0fd0899e365646ef59c5971addf8666f066015bfe400d7977291ebb145f9937e

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b328a1ccd518514da2fe88c61bfee2.exe
Size

364KB
MD5

88b328a1ccd518514da2fe88c61bfee2
SHA1

594b94463da34d5b23068a0c37197989728a243a
SHA256

0fd0899e365646ef59c5971addf8666f066015bfe400d7977291ebb145f9937e
SHA512

cc16ea812fa3deac3418e1c48a6eef398f609958178ccc85152a91f90d48796f9aef0c7c32a6350fab96fee742f97d47dc29347296fd126d921ed8bb16ba1d08
SSDEEP

6144:Xn8ukcbLviSGqJjW8lE0crUTMX+82IXpW0vH66RVas3Gmxq2/2eW/ZDUp/fIIbGi:Xn8HcbL6Sdvu0YUTk1ZW0vH66vW92/Cu

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	ekzo.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	88b328a1ccd518514da2fe88c61bfee2.exe
2356	88b328a1ccd518514da2fe88c61bfee2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000141c0-14.dat	upx
behavioral1/files/0x000d0000000141c0-12.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F08D48C8-DA76-AD4E-F540-ECC2E1DBCFDF} = "C:\\Users\\Admin\\AppData\\Roaming\\Acvoe\\ekzo.exe"	ekzo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16

Program crash 1 IoCs

pid	pid_target	Process
1512	1864	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	88b328a1ccd518514da2fe88c61bfee2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	88b328a1ccd518514da2fe88c61bfee2.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe
804	ekzo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2356	88b328a1ccd518514da2fe88c61bfee2.exe
Token: SeSecurityPrivilege	2356	88b328a1ccd518514da2fe88c61bfee2.exe
Token: SeSecurityPrivilege	2356	88b328a1ccd518514da2fe88c61bfee2.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 804	2356	88b328a1ccd518514da2fe88c61bfee2.exe	17
PID 2356 wrote to memory of 804	2356	88b328a1ccd518514da2fe88c61bfee2.exe	17
PID 2356 wrote to memory of 804	2356	88b328a1ccd518514da2fe88c61bfee2.exe	17
PID 2356 wrote to memory of 804	2356	88b328a1ccd518514da2fe88c61bfee2.exe	17
PID 804 wrote to memory of 1272	804	ekzo.exe	9
PID 804 wrote to memory of 1272	804	ekzo.exe	9
PID 804 wrote to memory of 1272	804	ekzo.exe	9
PID 804 wrote to memory of 1272	804	ekzo.exe	9
PID 804 wrote to memory of 1272	804	ekzo.exe	9
PID 804 wrote to memory of 1340	804	ekzo.exe	8
PID 804 wrote to memory of 1340	804	ekzo.exe	8
PID 804 wrote to memory of 1340	804	ekzo.exe	8
PID 804 wrote to memory of 1340	804	ekzo.exe	8
PID 804 wrote to memory of 1340	804	ekzo.exe	8
PID 804 wrote to memory of 1372	804	ekzo.exe	7
PID 804 wrote to memory of 1372	804	ekzo.exe	7
PID 804 wrote to memory of 1372	804	ekzo.exe	7
PID 804 wrote to memory of 1372	804	ekzo.exe	7
PID 804 wrote to memory of 1372	804	ekzo.exe	7
PID 804 wrote to memory of 1968	804	ekzo.exe	5
PID 804 wrote to memory of 1968	804	ekzo.exe	5
PID 804 wrote to memory of 1968	804	ekzo.exe	5
PID 804 wrote to memory of 1968	804	ekzo.exe	5
PID 804 wrote to memory of 1968	804	ekzo.exe	5
PID 804 wrote to memory of 2356	804	ekzo.exe	1
PID 804 wrote to memory of 2356	804	ekzo.exe	1
PID 804 wrote to memory of 2356	804	ekzo.exe	1
PID 804 wrote to memory of 2356	804	ekzo.exe	1
PID 804 wrote to memory of 2356	804	ekzo.exe	1
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 2356 wrote to memory of 1864	2356	88b328a1ccd518514da2fe88c61bfee2.exe	16
PID 1864 wrote to memory of 1512	1864	cmd.exe	14
PID 1864 wrote to memory of 1512	1864	cmd.exe	14
PID 1864 wrote to memory of 1512	1864	cmd.exe	14
PID 1864 wrote to memory of 1512	1864	cmd.exe	14
PID 804 wrote to memory of 380	804	ekzo.exe	15
PID 804 wrote to memory of 380	804	ekzo.exe	15
PID 804 wrote to memory of 380	804	ekzo.exe	15
PID 804 wrote to memory of 380	804	ekzo.exe	15
PID 804 wrote to memory of 380	804	ekzo.exe	15
PID 804 wrote to memory of 1512	804	ekzo.exe	14
PID 804 wrote to memory of 1512	804	ekzo.exe	14
PID 804 wrote to memory of 1512	804	ekzo.exe	14
PID 804 wrote to memory of 1512	804	ekzo.exe	14
PID 804 wrote to memory of 1512	804	ekzo.exe	14

C:\Users\Admin\AppData\Local\Temp\88b328a1ccd518514da2fe88c61bfee2.exe
"C:\Users\Admin\AppData\Local\Temp\88b328a1ccd518514da2fe88c61bfee2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe020d382.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- C:\Users\Admin\AppData\Roaming\Acvoe\ekzo.exe
  "C:\Users\Admin\AppData\Roaming\Acvoe\ekzo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1968

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 112
1⤵
- Program crash
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-72238316479261442616869617291388848372449990717-1742936445221381447807014376"
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Acvoe\ekzo.exe

Filesize
364KB

MD5
89e38462934f3e4b2851e4d10496cc68

SHA1
a150f1a93883abcf3bd9fcfaccc1754e0bbd98dc

SHA256
d92423038001bc74a848c4defe11f9ca99f51836e9a9717e6b99c39e894d1c8b

SHA512
65c7ec5a6fafe98b76c8139419967b63404f752b6cc4eadc9c99429405bf243267366aaae8f0df0375d555e5ebd2995e4053723056313fdc9d7cedde0788bab1

Download Submit
C:\Users\Admin\AppData\Roaming\Acvoe\ekzo.exe

Filesize
225KB

MD5
85f943eaa44212d0e4d837dfdea8003a

SHA1
1616b815eddb4e513d2e789b51bb63deb0c9776a

SHA256
87748b42432690060e34ffa5db97f01cba312ead1fe240afcbc412ab9f2812c7

SHA512
e1158c09e43e870d2d5061702e39d15826295cdb4e366f08881f820cc3ddc71d3b03f8441a1e6a6c7fd557054fc16dd54deecdf1d72dc46a455d9035cc262006

Download Submit
C:\Users\Admin\AppData\Roaming\Yfym\wetug.feb

Filesize
366B

MD5
d6936e39b89db0671880e5976968a1d6

SHA1
6b1147c9d57898b0da79b6b1c9d8c0a960766388

SHA256
262e6ae5ed92e32746be6e5aae85a782c1440159385d0021f3990fb44cf84cb2

SHA512
2de89b18d9791675e32b1e55446b148fd9ba2d571d2df30bf5639249a090d46aa6995c9c4de2eea53c72d7fe7f2e91af7f146df4b10a9e6be5655b4c7683b332

Download Submit
memory/804-16-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/804-280-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/804-18-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1272-25-0x0000000000410000-0x000000000044F000-memory.dmp

Filesize
252KB

Download
memory/1272-23-0x0000000000410000-0x000000000044F000-memory.dmp

Filesize
252KB

Download
memory/1272-19-0x0000000000410000-0x000000000044F000-memory.dmp

Filesize
252KB

Download
memory/1272-21-0x0000000000410000-0x000000000044F000-memory.dmp

Filesize
252KB

Download
memory/1272-15-0x0000000000410000-0x000000000044F000-memory.dmp

Filesize
252KB

Download
memory/1340-35-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1340-29-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1340-33-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1340-31-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1372-39-0x0000000002960000-0x000000000299F000-memory.dmp

Filesize
252KB

Download
memory/1372-38-0x0000000002960000-0x000000000299F000-memory.dmp

Filesize
252KB

Download
memory/1372-41-0x0000000002960000-0x000000000299F000-memory.dmp

Filesize
252KB

Download
memory/1372-40-0x0000000002960000-0x000000000299F000-memory.dmp

Filesize
252KB

Download
memory/1512-281-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1512-284-0x0000000002AD0000-0x0000000002B0F000-memory.dmp

Filesize
252KB

Download
memory/1512-276-0x0000000002AD0000-0x0000000002B0F000-memory.dmp

Filesize
252KB

Download
memory/1512-278-0x00000000778B0000-0x00000000778B1000-memory.dmp

Filesize
4KB

Download
memory/1968-47-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/1968-44-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/1968-45-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/1968-46-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/2356-170-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/2356-56-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/2356-55-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-59-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-61-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-63-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-65-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-67-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-69-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-71-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-73-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-75-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-77-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-79-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-90-0x00000000778B0000-0x00000000778B1000-memory.dmp

Filesize
4KB

Download
memory/2356-169-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2356-1-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2356-152-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-13-0x0000000002370000-0x00000000024A6000-memory.dmp

Filesize
1.2MB

Download
memory/2356-81-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2356-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2356-57-0x00000000778B0000-0x00000000778B1000-memory.dmp

Filesize
4KB

Download
memory/2356-53-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/2356-54-0x0000000000390000-0x00000000003CF000-memory.dmp

Filesize
252KB

Download
memory/2356-3-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2356-0-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download