a008888ed66104286105d5e97013f55cb2518bac97d5e1f7ac3dfeedcc2b8913

General

Target

7e31fe3c00357e145fbe96a03c9e557c.exe
Size

193KB
MD5

7e31fe3c00357e145fbe96a03c9e557c
SHA1

d1a68e9caf33a3e19a76c420fb117629533fb4c2
SHA256

a008888ed66104286105d5e97013f55cb2518bac97d5e1f7ac3dfeedcc2b8913
SHA512

f2b1646b843274656e71f0d2fe7a7675190878cd0f7737c14308066e39e60d2b1178354816e1595ecf57fa22a8641887b8b4c9540cd3fc412f3364795757672f
SSDEEP

3072:O821bBnaBdHs+mC21JJ/427M2vmH6HST/nAPGcBCcmcu66DQnxP2Qhfe:+bBV+gJQ2A2vmHNTYP//mV6FP3hf

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2592 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

xiidh.exe

pid process

2624 xiidh.exe
Loads dropped DLL 2 IoCs

Processes:

7e31fe3c00357e145fbe96a03c9e557c.exe

pid process

1896 7e31fe3c00357e145fbe96a03c9e557c.exe
1896 7e31fe3c00357e145fbe96a03c9e557c.exe

pid	process
2592	cmd.exe

pid	process
1896	7e31fe3c00357e145fbe96a03c9e557c.exe
1896	7e31fe3c00357e145fbe96a03c9e557c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1896-0-0x0000000000400000-0x0000000000443000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Peuse\xiidh.exe	upx
behavioral1/memory/2624-14-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xiidh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{41702729-DC4A-B3A2-277B-42142C56C6A7} = "C:\\Users\\Admin\\AppData\\Roaming\\Peuse\\xiidh.exe"	xiidh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7e31fe3c00357e145fbe96a03c9e557c.exe

description pid process target process

PID 1896 set thread context of 2592 1896 7e31fe3c00357e145fbe96a03c9e557c.exe cmd.exe

description	pid	process	target process
PID 1896 set thread context of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7e31fe3c00357e145fbe96a03c9e557c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy	7e31fe3c00357e145fbe96a03c9e557c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7e31fe3c00357e145fbe96a03c9e557c.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

xiidh.exe

pid	process
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe
2624	xiidh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7e31fe3c00357e145fbe96a03c9e557c.exe

description	pid	process
Token: SeSecurityPrivilege	1896	7e31fe3c00357e145fbe96a03c9e557c.exe
Token: SeSecurityPrivilege	1896	7e31fe3c00357e145fbe96a03c9e557c.exe
Token: SeSecurityPrivilege	1896	7e31fe3c00357e145fbe96a03c9e557c.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

7e31fe3c00357e145fbe96a03c9e557c.exexiidh.exe

description	pid	process	target process
PID 1896 wrote to memory of 2624	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	xiidh.exe
PID 1896 wrote to memory of 2624	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	xiidh.exe
PID 1896 wrote to memory of 2624	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	xiidh.exe
PID 1896 wrote to memory of 2624	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	xiidh.exe
PID 2624 wrote to memory of 1056	2624	xiidh.exe	taskhost.exe
PID 2624 wrote to memory of 1056	2624	xiidh.exe	taskhost.exe
PID 2624 wrote to memory of 1056	2624	xiidh.exe	taskhost.exe
PID 2624 wrote to memory of 1056	2624	xiidh.exe	taskhost.exe
PID 2624 wrote to memory of 1056	2624	xiidh.exe	taskhost.exe
PID 2624 wrote to memory of 1112	2624	xiidh.exe	Dwm.exe
PID 2624 wrote to memory of 1112	2624	xiidh.exe	Dwm.exe
PID 2624 wrote to memory of 1112	2624	xiidh.exe	Dwm.exe
PID 2624 wrote to memory of 1112	2624	xiidh.exe	Dwm.exe
PID 2624 wrote to memory of 1112	2624	xiidh.exe	Dwm.exe
PID 2624 wrote to memory of 1164	2624	xiidh.exe	Explorer.EXE
PID 2624 wrote to memory of 1164	2624	xiidh.exe	Explorer.EXE
PID 2624 wrote to memory of 1164	2624	xiidh.exe	Explorer.EXE
PID 2624 wrote to memory of 1164	2624	xiidh.exe	Explorer.EXE
PID 2624 wrote to memory of 1164	2624	xiidh.exe	Explorer.EXE
PID 2624 wrote to memory of 1784	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 1784	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 1784	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 1784	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 1784	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 1896	2624	xiidh.exe	7e31fe3c00357e145fbe96a03c9e557c.exe
PID 2624 wrote to memory of 1896	2624	xiidh.exe	7e31fe3c00357e145fbe96a03c9e557c.exe
PID 2624 wrote to memory of 1896	2624	xiidh.exe	7e31fe3c00357e145fbe96a03c9e557c.exe
PID 2624 wrote to memory of 1896	2624	xiidh.exe	7e31fe3c00357e145fbe96a03c9e557c.exe
PID 2624 wrote to memory of 1896	2624	xiidh.exe	7e31fe3c00357e145fbe96a03c9e557c.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 1896 wrote to memory of 2592	1896	7e31fe3c00357e145fbe96a03c9e557c.exe	cmd.exe
PID 2624 wrote to memory of 2508	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 2508	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 2508	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 2508	2624	xiidh.exe	DllHost.exe
PID 2624 wrote to memory of 2508	2624	xiidh.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\7e31fe3c00357e145fbe96a03c9e557c.exe
"C:\Users\Admin\AppData\Local\Temp\7e31fe3c00357e145fbe96a03c9e557c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\Peuse\xiidh.exe
"C:\Users\Admin\AppData\Roaming\Peuse\xiidh.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb1db86ba.bat"
3⤵
- Deletes itself
PID:2592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1784

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1112

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb1db86ba.bat
Filesize
243B

MD5
cefaa4716a0976c11f9e8db5821ac5bd

SHA1
520bd794c72c5267504d99c78c0dabd623fdaada

SHA256
33f0830c4f1786b427cb38e1202de5fd4a8a4b1bb8daeb69746c432fd9520c84

SHA512
dae739cc647aa311b0d277ca363a9bbf8b53401f56f5fd9f5730582bd0c384eb334d8a5af50ea2824e76b691d8aab89720be8f637f8484735c0db7e5470b706b

Download Submit
C:\Users\Admin\AppData\Roaming\Aquhs\amil.utp
Filesize
366B

MD5
8cec228c4527d001d5bf63e36e0fcf4b

SHA1
569e6bf369009065e197688f0497f0de04f74eb5

SHA256
eddb3924706430f68701a5221c8224a38aaa978f48af5fdea1b94bb10c26753c

SHA512
6923c1a99aaefb3ffb22a7f3eb5002fd3d6143c32d18692b0f824cdfec8b2da487cc750df9b849bedca2c0f1f3142d526a90bbb789a1bbf4516feb3b4703532c

Download Submit
\Users\Admin\AppData\Roaming\Peuse\xiidh.exe
Filesize
193KB

MD5
b1efa2e9532fd8ebc27c78b240a8fe03

SHA1
501460e284f28b335a39413205e2c47e1470e5b8

SHA256
bca91aa7d6ede5f5631f9572494f748bc2c7faaffa0f0a2282881b46c1b08890

SHA512
1bf3cdaaac3a1ef881542da87757b21c6a4185f99bf37374cee6d565c621a67a93d3745ce907ecde586292c14335627e55a116ee454a6e1768edc21139834ded

Download Submit
memory/1056-17-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/1056-19-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/1056-21-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/1056-23-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/1056-25-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/1112-30-0x0000000001EB0000-0x0000000001ED6000-memory.dmp

Filesize
152KB

Download
memory/1112-28-0x0000000001EB0000-0x0000000001ED6000-memory.dmp

Filesize
152KB

Download
memory/1112-29-0x0000000001EB0000-0x0000000001ED6000-memory.dmp

Filesize
152KB

Download
memory/1112-31-0x0000000001EB0000-0x0000000001ED6000-memory.dmp

Filesize
152KB

Download
memory/1164-35-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/1164-36-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/1164-34-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/1164-33-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/1784-38-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1784-41-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1784-39-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1784-40-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1896-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-63-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-96-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/1896-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1896-140-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-50-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1896-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-73-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-71-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-13-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1896-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-12-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1896-44-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1896-57-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-53-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-52-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1896-48-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1896-46-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2592-247-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/2592-236-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/2592-155-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/2592-153-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/2624-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2624-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads