27bb67656f06fc1a191945ccb9c3901a6fa1f120dc9683c8e52a16d93c7643bb

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba7ff1c7291fffc5d73975abe06f43ee.exe
Size

293KB
MD5

ba7ff1c7291fffc5d73975abe06f43ee
SHA1

c8d590b0cf3fd32d86aa6c60dbc13fbbd3db0994
SHA256

27bb67656f06fc1a191945ccb9c3901a6fa1f120dc9683c8e52a16d93c7643bb
SHA512

02a0e205a8abe8ff7600867ed2174b497275fc8c48fe3c624cc3705e695303c90414712713f137ae71292ab8c735b9f22303b23b970f0524f41a2e2141fcc241
SSDEEP

6144:GPdMcMANEVzGlcEDUl4qaRYVQ9JTGbusJRhgnGXcND7Xm2BeddhMHH6li:iNEh8cSLqd+sisDhgnGCBBedDMn6A

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1432	efot.exe

Loads dropped DLL 2 IoCs

pid	Process
1132	ba7ff1c7291fffc5d73975abe06f43ee.exe
1132	ba7ff1c7291fffc5d73975abe06f43ee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9001F4C8-8465-AD4E-4A54-86C64CCDA5DB} = "C:\\Users\\Admin\\AppData\\Roaming\\Acqao\\efot.exe"	efot.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Privacy	ba7ff1c7291fffc5d73975abe06f43ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ba7ff1c7291fffc5d73975abe06f43ee.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe
1432	efot.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe
Token: SeSecurityPrivilege	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe
Token: SeSecurityPrivilege	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1132	ba7ff1c7291fffc5d73975abe06f43ee.exe
1432	efot.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1432	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	28
PID 1132 wrote to memory of 1432	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	28
PID 1132 wrote to memory of 1432	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	28
PID 1132 wrote to memory of 1432	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	28
PID 1432 wrote to memory of 1116	1432	efot.exe	19
PID 1432 wrote to memory of 1116	1432	efot.exe	19
PID 1432 wrote to memory of 1116	1432	efot.exe	19
PID 1432 wrote to memory of 1116	1432	efot.exe	19
PID 1432 wrote to memory of 1116	1432	efot.exe	19
PID 1432 wrote to memory of 1176	1432	efot.exe	20
PID 1432 wrote to memory of 1176	1432	efot.exe	20
PID 1432 wrote to memory of 1176	1432	efot.exe	20
PID 1432 wrote to memory of 1176	1432	efot.exe	20
PID 1432 wrote to memory of 1176	1432	efot.exe	20
PID 1432 wrote to memory of 1208	1432	efot.exe	21
PID 1432 wrote to memory of 1208	1432	efot.exe	21
PID 1432 wrote to memory of 1208	1432	efot.exe	21
PID 1432 wrote to memory of 1208	1432	efot.exe	21
PID 1432 wrote to memory of 1208	1432	efot.exe	21
PID 1432 wrote to memory of 1636	1432	efot.exe	23
PID 1432 wrote to memory of 1636	1432	efot.exe	23
PID 1432 wrote to memory of 1636	1432	efot.exe	23
PID 1432 wrote to memory of 1636	1432	efot.exe	23
PID 1432 wrote to memory of 1636	1432	efot.exe	23
PID 1432 wrote to memory of 1132	1432	efot.exe	27
PID 1432 wrote to memory of 1132	1432	efot.exe	27
PID 1432 wrote to memory of 1132	1432	efot.exe	27
PID 1432 wrote to memory of 1132	1432	efot.exe	27
PID 1432 wrote to memory of 1132	1432	efot.exe	27
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29
PID 1132 wrote to memory of 2316	1132	ba7ff1c7291fffc5d73975abe06f43ee.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\ba7ff1c7291fffc5d73975abe06f43ee.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7ff1c7291fffc5d73975abe06f43ee.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Roaming\Acqao\efot.exe
    "C:\Users\Admin\AppData\Roaming\Acqao\efot.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp480b6e6d.bat"
    3⤵
    - Deletes itself
    PID:2316

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp480b6e6d.bat

Filesize
243B

MD5
c48b8201c8e62875ae544fade141f69d

SHA1
2d0aef75a777f225212873b99ab058408497be0d

SHA256
8cc1faab2708d2ef0f8f6ae831de9a7a9d0c98e627054592d85f11884b0baa51

SHA512
af08987555470ad47da271074d8e59a2951616d8f6237f0150cab5a64c31085a8d4c39c4d63c1dcb98ffe12be1960ba42dfa24a376959b686266e889c8409b24

Download Submit
C:\Users\Admin\AppData\Roaming\Dypoy\vyjo.ypt

Filesize
366B

MD5
412bda50cca7a9b7a308caa5cadb7321

SHA1
e86867d5ec3b86cc84fc1a887779b17c0dd3d151

SHA256
312be804def7b428d9c072ff820fd8233f88a1e88d66718e30685c296b07a0fa

SHA512
e6faf07a018b67bf20cf1c90b02eb69577b675a4e333471188f7884620bad6f2850f07091dddb2e9ecc2b4bdc41c4b367b46aa92ca9ffa45f56c533bf9daf054

Download Submit
\Users\Admin\AppData\Roaming\Acqao\efot.exe

Filesize
293KB

MD5
cd111d51fb535a1ab5407d80216ce05a

SHA1
9ac63f236f3c9ec8823bd2261fdaf282d57c74f4

SHA256
6ef0db9a86500b343386cb3b85fe11e6e31e54c834cf046dd5c1d77d8244c723

SHA512
1f64dca3e5d6ced04f0c8e17332ac4d3371060b2d3ba7ebe3e7d84622009d958374ebc070b2982fbc076fff338f4a895d4c97e930e79d935c55d34dcf5129cca

Download Submit
memory/1116-21-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1116-27-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1116-25-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1116-17-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1116-23-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1132-52-0x0000000000530000-0x0000000000571000-memory.dmp

Filesize
260KB

Download
memory/1132-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-2-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/1132-54-0x0000000000530000-0x0000000000571000-memory.dmp

Filesize
260KB

Download
memory/1132-56-0x0000000000530000-0x0000000000571000-memory.dmp

Filesize
260KB

Download
memory/1132-58-0x0000000000530000-0x0000000000571000-memory.dmp

Filesize
260KB

Download
memory/1132-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-151-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-50-0x0000000000530000-0x0000000000571000-memory.dmp

Filesize
260KB

Download
memory/1132-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1132-77-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-79-0x0000000077B40000-0x0000000077B41000-memory.dmp

Filesize
4KB

Download
memory/1132-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1132-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1176-31-0x0000000002230000-0x0000000002271000-memory.dmp

Filesize
260KB

Download
memory/1176-35-0x0000000002230000-0x0000000002271000-memory.dmp

Filesize
260KB

Download
memory/1176-37-0x0000000002230000-0x0000000002271000-memory.dmp

Filesize
260KB

Download
memory/1176-33-0x0000000002230000-0x0000000002271000-memory.dmp

Filesize
260KB

Download
memory/1208-41-0x0000000002D00000-0x0000000002D41000-memory.dmp

Filesize
260KB

Download
memory/1208-42-0x0000000002D00000-0x0000000002D41000-memory.dmp

Filesize
260KB

Download
memory/1208-43-0x0000000002D00000-0x0000000002D41000-memory.dmp

Filesize
260KB

Download
memory/1208-40-0x0000000002D00000-0x0000000002D41000-memory.dmp

Filesize
260KB

Download
memory/1432-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-18-0x0000000000380000-0x00000000003CB000-memory.dmp

Filesize
300KB

Download
memory/1432-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-16-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/1636-47-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1636-45-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1636-46-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1636-48-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2316-173-0x0000000000090000-0x00000000000D1000-memory.dmp

Filesize
260KB

Download
memory/2316-175-0x0000000077B40000-0x0000000077B41000-memory.dmp

Filesize
4KB

Download
memory/2316-271-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2316-272-0x0000000000090000-0x00000000000D1000-memory.dmp

Filesize
260KB

Download