Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2024, 06:45
Behavioral task behavioral1
- Sample: 76aa540cabd3fb9bb10485b47fc5d97f.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 76aa540cabd3fb9bb10485b47fc5d97f.exe
- Resource: win10v2004-20231215-en
General
- Target: 76aa540cabd3fb9bb10485b47fc5d97f.exe
- Size: 198KB
- MD5: 76aa540cabd3fb9bb10485b47fc5d97f
- SHA1: 41f6e35a4537dd145a25bac1c4a3835f4d26e682
- SHA256: dc346ddbdd9fbf380829eb2b337b80963cd2078bd620dec741388eb51a2af6a3
- SHA512: 07f195d876fd3780837314769b85199ad0bc55dfbac96458eda8f906357db47fb6ffde3fb6d37a921d756e14be9a684e355a0311698a5edf5ecd0264b9b369a6
- SSDEEP: 3072:OeuvyJMduOak7cON4JFBTRDBtXSGifdZPvs76F0qCCzeztzWzHjorObO/:NuvyAakZ4rjBpCrs7ZAy0j
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 584 cmd.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 2736 ytkeanw.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2316 76aa540cabd3fb9bb10485b47fc5d97f.exe (listed twice)
- yara_rule upx (resource hits):
  behavioral1/memory/2316-0-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/files/0x000a000000014af6-5.dat
  behavioral1/memory/2316-11-0x00000000004A0000-0x00000000004E4000-memory.dmp
  behavioral1/memory/2736-14-0x0000000000400000-0x0000000000444000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8D4C3D58-7D41-80A6-C7BD-4E953F2131C0} = "C:\\Users\\Admin\\AppData\\Roaming\\Woexu\\ytkeanw.exe"
  Process: ytkeanw.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2316 set thread context of 584; pid 2316, Process 76aa540cabd3fb9bb10485b47fc5d97f.exe, procid_target 30
- Modifies Internet Explorer settings (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy
  Process: 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  Process: 76aa540cabd3fb9bb10485b47fc5d97f.exe
- NTFS ADS (1 IoC)
  File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\19BC163E-00000001.eml:OECustomProperty
  Process: WinMail.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid / Process: 2736 ytkeanw.exe (the same entry is repeated 32 times in the report)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeLoadDriverPrivilege, pid 2316, 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Token: SeLoadDriverPrivilege, pid 2316, 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Token: SeSecurityPrivilege, pid 2316, 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Token: SeLoadDriverPrivilege, pid 2736, ytkeanw.exe
  Token: SeLoadDriverPrivilege, pid 2736, ytkeanw.exe
  Token: SeSecurityPrivilege, pid 2316, 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Token: SeSecurityPrivilege, pid 2316, 76aa540cabd3fb9bb10485b47fc5d97f.exe
  Token: SeManageVolumePrivilege, pid 2508, WinMail.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process: 2508 WinMail.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid / Process: 2508 WinMail.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2508 WinMail.exe
- Suspicious use of WriteProcessMemory (53 IoCs)
  Distinct entries, with the number of times each is repeated in the report (53 in total):
  pid   Process                               wrote to PID  procid_target  repeats
  2316  76aa540cabd3fb9bb10485b47fc5d97f.exe  2736          28             4
  2736  ytkeanw.exe                           1196          8              5
  2736  ytkeanw.exe                           1280          7              5
  2736  ytkeanw.exe                           1312          6              5
  2736  ytkeanw.exe                           1336          4              5
  2736  ytkeanw.exe                           2316          13             5
  2316  76aa540cabd3fb9bb10485b47fc5d97f.exe  584           30             9
  2736  ytkeanw.exe                           2348          31             5
  2736  ytkeanw.exe                           2968          33             5
  2736  ytkeanw.exe                           2600          34             5
Processes
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1336
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID: 1312
  - C:\Users\Admin\AppData\Local\Temp\76aa540cabd3fb9bb10485b47fc5d97f.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\76aa540cabd3fb9bb10485b47fc5d97f.exe"
    PID: 2316
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Woexu\ytkeanw.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Woexu\ytkeanw.exe"
      PID: 2736
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e8b6262.bat"
      PID: 584
      signatures: Deletes itself
- C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
  PID: 1280
- C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
  PID: 1196
- C:\Program Files\Windows Mail\WinMail.exe
  cmdline: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  PID: 2508
  signatures: NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 2348
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2968
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2600
Network
MITRE ATT&CK Enterprise v15
Downloads