f706eee356d07bade5c477067e579804ba32f3e28472999a8742d12af45d28a2

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b64f943dd4c0922baf34d73dc673cb2.exe
Size

262KB
MD5

7b64f943dd4c0922baf34d73dc673cb2
SHA1

52f2e206f85e0184f24ae3225bbf9493d6dd5dfc
SHA256

f706eee356d07bade5c477067e579804ba32f3e28472999a8742d12af45d28a2
SHA512

e60fa8ef0933279a2c925c1316c60626d5a8dc8bf3822593277727fa7172f01367bab1331e0f8be19089da0bb9d17054996b0ad1b81fc57480bde2e6247af36a
SSDEEP

6144:/58Gp+df0afmVTRMdbdpn94sLrNXel9Bb98+MAt/:B8YkfXf4TRMl94svNuzBb9Zr

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

moewo.exe

pid process

1700 moewo.exe
Loads dropped DLL 1 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exe

pid process

1748 7b64f943dd4c0922baf34d73dc673cb2.exe

pid	process
1748	7b64f943dd4c0922baf34d73dc673cb2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

moewo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Ylitl\\moewo.exe"	moewo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exe

description pid process target process

PID 1748 set thread context of 1564 1748 7b64f943dd4c0922baf34d73dc673cb2.exe cmd.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

296 1564 WerFault.exe cmd.exe
1568 296 WerFault.exe WerFault.exe

description	pid	process	target process
PID 1748 set thread context of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe

pid	pid_target	process	target process
296	1564	WerFault.exe	cmd.exe
1568	296	WerFault.exe	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	7b64f943dd4c0922baf34d73dc673cb2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7b64f943dd4c0922baf34d73dc673cb2.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

moewo.exe

pid	process
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe
1700	moewo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exe

description	pid	process
Token: SeSecurityPrivilege	1748	7b64f943dd4c0922baf34d73dc673cb2.exe
Token: SeSecurityPrivilege	1748	7b64f943dd4c0922baf34d73dc673cb2.exe
Token: SeSecurityPrivilege	1748	7b64f943dd4c0922baf34d73dc673cb2.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exemoewo.exe

pid process

1748 7b64f943dd4c0922baf34d73dc673cb2.exe
1700 moewo.exe

pid	process
1748	7b64f943dd4c0922baf34d73dc673cb2.exe
1700	moewo.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2.exemoewo.execmd.exeWerFault.exe

description	pid	process	target process
PID 1748 wrote to memory of 1700	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	moewo.exe
PID 1748 wrote to memory of 1700	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	moewo.exe
PID 1748 wrote to memory of 1700	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	moewo.exe
PID 1748 wrote to memory of 1700	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	moewo.exe
PID 1700 wrote to memory of 1112	1700	moewo.exe	taskhost.exe
PID 1700 wrote to memory of 1112	1700	moewo.exe	taskhost.exe
PID 1700 wrote to memory of 1112	1700	moewo.exe	taskhost.exe
PID 1700 wrote to memory of 1112	1700	moewo.exe	taskhost.exe
PID 1700 wrote to memory of 1112	1700	moewo.exe	taskhost.exe
PID 1700 wrote to memory of 1216	1700	moewo.exe	Dwm.exe
PID 1700 wrote to memory of 1216	1700	moewo.exe	Dwm.exe
PID 1700 wrote to memory of 1216	1700	moewo.exe	Dwm.exe
PID 1700 wrote to memory of 1216	1700	moewo.exe	Dwm.exe
PID 1700 wrote to memory of 1216	1700	moewo.exe	Dwm.exe
PID 1700 wrote to memory of 1284	1700	moewo.exe	Explorer.EXE
PID 1700 wrote to memory of 1284	1700	moewo.exe	Explorer.EXE
PID 1700 wrote to memory of 1284	1700	moewo.exe	Explorer.EXE
PID 1700 wrote to memory of 1284	1700	moewo.exe	Explorer.EXE
PID 1700 wrote to memory of 1284	1700	moewo.exe	Explorer.EXE
PID 1700 wrote to memory of 1600	1700	moewo.exe	DllHost.exe
PID 1700 wrote to memory of 1600	1700	moewo.exe	DllHost.exe
PID 1700 wrote to memory of 1600	1700	moewo.exe	DllHost.exe
PID 1700 wrote to memory of 1600	1700	moewo.exe	DllHost.exe
PID 1700 wrote to memory of 1600	1700	moewo.exe	DllHost.exe
PID 1700 wrote to memory of 1748	1700	moewo.exe	7b64f943dd4c0922baf34d73dc673cb2.exe
PID 1700 wrote to memory of 1748	1700	moewo.exe	7b64f943dd4c0922baf34d73dc673cb2.exe
PID 1700 wrote to memory of 1748	1700	moewo.exe	7b64f943dd4c0922baf34d73dc673cb2.exe
PID 1700 wrote to memory of 1748	1700	moewo.exe	7b64f943dd4c0922baf34d73dc673cb2.exe
PID 1700 wrote to memory of 1748	1700	moewo.exe	7b64f943dd4c0922baf34d73dc673cb2.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1748 wrote to memory of 1564	1748	7b64f943dd4c0922baf34d73dc673cb2.exe	cmd.exe
PID 1564 wrote to memory of 296	1564	cmd.exe	WerFault.exe
PID 1564 wrote to memory of 296	1564	cmd.exe	WerFault.exe
PID 1564 wrote to memory of 296	1564	cmd.exe	WerFault.exe
PID 1564 wrote to memory of 296	1564	cmd.exe	WerFault.exe
PID 1700 wrote to memory of 1624	1700	moewo.exe	conhost.exe
PID 1700 wrote to memory of 1624	1700	moewo.exe	conhost.exe
PID 1700 wrote to memory of 1624	1700	moewo.exe	conhost.exe
PID 1700 wrote to memory of 1624	1700	moewo.exe	conhost.exe
PID 1700 wrote to memory of 1624	1700	moewo.exe	conhost.exe
PID 1700 wrote to memory of 296	1700	moewo.exe	WerFault.exe
PID 1700 wrote to memory of 296	1700	moewo.exe	WerFault.exe
PID 1700 wrote to memory of 296	1700	moewo.exe	WerFault.exe
PID 1700 wrote to memory of 296	1700	moewo.exe	WerFault.exe
PID 1700 wrote to memory of 296	1700	moewo.exe	WerFault.exe
PID 296 wrote to memory of 1568	296	WerFault.exe	WerFault.exe
PID 296 wrote to memory of 1568	296	WerFault.exe	WerFault.exe
PID 296 wrote to memory of 1568	296	WerFault.exe	WerFault.exe
PID 296 wrote to memory of 1568	296	WerFault.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\7b64f943dd4c0922baf34d73dc673cb2.exe
"C:\Users\Admin\AppData\Local\Temp\7b64f943dd4c0922baf34d73dc673cb2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Ylitl\moewo.exe
"C:\Users\Admin\AppData\Roaming\Ylitl\moewo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd0f8c5bf.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 116
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 536
5⤵
- Program crash
PID:1568

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4449869711033818924962026904407812889531793647-1180426640-326568025-1596758403"
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ciigc\ahva.abe

Filesize
366B

MD5
572d2f7526f1cc860618ae8691eba0b5

SHA1
abc2d6ae8baa09ce6998e03f441c66e33ff638d1

SHA256
6fbc1f18f60cf8216a3fb209aca169dde2ccb02df6061bd1cdf3e501abb7581d

SHA512
29728e64a499afbb4f8d21fac2037c02f4ffed2a5cf2058ddb2fb2246158be5e5d5a6c40b44257b729f171e2583c4c90b5a0a165e6dfea5fe882c9f494dda84c

Download Submit
\Users\Admin\AppData\Roaming\Ylitl\moewo.exe

Filesize
262KB

MD5
6697ba1782e32d0eb9f461dd2f033965

SHA1
8f04499e9819166a390bfa3da5506f6f9bbdfabd

SHA256
b0011e861d0fb37051c0f90df4b372216da003cc04b135a248f3aba4e0f84982

SHA512
f9042b8a3eef0fb8cb07970c51d98a9ddb1c1bc2d5243b0d96069e59af431f94a825b259028a53fb1688c9f452a9cb0889119cf6906f4d199fac8b4fffe30fca

Download Submit
memory/1112-20-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-16-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-14-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-18-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1112-19-0x0000000001C90000-0x0000000001CD1000-memory.dmp

Filesize
260KB

Download
memory/1216-25-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-24-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-23-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1216-22-0x0000000001AF0000-0x0000000001B31000-memory.dmp

Filesize
260KB

Download
memory/1284-29-0x0000000002970000-0x00000000029B1000-memory.dmp

Filesize
260KB

Download
memory/1284-30-0x0000000002970000-0x00000000029B1000-memory.dmp

Filesize
260KB

Download
memory/1284-28-0x0000000002970000-0x00000000029B1000-memory.dmp

Filesize
260KB

Download
memory/1284-27-0x0000000002970000-0x00000000029B1000-memory.dmp

Filesize
260KB

Download
memory/1600-34-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1600-35-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1600-33-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1600-32-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1700-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1700-15-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download
memory/1700-13-0x0000000000350000-0x0000000000391000-memory.dmp

Filesize
260KB

Download
memory/1700-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-39-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-72-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-38-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1748-40-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-41-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-46-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-44-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-48-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-42-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-52-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-54-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-76-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-78-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-74-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-37-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-136-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-70-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-68-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-66-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-64-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-62-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-60-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-58-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-56-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-50-0x0000000077A60000-0x0000000077A61000-memory.dmp

Filesize
4KB

Download
memory/1748-49-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1748-1-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1748-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-160-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1748-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download