15c63614aad6a6db91a8bea97f3074c94f25bf4ea34dc5e0efb75540fe60ef4e

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab028b215246fa42f1f700af7ce490eb.exe
Size

148KB
MD5

ab028b215246fa42f1f700af7ce490eb
SHA1

2f2ded652e72bfbf4c081f1a3ab9b18a7e079c17
SHA256

15c63614aad6a6db91a8bea97f3074c94f25bf4ea34dc5e0efb75540fe60ef4e
SHA512

83f886d93ba36f77e01336e8e9a06052d615bb46c426cfa609158b79bc3e847428ab091a33769f297a7a9cc117342dfdcf0a80b87d8e7ad606db975b5afa9a90
SSDEEP

3072:YwCnQVNeMfC/BQcQl3u/CUHpxDgREcDYH8ss8zm4CXzw:YXQqMfu/KUJxMREUYH8ss8FCX8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1276	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	mybaw.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	ab028b215246fa42f1f700af7ce490eb.exe
2244	ab028b215246fa42f1f700af7ce490eb.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C3E35EA7-6467-ABC6-4A07-9318C384D86C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ypec\\mybaw.exe"	mybaw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy	ab028b215246fa42f1f700af7ce490eb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ab028b215246fa42f1f700af7ce490eb.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4B9120DC-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe
2632	mybaw.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2244	ab028b215246fa42f1f700af7ce490eb.exe
Token: SeSecurityPrivilege	2244	ab028b215246fa42f1f700af7ce490eb.exe
Token: SeSecurityPrivilege	2244	ab028b215246fa42f1f700af7ce490eb.exe
Token: SeManageVolumePrivilege	1468	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1468	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1468	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1468	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2632	2244	ab028b215246fa42f1f700af7ce490eb.exe	1
PID 2244 wrote to memory of 2632	2244	ab028b215246fa42f1f700af7ce490eb.exe	1
PID 2244 wrote to memory of 2632	2244	ab028b215246fa42f1f700af7ce490eb.exe	1
PID 2244 wrote to memory of 2632	2244	ab028b215246fa42f1f700af7ce490eb.exe	1
PID 2632 wrote to memory of 1112	2632	mybaw.exe	10
PID 2632 wrote to memory of 1112	2632	mybaw.exe	10
PID 2632 wrote to memory of 1112	2632	mybaw.exe	10
PID 2632 wrote to memory of 1112	2632	mybaw.exe	10
PID 2632 wrote to memory of 1112	2632	mybaw.exe	10
PID 2632 wrote to memory of 1168	2632	mybaw.exe	9
PID 2632 wrote to memory of 1168	2632	mybaw.exe	9
PID 2632 wrote to memory of 1168	2632	mybaw.exe	9
PID 2632 wrote to memory of 1168	2632	mybaw.exe	9
PID 2632 wrote to memory of 1168	2632	mybaw.exe	9
PID 2632 wrote to memory of 1192	2632	mybaw.exe	8
PID 2632 wrote to memory of 1192	2632	mybaw.exe	8
PID 2632 wrote to memory of 1192	2632	mybaw.exe	8
PID 2632 wrote to memory of 1192	2632	mybaw.exe	8
PID 2632 wrote to memory of 1192	2632	mybaw.exe	8
PID 2632 wrote to memory of 2216	2632	mybaw.exe	6
PID 2632 wrote to memory of 2216	2632	mybaw.exe	6
PID 2632 wrote to memory of 2216	2632	mybaw.exe	6
PID 2632 wrote to memory of 2216	2632	mybaw.exe	6
PID 2632 wrote to memory of 2216	2632	mybaw.exe	6
PID 2632 wrote to memory of 2244	2632	mybaw.exe	2
PID 2632 wrote to memory of 2244	2632	mybaw.exe	2
PID 2632 wrote to memory of 2244	2632	mybaw.exe	2
PID 2632 wrote to memory of 2244	2632	mybaw.exe	2
PID 2632 wrote to memory of 2244	2632	mybaw.exe	2
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2244 wrote to memory of 1276	2244	ab028b215246fa42f1f700af7ce490eb.exe	30
PID 2632 wrote to memory of 616	2632	mybaw.exe	32
PID 2632 wrote to memory of 616	2632	mybaw.exe	32
PID 2632 wrote to memory of 616	2632	mybaw.exe	32
PID 2632 wrote to memory of 616	2632	mybaw.exe	32
PID 2632 wrote to memory of 616	2632	mybaw.exe	32
PID 2632 wrote to memory of 2936	2632	mybaw.exe	33
PID 2632 wrote to memory of 2936	2632	mybaw.exe	33
PID 2632 wrote to memory of 2936	2632	mybaw.exe	33
PID 2632 wrote to memory of 2936	2632	mybaw.exe	33
PID 2632 wrote to memory of 2936	2632	mybaw.exe	33
PID 2632 wrote to memory of 2196	2632	mybaw.exe	36
PID 2632 wrote to memory of 2196	2632	mybaw.exe	36
PID 2632 wrote to memory of 2196	2632	mybaw.exe	36
PID 2632 wrote to memory of 2196	2632	mybaw.exe	36
PID 2632 wrote to memory of 2196	2632	mybaw.exe	36

C:\Users\Admin\AppData\Roaming\Ypec\mybaw.exe
"C:\Users\Admin\AppData\Roaming\Ypec\mybaw.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\ab028b215246fa42f1f700af7ce490eb.exe
"C:\Users\Admin\AppData\Local\Temp\ab028b215246fa42f1f700af7ce490eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1bbdb344.bat"
  2⤵
  - Deletes itself
  PID:1276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
1008KB

MD5
17df5f9abdac28ed5c24adba3b199e27

SHA1
602de67b6d4b90f9e854b1e02b4e41c1aff1a81f

SHA256
7ee38da023d56ebc286a2a091095e4cc6ae840f94ae107231bcf9944d15c7b72

SHA512
bfeda55a5f164fab612e4d8a681edd47bc0e155cb656c5ed9b4c4608c567bbb3a524cc368e62be7cdf5ef42b8cfc676c8b82418f735bb228c6069d9e0a2b4302

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1bbdb344.bat

Filesize
243B

MD5
3ea6a9bb15d07871dc0971f22b654e3a

SHA1
31b8d144f5859f4988e057bc269b6be2ee2195ab

SHA256
179b8ced63a648e5306cd10c51549e3832031c6c86b2ec05ff9e481e9a09fa7e

SHA512
c33dd3dd8aae6e8e0a93ace338687e33fd7f5ec8221d72593c2ab6098887ed60a3a82824eba9e3df25d70143788b1fd5ebea76283598fb151533ae9931793b80

Download Submit
C:\Users\Admin\AppData\Roaming\Kayz\qoegi.izc

Filesize
366B

MD5
f896939d2798e7b65e0ca22cfae74ed6

SHA1
c55818e7b89493bf8521cd267b4451d7bc983330

SHA256
b4da664f98bec0d33f6400a76cb3d96c80f7b5073015b064330c47c288c0038d

SHA512
30a089b186d63cbb9b2d15ea12a5d79fadaad2621ee364d9c21bba9b0150fc47f57b938526131eb365a8b3eaae1d812c60aeee38b1f3fd266384d6333051ed39

Download Submit
C:\Users\Admin\AppData\Roaming\Ypec\mybaw.exe

Filesize
148KB

MD5
9f4ef372508a719bd06418418c887e02

SHA1
af4dcf8c15a90d0c0f6ca4608958dd84976cabea

SHA256
0b8fc1215a8b166a75ba3d78333f1f6d9b91eb19e508bfa0be6cfff31f3758b7

SHA512
cb0ba75ec0f193e798718755ec653ac0653850a3694d054d001b06b31626d539e6520d924967fdecff672342a905e52e00cb9f0e22ce68683394b67fb1223e55

Download Submit
memory/1112-19-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/1112-21-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/1112-23-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/1112-25-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/1112-27-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/1168-37-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1168-31-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1168-35-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1168-33-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1192-40-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1192-43-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1192-41-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1192-42-0x0000000002AD0000-0x0000000002AF7000-memory.dmp

Filesize
156KB

Download
memory/1276-326-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1276-255-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/1276-327-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1276-231-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2216-45-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/2216-46-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/2216-47-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/2216-48-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/2244-71-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-78-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-74-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-80-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-82-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-63-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-61-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-59-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-146-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-58-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2244-54-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2244-76-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-52-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2244-50-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2244-56-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2244-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-2-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2244-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-72-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/2244-69-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2244-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2632-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-16-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2632-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download