b8914b69268957fa1fa00e5bf3025f307960f2f4ba9168614f45eb713cf4ce36

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bccfc1708d0a502c7e162d44e76ea6a4.exe
Size

293KB
MD5

bccfc1708d0a502c7e162d44e76ea6a4
SHA1

95f5e2037a7c5a55c2788970d0be3da541485fed
SHA256

b8914b69268957fa1fa00e5bf3025f307960f2f4ba9168614f45eb713cf4ce36
SHA512

3cac224121f9cab8e6c9f63a267e561f081d1b201987dc43435af895750b5daae868463ddb3eb2d18fcff2a77e104b56b34cadea2147807d2ef70974a8f711c9
SSDEEP

6144:yPdM6MANEVzGlcEDUl4qaRYVQOJTGbusJRhgnGXcbD7Xm2BeddhMHWDiu:ENEh8cSLqdJsisDhgnGMBBedDM2Dt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

izcye.exe

pid process

2968 izcye.exe
Loads dropped DLL 2 IoCs

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exe

pid process

2908 bccfc1708d0a502c7e162d44e76ea6a4.exe
2908 bccfc1708d0a502c7e162d44e76ea6a4.exe

pid	process
2908	bccfc1708d0a502c7e162d44e76ea6a4.exe
2908	bccfc1708d0a502c7e162d44e76ea6a4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

izcye.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{58C936C8-997F-AD4E-D42C-E216E5D1C10B} = "C:\\Users\\Admin\\AppData\\Roaming\\Zafei\\izcye.exe"	izcye.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exe

description pid process target process

PID 2908 set thread context of 1672 2908 bccfc1708d0a502c7e162d44e76ea6a4.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2120 1672 WerFault.exe cmd.exe

description	pid	process	target process
PID 2908 set thread context of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe

pid	pid_target	process	target process
2120	1672	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy	bccfc1708d0a502c7e162d44e76ea6a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bccfc1708d0a502c7e162d44e76ea6a4.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

izcye.exe

pid	process
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe
2968	izcye.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exe

description	pid	process
Token: SeSecurityPrivilege	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe
Token: SeSecurityPrivilege	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe
Token: SeSecurityPrivilege	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exeizcye.exe

pid process

2908 bccfc1708d0a502c7e162d44e76ea6a4.exe
2968 izcye.exe

pid	process
2908	bccfc1708d0a502c7e162d44e76ea6a4.exe
2968	izcye.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

bccfc1708d0a502c7e162d44e76ea6a4.exeizcye.execmd.exe

description	pid	process	target process
PID 2908 wrote to memory of 2968	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	izcye.exe
PID 2908 wrote to memory of 2968	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	izcye.exe
PID 2908 wrote to memory of 2968	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	izcye.exe
PID 2908 wrote to memory of 2968	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	izcye.exe
PID 2968 wrote to memory of 1080	2968	izcye.exe	taskhost.exe
PID 2968 wrote to memory of 1080	2968	izcye.exe	taskhost.exe
PID 2968 wrote to memory of 1080	2968	izcye.exe	taskhost.exe
PID 2968 wrote to memory of 1080	2968	izcye.exe	taskhost.exe
PID 2968 wrote to memory of 1080	2968	izcye.exe	taskhost.exe
PID 2968 wrote to memory of 1088	2968	izcye.exe	Dwm.exe
PID 2968 wrote to memory of 1088	2968	izcye.exe	Dwm.exe
PID 2968 wrote to memory of 1088	2968	izcye.exe	Dwm.exe
PID 2968 wrote to memory of 1088	2968	izcye.exe	Dwm.exe
PID 2968 wrote to memory of 1088	2968	izcye.exe	Dwm.exe
PID 2968 wrote to memory of 1156	2968	izcye.exe	Explorer.EXE
PID 2968 wrote to memory of 1156	2968	izcye.exe	Explorer.EXE
PID 2968 wrote to memory of 1156	2968	izcye.exe	Explorer.EXE
PID 2968 wrote to memory of 1156	2968	izcye.exe	Explorer.EXE
PID 2968 wrote to memory of 1156	2968	izcye.exe	Explorer.EXE
PID 2968 wrote to memory of 1508	2968	izcye.exe	DllHost.exe
PID 2968 wrote to memory of 1508	2968	izcye.exe	DllHost.exe
PID 2968 wrote to memory of 1508	2968	izcye.exe	DllHost.exe
PID 2968 wrote to memory of 1508	2968	izcye.exe	DllHost.exe
PID 2968 wrote to memory of 1508	2968	izcye.exe	DllHost.exe
PID 2968 wrote to memory of 2908	2968	izcye.exe	bccfc1708d0a502c7e162d44e76ea6a4.exe
PID 2968 wrote to memory of 2908	2968	izcye.exe	bccfc1708d0a502c7e162d44e76ea6a4.exe
PID 2968 wrote to memory of 2908	2968	izcye.exe	bccfc1708d0a502c7e162d44e76ea6a4.exe
PID 2968 wrote to memory of 2908	2968	izcye.exe	bccfc1708d0a502c7e162d44e76ea6a4.exe
PID 2968 wrote to memory of 2908	2968	izcye.exe	bccfc1708d0a502c7e162d44e76ea6a4.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 2908 wrote to memory of 1672	2908	bccfc1708d0a502c7e162d44e76ea6a4.exe	cmd.exe
PID 1672 wrote to memory of 2120	1672	cmd.exe	WerFault.exe
PID 1672 wrote to memory of 2120	1672	cmd.exe	WerFault.exe
PID 1672 wrote to memory of 2120	1672	cmd.exe	WerFault.exe
PID 1672 wrote to memory of 2120	1672	cmd.exe	WerFault.exe
PID 2968 wrote to memory of 2032	2968	izcye.exe	conhost.exe
PID 2968 wrote to memory of 2032	2968	izcye.exe	conhost.exe
PID 2968 wrote to memory of 2032	2968	izcye.exe	conhost.exe
PID 2968 wrote to memory of 2032	2968	izcye.exe	conhost.exe
PID 2968 wrote to memory of 2032	2968	izcye.exe	conhost.exe
PID 2968 wrote to memory of 2120	2968	izcye.exe	WerFault.exe
PID 2968 wrote to memory of 2120	2968	izcye.exe	WerFault.exe
PID 2968 wrote to memory of 2120	2968	izcye.exe	WerFault.exe
PID 2968 wrote to memory of 2120	2968	izcye.exe	WerFault.exe
PID 2968 wrote to memory of 2120	2968	izcye.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\bccfc1708d0a502c7e162d44e76ea6a4.exe
"C:\Users\Admin\AppData\Local\Temp\bccfc1708d0a502c7e162d44e76ea6a4.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Roaming\Zafei\izcye.exe
"C:\Users\Admin\AppData\Roaming\Zafei\izcye.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp11bda06d.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 112
4⤵
- Program crash
PID:2120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-688310912-1406257393741478682-21665164610069051731969759215585827971950474690"
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ubga\ymel.adf

Filesize
366B

MD5
df2354167d9cd8f5eb552ae483bb51f7

SHA1
a5678451279d3b59866df934e034954b8060c1d6

SHA256
b76fa99b8088286f4edce4ab2cb3d66b3e7e1625b5a43634adc5e0a621989943

SHA512
94b8efe9bf43f700ce90018a9622085ea09414b1be88aee624569c4dcd442151ecafb8267efea98c2dec8edf395289ff7d09966edea6a55fa4d7654a7bacface

Download Submit
\Users\Admin\AppData\Roaming\Zafei\izcye.exe

Filesize
293KB

MD5
bb6106bbeac0ed99215bb01a0b539efc

SHA1
47feb751ee1c1e898d78e283d543fcba9043b9f4

SHA256
808c7d0c040c624b28f33e72ac6ee834063ce39a70a6130bb28c2eb9e6e1c0b0

SHA512
b81344109b131dfac0b18e84f4ea8d3c52148041a2ee6af03c7a1f7a920bcf3976b475a46fdb95416597d6f6acdbc8612912cdf1a478ccebb1dce976bcfd783c

Download Submit
memory/1080-18-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1080-20-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1080-22-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1080-24-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1080-26-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1088-30-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/1088-32-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/1088-31-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/1088-29-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/1156-35-0x0000000002EF0000-0x0000000002F31000-memory.dmp

Filesize
260KB

Download
memory/1156-34-0x0000000002EF0000-0x0000000002F31000-memory.dmp

Filesize
260KB

Download
memory/1156-36-0x0000000002EF0000-0x0000000002F31000-memory.dmp

Filesize
260KB

Download
memory/1156-37-0x0000000002EF0000-0x0000000002F31000-memory.dmp

Filesize
260KB

Download
memory/1508-40-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1508-42-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1508-44-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1508-46-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2120-187-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/2120-208-0x0000000077940000-0x0000000077941000-memory.dmp

Filesize
4KB

Download
memory/2120-282-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2120-287-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/2908-55-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/2908-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-53-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/2908-49-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/2908-57-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/2908-58-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-60-0x0000000077940000-0x0000000077941000-memory.dmp

Filesize
4KB

Download
memory/2908-62-0x0000000077940000-0x0000000077941000-memory.dmp

Filesize
4KB

Download
memory/2908-64-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-74-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-51-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/2908-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-151-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2908-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-2-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/2908-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-15-0x0000000001C30000-0x0000000001C7B000-memory.dmp

Filesize
300KB

Download
memory/2968-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-14-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download