0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe
Size

388KB
MD5

884f23c133aabcab9cabb5c3dd3f2c24
SHA1

03b1bf9b1860bce33098cb8bfeca870ce84ae8f5
SHA256

0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708
SHA512

fdc724b68db8d1c3594e88ed187547ca9e4dd0ad44af4fa15e928088419782ca717fea05b905f6f927f81892e84c88eec98d2cc13111749a07f895171eeff6f8
SSDEEP

6144:HNAXIjJ+erLRzXQW/lU9dhG3vKDbgUlXLm0MmSpNyM:HNAIjJ++VDT/lkECf3XpXM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	ugulse.exe

Loads dropped DLL 2 IoCs

pid	Process
808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe
808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2FF1FB48-8463-AD4E-783C-A76D5E948470} = "C:\\Users\\Admin\\AppData\\Roaming\\Ujso\\ugulse.exe"	ugulse.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	1664	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Privacy	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe
1808	ugulse.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe
1808	ugulse.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1808	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	28
PID 808 wrote to memory of 1808	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	28
PID 808 wrote to memory of 1808	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	28
PID 808 wrote to memory of 1808	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	28
PID 1808 wrote to memory of 1124	1808	ugulse.exe	19
PID 1808 wrote to memory of 1124	1808	ugulse.exe	19
PID 1808 wrote to memory of 1124	1808	ugulse.exe	19
PID 1808 wrote to memory of 1124	1808	ugulse.exe	19
PID 1808 wrote to memory of 1124	1808	ugulse.exe	19
PID 1808 wrote to memory of 1180	1808	ugulse.exe	20
PID 1808 wrote to memory of 1180	1808	ugulse.exe	20
PID 1808 wrote to memory of 1180	1808	ugulse.exe	20
PID 1808 wrote to memory of 1180	1808	ugulse.exe	20
PID 1808 wrote to memory of 1180	1808	ugulse.exe	20
PID 1808 wrote to memory of 1240	1808	ugulse.exe	21
PID 1808 wrote to memory of 1240	1808	ugulse.exe	21
PID 1808 wrote to memory of 1240	1808	ugulse.exe	21
PID 1808 wrote to memory of 1240	1808	ugulse.exe	21
PID 1808 wrote to memory of 1240	1808	ugulse.exe	21
PID 1808 wrote to memory of 1904	1808	ugulse.exe	23
PID 1808 wrote to memory of 1904	1808	ugulse.exe	23
PID 1808 wrote to memory of 1904	1808	ugulse.exe	23
PID 1808 wrote to memory of 1904	1808	ugulse.exe	23
PID 1808 wrote to memory of 1904	1808	ugulse.exe	23
PID 1808 wrote to memory of 808	1808	ugulse.exe	27
PID 1808 wrote to memory of 808	1808	ugulse.exe	27
PID 1808 wrote to memory of 808	1808	ugulse.exe	27
PID 1808 wrote to memory of 808	1808	ugulse.exe	27
PID 1808 wrote to memory of 808	1808	ugulse.exe	27
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 808 wrote to memory of 1664	808	0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe	29
PID 1664 wrote to memory of 1120	1664	cmd.exe	31
PID 1664 wrote to memory of 1120	1664	cmd.exe	31
PID 1664 wrote to memory of 1120	1664	cmd.exe	31
PID 1664 wrote to memory of 1120	1664	cmd.exe	31
PID 1808 wrote to memory of 1488	1808	ugulse.exe	30
PID 1808 wrote to memory of 1488	1808	ugulse.exe	30
PID 1808 wrote to memory of 1488	1808	ugulse.exe	30
PID 1808 wrote to memory of 1488	1808	ugulse.exe	30
PID 1808 wrote to memory of 1488	1808	ugulse.exe	30
PID 1808 wrote to memory of 1120	1808	ugulse.exe	31
PID 1808 wrote to memory of 1120	1808	ugulse.exe	31
PID 1808 wrote to memory of 1120	1808	ugulse.exe	31
PID 1808 wrote to memory of 1120	1808	ugulse.exe	31
PID 1808 wrote to memory of 1120	1808	ugulse.exe	31
PID 1808 wrote to memory of 2412	1808	ugulse.exe	34
PID 1808 wrote to memory of 2412	1808	ugulse.exe	34
PID 1808 wrote to memory of 2412	1808	ugulse.exe	34
PID 1808 wrote to memory of 2412	1808	ugulse.exe	34
PID 1808 wrote to memory of 2412	1808	ugulse.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe
  "C:\Users\Admin\AppData\Local\Temp\0206f71769d162e7e5e563e2b6592c939ebf608e22e641d97aeb39ae9987b708.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Roaming\Ujso\ugulse.exe
    "C:\Users\Admin\AppData\Roaming\Ujso\ugulse.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3444d2f6.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 116
      4⤵
      Program crash
      PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1077888949-2087504227-1401066804-9677459821507446712-1170214561-5717212181413364989"
1⤵
PID:1488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Ujso\ugulse.exe

Filesize
388KB

MD5
d42ac16d2e7236e4b2e458b28fe174ad

SHA1
81f3f4b66ca39e42b673bd7f875d7849a189ab3d

SHA256
885635ca4a7a1559a3f724febb623ef47496574ea3a714d86897b3c7b823a503

SHA512
fb3139b459c4b3dc96b9bbd59abb0d3344f3098e55187f1bfb0ee0edc25efbee2bb565aa7a9cf6d9ab1a4ed4bb81ada84ac930a09d6d204c0ac27c5068c3e10d

Download Submit
memory/808-62-0x00000000776E0000-0x00000000776E1000-memory.dmp

Filesize
4KB

Download
memory/808-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-0-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/808-59-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/808-57-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/808-55-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/808-53-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/808-174-0x0000000000380000-0x00000000003E8000-memory.dmp

Filesize
416KB

Download
memory/808-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-154-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-1-0x0000000000380000-0x00000000003E8000-memory.dmp

Filesize
416KB

Download
memory/808-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-64-0x00000000776E0000-0x00000000776E1000-memory.dmp

Filesize
4KB

Download
memory/808-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-51-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/1120-283-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1120-284-0x00000000776E0000-0x00000000776E1000-memory.dmp

Filesize
4KB

Download
memory/1120-285-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1120-291-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1124-21-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1124-19-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1124-23-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1124-22-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1124-18-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1180-32-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1180-26-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1180-28-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1180-30-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1240-38-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1240-35-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1240-36-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1240-37-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1808-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-16-0x0000000000360000-0x00000000003C8000-memory.dmp

Filesize
416KB

Download
memory/1808-288-0x0000000000360000-0x00000000003C8000-memory.dmp

Filesize
416KB

Download
memory/1808-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-15-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1904-47-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1904-41-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1904-43-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1904-45-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download