888	1892	enmio.exe	33
PID 1892 wrote to memory of 1888	1892	enmio.exe	33
PID 1892 wrote to memory of 2292	1892	enmio.exe	34
PID 1892 wrote to memory of 2292	1892	enmio.exe	34
PID 1892 wrote to memory of 2292	1892	enmio.exe	34
PID 1892 wrote to memory of 2292	1892	enmio.exe	34
PID 1892 wrote to memory of 2292	1892	enmio.exe	34

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\7173228e125b93ef1446e35dce57e254.exe
  "C:\Users\Admin\AppData\Local\Temp\7173228e125b93ef1446e35dce57e254.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Hoopz\enmio.exe
    "C:\Users\Admin\AppData\Roaming\Hoopz\enmio.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp60a8b409.bat"
    3⤵
    - Deletes itself
    PID:1744

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1056

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
34KB

MD5
917a7d515b3c2e0555a98a4dc63133aa

SHA1
3d6b70000903ab1f9298022a71b846c0d98e1bd8

SHA256
480810ac45ffc4c1b1b21badc2d5d1e2e7cefef91cf9bca91e8fd539fd751a39

SHA512
4c3ef5a64efaa05086465b8a023b96f0a4092f7563aa50e44c33491442ce56b10bc5789a8abaa352a0c0dd8040931ed456c3e6c1548c3dc97c9973d87065edb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60a8b409.bat

Filesize
243B

MD5
8acefbb74fcccb344915aeb1e02b3a9d

SHA1
21023227aa2e2460c8626ada6f8b8ea1425ab778

SHA256
bef9510371da9d6f71ab3f5cac1338211ab29d43ac2fc58c95dddca27a2217aa

SHA512
4c26fb2889d456371f9631f2191fe32de6b425e07419696a841a2a27877b113bada6b54d4d55e43a7b7ded2253bde79dda0c415e2d75d380edfff6a4638a5738

Download Submit
C:\Users\Admin\AppData\Roaming\Voubo\lyco.pou

Filesize
366B

MD5
63d1543da8390f760bbf2938c682c522

SHA1
007f2b37b5c8b8e40be3e147e8601bd75fba3478

SHA256
3442065af47c8ab0ccce56d41ae117e990f32ce588b54d79d689a56b5d4d7aed

SHA512
c797a9173c0d0edf9a021ccd13de5addcc01ee0885dae2ede947cdf83a0d1ce8cd33d73d68e46b94b217cc6de7e452f6c480c6d41b1cc9f8e5696de449df035a

Download Submit
\Users\Admin\AppData\Roaming\Hoopz\enmio.exe

Filesize
220KB

MD5
779f30e241a38058cbdedf0c1b1b8e38

SHA1
e6a2d33abdced61eb28a0470d596811eb1d22ec8

SHA256
b7de5fe325b23355476cd28c225ff2d124a144d74de248d177ea7ed32902e682

SHA512
12edef747ac3d6bc670619fc8da6157689d3d7919d03f3c9d35d939dd5d5786ca0ec8cce2a6a728278cc593cd0e57edc90ea39a282bc0d2f313b3e3f568b7a2f

Download Submit
memory/1056-20-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1056-17-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1056-16-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1056-19-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1056-18-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1088-23-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1088-22-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1088-25-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1088-24-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1144-29-0x0000000002DF0000-0x0000000002E17000-memory.dmp

Filesize
156KB

Download
memory/1144-30-0x0000000002DF0000-0x0000000002E17000-memory.dmp

Filesize
156KB

Download
memory/1144-28-0x0000000002DF0000-0x0000000002E17000-memory.dmp

Filesize
156KB

Download
memory/1144-27-0x0000000002DF0000-0x0000000002E17000-memory.dmp

Filesize
156KB

Download
memory/1744-227-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1744-316-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1744-317-0x00000000000B0000-0x00000000000D7000-memory.dmp

Filesize
156KB

Download
memory/1744-223-0x00000000000B0000-0x00000000000D7000-memory.dmp

Filesize
156KB

Download
memory/1744-225-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1892-319-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2024-77-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-61-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-57-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-55-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-53-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-51-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-49-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-47-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-46-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-44-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-42-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-40-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-38-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-1-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/2024-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2024-11-0x0000000001E90000-0x0000000001EE5000-memory.dmp

Filesize
340KB

Download
memory/2024-13-0x0000000001E90000-0x0000000001EE5000-memory.dmp

Filesize
340KB

Download
memory/2024-59-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-65-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-67-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-69-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-134-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-71-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-73-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-75-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2024-220-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2024-221-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/2024-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2024-90-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/2024-63-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2200-32-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/2200-33-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/2200-34-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/2200-35-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download