ea79ffc7a8a87e0c310731131d2f1648254b8d9988f7fd0118a296ac59330df5

Analysis

max time kernel
145s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d1c008f0c1d0f15dd82e2034801a9e.exe
Size

213KB
MD5

73d1c008f0c1d0f15dd82e2034801a9e
SHA1

75b72bd52af13ec9f83982e223373845ba615002
SHA256

ea79ffc7a8a87e0c310731131d2f1648254b8d9988f7fd0118a296ac59330df5
SHA512

3902ae6141320f0f70996dfc31beb7ae6b2ff4c97db6ac3c469c101b81fb071ac9bd0256d346dbed72eb944efe3b60c7cdee72b4659fbbf78d504e91a5659443
SSDEEP

3072:XN375DqqYJ0wIWD/P9MrxdD4JC40fuLYfjGEhfL8BmSDe/2mKReFSQVn:XNr5DqqRwIuVod74iYWSEhfLSDl7Ret

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	veyp.exe
2352	veyp.exe

Loads dropped DLL 2 IoCs

pid	Process
536	73d1c008f0c1d0f15dd82e2034801a9e.exe
536	73d1c008f0c1d0f15dd82e2034801a9e.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 2692 set thread context of 2352	2692	veyp.exe	30

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe
2352	veyp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	536	73d1c008f0c1d0f15dd82e2034801a9e.exe
Token: SeSecurityPrivilege	536	73d1c008f0c1d0f15dd82e2034801a9e.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 1548 wrote to memory of 536	1548	73d1c008f0c1d0f15dd82e2034801a9e.exe	28
PID 536 wrote to memory of 2692	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	29
PID 536 wrote to memory of 2692	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	29
PID 536 wrote to memory of 2692	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	29
PID 536 wrote to memory of 2692	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	29
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 2692 wrote to memory of 2352	2692	veyp.exe	30
PID 536 wrote to memory of 2752	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	31
PID 536 wrote to memory of 2752	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	31
PID 536 wrote to memory of 2752	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	31
PID 536 wrote to memory of 2752	536	73d1c008f0c1d0f15dd82e2034801a9e.exe	31
PID 2352 wrote to memory of 1148	2352	veyp.exe	13
PID 2352 wrote to memory of 1148	2352	veyp.exe	13
PID 2352 wrote to memory of 1148	2352	veyp.exe	13
PID 2352 wrote to memory of 1148	2352	veyp.exe	13
PID 2352 wrote to memory of 1148	2352	veyp.exe	13
PID 2352 wrote to memory of 1220	2352	veyp.exe	14
PID 2352 wrote to memory of 1220	2352	veyp.exe	14
PID 2352 wrote to memory of 1220	2352	veyp.exe	14
PID 2352 wrote to memory of 1220	2352	veyp.exe	14
PID 2352 wrote to memory of 1220	2352	veyp.exe	14
PID 2352 wrote to memory of 1296	2352	veyp.exe	17
PID 2352 wrote to memory of 1296	2352	veyp.exe	17
PID 2352 wrote to memory of 1296	2352	veyp.exe	17
PID 2352 wrote to memory of 1296	2352	veyp.exe	17
PID 2352 wrote to memory of 1296	2352	veyp.exe	17
PID 2352 wrote to memory of 1976	2352	veyp.exe	22
PID 2352 wrote to memory of 1976	2352	veyp.exe	22
PID 2352 wrote to memory of 1976	2352	veyp.exe	22
PID 2352 wrote to memory of 1976	2352	veyp.exe	22
PID 2352 wrote to memory of 1976	2352	veyp.exe	22

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\73d1c008f0c1d0f15dd82e2034801a9e.exe
  "C:\Users\Admin\AppData\Local\Temp\73d1c008f0c1d0f15dd82e2034801a9e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\73d1c008f0c1d0f15dd82e2034801a9e.exe
    C:\Users\Admin\AppData\Local\Temp\73d1c008f0c1d0f15dd82e2034801a9e.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Roaming\Ufwi\veyp.exe
      "C:\Users\Admin\AppData\Roaming\Ufwi\veyp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Roaming\Ufwi\veyp.exe
        
        C:\Users\Admin\AppData\Roaming\Ufwi\veyp.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp998d5018.bat"
      4⤵
      Deletes itself
      PID:2752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp998d5018.bat

Filesize
243B

MD5
c3e17d670d646cf9a6b4aee34f968c8d

SHA1
a2e96e2948861f6d869af646452b71c0c1586cd1

SHA256
87b34141492eb1f0feaec76f4f4d33318f8f5c5f4da6c00315ce2cab8772c703

SHA512
7883f7a863b7a639b459af67b2b4a8cd6e95ca46e72dc3b61fd7c219b4619d49df0ff229d91a0ebfff60344b0f12fe8feec99f4ab00acfecfa65e4b9d0256b38

Download Submit
\Users\Admin\AppData\Roaming\Ufwi\veyp.exe

Filesize
213KB

MD5
132d8bb0f1b710c0f93797b6fdd388bb

SHA1
71a5018dedb6d1f961f820ff451ce5a4a511a52c

SHA256
a9bf1c14fb04d2c1b6c74fdec7dff2afa587d66c386830906e949b44cb3ddc42

SHA512
96e596465a9dc6faa180852004183f90aa47d8e08240322cc52a60614ec59e3275227406a43cd4c709e17cbc448dc2fbb4d61d6826f60674ee56f0e4251bbc42

Download Submit
memory/536-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/536-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/536-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-15-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/536-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-67-0x0000000001B40000-0x0000000001B7C000-memory.dmp

Filesize
240KB

Download
memory/1148-66-0x0000000001B40000-0x0000000001B7C000-memory.dmp

Filesize
240KB

Download
memory/1148-65-0x0000000001B40000-0x0000000001B7C000-memory.dmp

Filesize
240KB

Download
memory/1148-64-0x0000000001B40000-0x0000000001B7C000-memory.dmp

Filesize
240KB

Download
memory/1220-71-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/1220-72-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/1220-69-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/1220-70-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/1296-76-0x00000000029B0000-0x00000000029EC000-memory.dmp

Filesize
240KB

Download
memory/1296-78-0x00000000029B0000-0x00000000029EC000-memory.dmp

Filesize
240KB

Download
memory/1296-77-0x00000000029B0000-0x00000000029EC000-memory.dmp

Filesize
240KB

Download
memory/1296-75-0x00000000029B0000-0x00000000029EC000-memory.dmp

Filesize
240KB

Download
memory/1548-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2352-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download