dc346ddbdd9fbf380829eb2b337b80963cd2078bd620dec741388eb51a2af6a3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76aa540cabd3fb9bb10485b47fc5d97f.exe
Size

198KB
MD5

76aa540cabd3fb9bb10485b47fc5d97f
SHA1

41f6e35a4537dd145a25bac1c4a3835f4d26e682
SHA256

dc346ddbdd9fbf380829eb2b337b80963cd2078bd620dec741388eb51a2af6a3
SHA512

07f195d876fd3780837314769b85199ad0bc55dfbac96458eda8f906357db47fb6ffde3fb6d37a921d756e14be9a684e355a0311698a5edf5ecd0264b9b369a6
SSDEEP

3072:OeuvyJMduOak7cON4JFBTRDBtXSGifdZPvs76F0qCCzeztzWzHjorObO/:NuvyAakZ4rjBpCrs7ZAy0j

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
584	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	ytkeanw.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
2316	76aa540cabd3fb9bb10485b47fc5d97f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x000a000000014af6-5.dat	upx
behavioral1/memory/2316-11-0x00000000004A0000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/2736-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8D4C3D58-7D41-80A6-C7BD-4E953F2131C0} = "C:\\Users\\Admin\\AppData\\Roaming\\Woexu\\ytkeanw.exe"	ytkeanw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	76aa540cabd3fb9bb10485b47fc5d97f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	76aa540cabd3fb9bb10485b47fc5d97f.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\19BC163E-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe
2736	ytkeanw.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
Token: SeLoadDriverPrivilege	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
Token: SeSecurityPrivilege	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
Token: SeLoadDriverPrivilege	2736	ytkeanw.exe
Token: SeLoadDriverPrivilege	2736	ytkeanw.exe
Token: SeSecurityPrivilege	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
Token: SeSecurityPrivilege	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe
Token: SeManageVolumePrivilege	2508	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2508	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2508	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2736	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	28
PID 2316 wrote to memory of 2736	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	28
PID 2316 wrote to memory of 2736	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	28
PID 2316 wrote to memory of 2736	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	28
PID 2736 wrote to memory of 1196	2736	ytkeanw.exe	8
PID 2736 wrote to memory of 1196	2736	ytkeanw.exe	8
PID 2736 wrote to memory of 1196	2736	ytkeanw.exe	8
PID 2736 wrote to memory of 1196	2736	ytkeanw.exe	8
PID 2736 wrote to memory of 1196	2736	ytkeanw.exe	8
PID 2736 wrote to memory of 1280	2736	ytkeanw.exe	7
PID 2736 wrote to memory of 1280	2736	ytkeanw.exe	7
PID 2736 wrote to memory of 1280	2736	ytkeanw.exe	7
PID 2736 wrote to memory of 1280	2736	ytkeanw.exe	7
PID 2736 wrote to memory of 1280	2736	ytkeanw.exe	7
PID 2736 wrote to memory of 1312	2736	ytkeanw.exe	6
PID 2736 wrote to memory of 1312	2736	ytkeanw.exe	6
PID 2736 wrote to memory of 1312	2736	ytkeanw.exe	6
PID 2736 wrote to memory of 1312	2736	ytkeanw.exe	6
PID 2736 wrote to memory of 1312	2736	ytkeanw.exe	6
PID 2736 wrote to memory of 1336	2736	ytkeanw.exe	4
PID 2736 wrote to memory of 1336	2736	ytkeanw.exe	4
PID 2736 wrote to memory of 1336	2736	ytkeanw.exe	4
PID 2736 wrote to memory of 1336	2736	ytkeanw.exe	4
PID 2736 wrote to memory of 1336	2736	ytkeanw.exe	4
PID 2736 wrote to memory of 2316	2736	ytkeanw.exe	13
PID 2736 wrote to memory of 2316	2736	ytkeanw.exe	13
PID 2736 wrote to memory of 2316	2736	ytkeanw.exe	13
PID 2736 wrote to memory of 2316	2736	ytkeanw.exe	13
PID 2736 wrote to memory of 2316	2736	ytkeanw.exe	13
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2316 wrote to memory of 584	2316	76aa540cabd3fb9bb10485b47fc5d97f.exe	30
PID 2736 wrote to memory of 2348	2736	ytkeanw.exe	31
PID 2736 wrote to memory of 2348	2736	ytkeanw.exe	31
PID 2736 wrote to memory of 2348	2736	ytkeanw.exe	31
PID 2736 wrote to memory of 2348	2736	ytkeanw.exe	31
PID 2736 wrote to memory of 2348	2736	ytkeanw.exe	31
PID 2736 wrote to memory of 2968	2736	ytkeanw.exe	33
PID 2736 wrote to memory of 2968	2736	ytkeanw.exe	33
PID 2736 wrote to memory of 2968	2736	ytkeanw.exe	33
PID 2736 wrote to memory of 2968	2736	ytkeanw.exe	33
PID 2736 wrote to memory of 2968	2736	ytkeanw.exe	33
PID 2736 wrote to memory of 2600	2736	ytkeanw.exe	34
PID 2736 wrote to memory of 2600	2736	ytkeanw.exe	34
PID 2736 wrote to memory of 2600	2736	ytkeanw.exe	34
PID 2736 wrote to memory of 2600	2736	ytkeanw.exe	34
PID 2736 wrote to memory of 2600	2736	ytkeanw.exe	34

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\76aa540cabd3fb9bb10485b47fc5d97f.exe
  "C:\Users\Admin\AppData\Local\Temp\76aa540cabd3fb9bb10485b47fc5d97f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Roaming\Woexu\ytkeanw.exe
    "C:\Users\Admin\AppData\Roaming\Woexu\ytkeanw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e8b6262.bat"
    3⤵
    - Deletes itself
    PID:584

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1280

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1196

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
2ea56bb8646390480246ddd1f757e6a9

SHA1
f84f3e367f9d4e5c919123ddedf0324c1ab4a70b

SHA256
5cb22b3c61f2aa7aa944008a96a9184a4db48e27c908f61363ab29871db89bd0

SHA512
bb08989682c2fb58bd4af35f186277c6936599cabbe3d4e76dc2bfcc47465ca8e059dd942ffaaea46e68fed4d01fe7dd08634291e309753a62fa0e07229de2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6e8b6262.bat

Filesize
243B

MD5
f2bcc9ec19b5008d55572b59674b7087

SHA1
fe2f91cdc2fec4a1a23ba41487d20f6f28e04d99

SHA256
928fe1cfa3d7c3872c941dcb9a24a90e55e7bbeac176c91c7132b85302a16c6f

SHA512
8e7db46dc30921b58ac5599243739518d198343e4a21fa20e5c23985699d6d6cba757fec775b8c3113ee16af56a599a77773c295dc22776dafbcbfc06bc08607

Download Submit
C:\Users\Admin\AppData\Roaming\Vuxeavt\igamol.vir

Filesize
366B

MD5
69483b5e904eeeaface807f9a58b9cf4

SHA1
98116e970af541c7ab775bdf39db82e175c9b5ee

SHA256
67ffd96ceda1eb9ae6da64928dce31a41e864b55a7c97d432981f71a53aae5ec

SHA512
84e4fcd32bd16ee2f82570ebbeb99c7e257f0a4d33ccabbde68db3e50b8832c970a38d9d23e03e97c1c527e0e26cc817962c929ba941f4552dff54a69a472cbf

Download Submit
\Users\Admin\AppData\Roaming\Woexu\ytkeanw.exe

Filesize
198KB

MD5
45a99154b2a8dfb6f15d839309e7f208

SHA1
77096b9a18ad46152651fdf3db238064af610549

SHA256
6f621e5f2f597d14c5a986e8d64a30f2ab0fcdd5248bf055a4a42e300041023f

SHA512
a74034d3e67c8d9f5c5f4e4591e91497c47ebe41d37a1698a3d41fe11e3ba33a923cb9199da550229d67492456e2e81595e3123fcca91438d587fd47344b3032

Download Submit
memory/584-315-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/584-301-0x0000000077990000-0x0000000077991000-memory.dmp

Filesize
4KB

Download
memory/584-221-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1196-19-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1196-21-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1196-23-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1196-25-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1196-17-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1280-30-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1280-31-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1280-28-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1280-29-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1312-34-0x0000000002EF0000-0x0000000002F17000-memory.dmp

Filesize
156KB

Download
memory/1312-35-0x0000000002EF0000-0x0000000002F17000-memory.dmp

Filesize
156KB

Download
memory/1312-33-0x0000000002EF0000-0x0000000002F17000-memory.dmp

Filesize
156KB

Download
memory/1312-36-0x0000000002EF0000-0x0000000002F17000-memory.dmp

Filesize
156KB

Download
memory/1336-41-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1336-40-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1336-39-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1336-38-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/2316-49-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-71-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-45-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-47-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-48-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-51-0x0000000077990000-0x0000000077991000-memory.dmp

Filesize
4KB

Download
memory/2316-50-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-53-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-55-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-57-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-59-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-61-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-63-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-65-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-67-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-69-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-44-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-73-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-75-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-77-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-79-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-92-0x0000000077990000-0x0000000077991000-memory.dmp

Filesize
4KB

Download
memory/2316-141-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2316-46-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-1-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2316-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-220-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2316-13-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2316-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-11-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2736-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2736-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download