Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: 9730e701dad73a9d1e8119c13a721898.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 9730e701dad73a9d1e8119c13a721898.exe
- Resource: win10v2004-20231215-en
General
- Target: 9730e701dad73a9d1e8119c13a721898.exe
- Size: 262KB
- MD5: 9730e701dad73a9d1e8119c13a721898
- SHA1: 9c1b9d079cd0dbc82190c44fb401787efb3cff06
- SHA256: c179df3235c0e7e820186eb3147e5305ebd0e5399d37c45aa232bb643d3824f2
- SHA512: 93159cddff7e95a526f270ab16f43b777eec6c957cf73a598623419758fcb32f2a5e94e0b3be105b9b59788634a3767fc6bf9c92c8223bf9a8c5473c2609c25b
- SSDEEP: 6144:uT8Gp+df0afmVTRMdGdpn94sLrNXel9cXb98+MAUr:I8YkfXf4TRM+94svNuzcb9Z+
Malware Config
Signatures
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 2124)
- Executes dropped EXE (1 IoC)
  Process: buyl.exe (PID 2668)
- Loads dropped DLL (1 IoC)
  Process: 9730e701dad73a9d1e8119c13a721898.exe (PID 2376)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: buyl.exe
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{40C758C8-CEFB-AD4E-7138-F2B16CEAD1AC} = "C:\\Users\\Admin\\AppData\\Roaming\\Ecxof\\buyl.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Process: 9730e701dad73a9d1e8119c13a721898.exe (PID 2376) set thread context of PID 2124 (cmd.exe)
- Modifies Internet Explorer settings
  Process: 9730e701dad73a9d1e8119c13a721898.exe
  IoC: Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy
  IoC: Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Process: buyl.exe (PID 2668), 31 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: 9730e701dad73a9d1e8119c13a721898.exe (PID 2376), Token: SeSecurityPrivilege, 3 occurrences
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: 9730e701dad73a9d1e8119c13a721898.exe (PID 2376), buyl.exe (PID 2668)
- Suspicious use of WriteProcessMemory (38 IoCs)
  Source PID / process -> target PID / process (occurrences):
  2376 9730e701dad73a9d1e8119c13a721898.exe -> 2668 buyl.exe (4)
  2668 buyl.exe -> 1048 Dwm.exe (5)
  2668 buyl.exe -> 1076 Explorer.EXE (5)
  2668 buyl.exe -> 1116 taskhost.exe (5)
  2668 buyl.exe -> 2172 DllHost.exe (5)
  2668 buyl.exe -> 2376 9730e701dad73a9d1e8119c13a721898.exe (5)
  2376 9730e701dad73a9d1e8119c13a721898.exe -> 2124 cmd.exe (9)
Processes
- C:\Windows\system32\DllHost.exe (PID 2172, depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\taskhost.exe (PID 1116, depth 1)
  Command line: "taskhost.exe"
- C:\Windows\Explorer.EXE (PID 1076, depth 1)
  Command line: C:\Windows\Explorer.EXE
- C:\Users\Admin\AppData\Local\Temp\9730e701dad73a9d1e8119c13a721898.exe (PID 2376, depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9730e701dad73a9d1e8119c13a721898.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Ecxof\buyl.exe (PID 2668, depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\Ecxof\buyl.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2124, depth 3)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5a66602a.bat"
    Signatures: Deletes itself
- C:\Windows\system32\Dwm.exe (PID 1048, depth 1)
  Command line: "C:\Windows\system32\Dwm.exe"
Downloads
- Filesize: 243B
  MD5: d082911835ae438fa1f8196c4da43243
  SHA1: fc9da0866933c9d156c9d99fc7671ee1a15d3638
  SHA256: 1c2e20ab027bbc0acc8d3e73826f6dd86201ab85e84905df2f4ed6d828b07ee0
  SHA512: 03f13a43c2784f7c55e39df6c76c1b7cb2940002176a7068ea2ca92cf2260ddd94f229e510b79f635d2ed7f2537405329b871b033e3ad93625afb1b0686e7750
- Filesize: 366B
  MD5: f4ee92ab2629226c6ae46559a9785df8
  SHA1: ffcde77f7d20f812b8712c97742c79fb841addbb
  SHA256: 969c8a1519f5606c36fac5c90312ce8bf98713ff9150fcc7e982caf78855740e
  SHA512: 30d1e4e85763f2b44ad0cf2fdc47a2757d115f39f892ba7e0a462d629688a3266931ddbdd4dfbe331c7ed8b082a74260640e689cdf8de87b22c4cb6820b944d8
- Filesize: 262KB
  MD5: 2ee9d84520bc9ebc85891aa2a0cf0a2a
  SHA1: 18d0e9f8f20d00d82b20d07737474538c7fd6fa7
  SHA256: 6a78a96ce26ee75056f86909a790997569d43fbc8d88299e4bfb0d71056ea6fb
  SHA512: 15c01774f90491beaa988eeb2662f7049417f42108b3e2a8f42e5e410b104f6030c61875bc28088304bb8a5d185b4a78719a8c0b108e5efe1ef90d955e8a9ba8