a1589ed6f5ee39d426e7769fc06f04dca3fff89e32fb9be1b6bfb03209a583f1

Analysis

max time kernel
152s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899a9b29918f65aa44a13b6781d154f9.exe
Size

363KB
MD5

899a9b29918f65aa44a13b6781d154f9
SHA1

448a053765c225afcdcd8241e902cad555d149cc
SHA256

a1589ed6f5ee39d426e7769fc06f04dca3fff89e32fb9be1b6bfb03209a583f1
SHA512

a758207f0e2108bd397cb3a222513e073ee610423122c508cee725c1eb38049932af6e45686a7a6721a1af170bec8b9eea92bf193460bf8cfb3f22b830e1726c
SSDEEP

6144:0Qq03ilYKQWwsctuEDBHlC8w9WuKc9mfhTNSBLJeQAJrs+z:0/0SlFvwVdNdeuphkBNRwrs+z

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2188	voubyt.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	899a9b29918f65aa44a13b6781d154f9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8D03B3C8-CEC5-AD4E-9D6C-4FF59E096CE8} = "C:\\Users\\Admin\\AppData\\Roaming\\Seomk\\voubyt.exe"	voubyt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2908	756	WerFault.exe	29
1616	2908	WerFault.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	899a9b29918f65aa44a13b6781d154f9.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	899a9b29918f65aa44a13b6781d154f9.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe
2188	voubyt.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2264	899a9b29918f65aa44a13b6781d154f9.exe
2188	voubyt.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2188	2264	899a9b29918f65aa44a13b6781d154f9.exe	28
PID 2264 wrote to memory of 2188	2264	899a9b29918f65aa44a13b6781d154f9.exe	28
PID 2264 wrote to memory of 2188	2264	899a9b29918f65aa44a13b6781d154f9.exe	28
PID 2264 wrote to memory of 2188	2264	899a9b29918f65aa44a13b6781d154f9.exe	28
PID 2188 wrote to memory of 1128	2188	voubyt.exe	8
PID 2188 wrote to memory of 1128	2188	voubyt.exe	8
PID 2188 wrote to memory of 1128	2188	voubyt.exe	8
PID 2188 wrote to memory of 1128	2188	voubyt.exe	8
PID 2188 wrote to memory of 1128	2188	voubyt.exe	8
PID 2188 wrote to memory of 1216	2188	voubyt.exe	7
PID 2188 wrote to memory of 1216	2188	voubyt.exe	7
PID 2188 wrote to memory of 1216	2188	voubyt.exe	7
PID 2188 wrote to memory of 1216	2188	voubyt.exe	7
PID 2188 wrote to memory of 1216	2188	voubyt.exe	7
PID 2188 wrote to memory of 1256	2188	voubyt.exe	6
PID 2188 wrote to memory of 1256	2188	voubyt.exe	6
PID 2188 wrote to memory of 1256	2188	voubyt.exe	6
PID 2188 wrote to memory of 1256	2188	voubyt.exe	6
PID 2188 wrote to memory of 1256	2188	voubyt.exe	6
PID 2188 wrote to memory of 1632	2188	voubyt.exe	4
PID 2188 wrote to memory of 1632	2188	voubyt.exe	4
PID 2188 wrote to memory of 1632	2188	voubyt.exe	4
PID 2188 wrote to memory of 1632	2188	voubyt.exe	4
PID 2188 wrote to memory of 1632	2188	voubyt.exe	4
PID 2188 wrote to memory of 2264	2188	voubyt.exe	16
PID 2188 wrote to memory of 2264	2188	voubyt.exe	16
PID 2188 wrote to memory of 2264	2188	voubyt.exe	16
PID 2188 wrote to memory of 2264	2188	voubyt.exe	16
PID 2188 wrote to memory of 2264	2188	voubyt.exe	16
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 2264 wrote to memory of 756	2264	899a9b29918f65aa44a13b6781d154f9.exe	29
PID 756 wrote to memory of 2908	756	cmd.exe	31
PID 756 wrote to memory of 2908	756	cmd.exe	31
PID 756 wrote to memory of 2908	756	cmd.exe	31
PID 756 wrote to memory of 2908	756	cmd.exe	31
PID 2188 wrote to memory of 2128	2188	voubyt.exe	30
PID 2188 wrote to memory of 2128	2188	voubyt.exe	30
PID 2188 wrote to memory of 2128	2188	voubyt.exe	30
PID 2188 wrote to memory of 2128	2188	voubyt.exe	30
PID 2188 wrote to memory of 2128	2188	voubyt.exe	30
PID 2188 wrote to memory of 2908	2188	voubyt.exe	31
PID 2188 wrote to memory of 2908	2188	voubyt.exe	31
PID 2188 wrote to memory of 2908	2188	voubyt.exe	31
PID 2188 wrote to memory of 2908	2188	voubyt.exe	31
PID 2188 wrote to memory of 2908	2188	voubyt.exe	31
PID 2908 wrote to memory of 1616	2908	WerFault.exe	32
PID 2908 wrote to memory of 1616	2908	WerFault.exe	32
PID 2908 wrote to memory of 1616	2908	WerFault.exe	32
PID 2908 wrote to memory of 1616	2908	WerFault.exe	32

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\899a9b29918f65aa44a13b6781d154f9.exe
  "C:\Users\Admin\AppData\Local\Temp\899a9b29918f65aa44a13b6781d154f9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\Seomk\voubyt.exe
    "C:\Users\Admin\AppData\Roaming\Seomk\voubyt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5d8d510.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 116
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 536
        5⤵
        Program crash
        
        PID:1616

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2734379519411917562137382872-19743674288006063001706700938-811254384-734949846"
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Seomk\voubyt.exe

Filesize
363KB

MD5
2bdd4aa67fe665b549483f0f8c4eeb59

SHA1
405e28651bda328b8a3e85a576608fddad0c77c4

SHA256
73a4b1fe33e6e28bab56e8f88fb081280b967fb7650b16f4a70b5744f9ce23ee

SHA512
a11c0ef54d2ea7f1ad38e228a8b97f27863fe05f3a6d0adefea089bafcc51fda8e47880acd5dd4eed67734182c050431fef07f2e5f4ae63b34ab1fa3d70f4897

Download Submit
memory/1128-19-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/1128-15-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/1128-18-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/1128-16-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/1128-20-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/1216-25-0x0000000001BE0000-0x0000000001C22000-memory.dmp

Filesize
264KB

Download
memory/1216-22-0x0000000001BE0000-0x0000000001C22000-memory.dmp

Filesize
264KB

Download
memory/1216-23-0x0000000001BE0000-0x0000000001C22000-memory.dmp

Filesize
264KB

Download
memory/1216-24-0x0000000001BE0000-0x0000000001C22000-memory.dmp

Filesize
264KB

Download
memory/1256-28-0x0000000002B20000-0x0000000002B62000-memory.dmp

Filesize
264KB

Download
memory/1256-29-0x0000000002B20000-0x0000000002B62000-memory.dmp

Filesize
264KB

Download
memory/1256-27-0x0000000002B20000-0x0000000002B62000-memory.dmp

Filesize
264KB

Download
memory/1256-30-0x0000000002B20000-0x0000000002B62000-memory.dmp

Filesize
264KB

Download
memory/1632-34-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/1632-33-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/1632-35-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/1632-32-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/2188-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-14-0x0000000000350000-0x00000000003AE000-memory.dmp

Filesize
376KB

Download
memory/2188-12-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2264-79-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-59-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-47-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2264-51-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-53-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-49-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-46-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-137-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-77-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-75-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-73-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-71-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-69-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-67-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-65-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-63-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-61-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-45-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2264-57-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-55-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-39-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-37-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-38-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-159-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-43-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-42-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2264-41-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-40-0x0000000001D80000-0x0000000001DC2000-memory.dmp

Filesize
264KB

Download
memory/2264-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-0-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2264-1-0x00000000002D0000-0x000000000032E000-memory.dmp

Filesize
376KB

Download