32fcae1acf5ba4a8558b7d8e2234b40955dadef9252cc026afd887843130717a

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c55e2ae7a44ec1f8998b72dff1d9c836.exe
Size

286KB
MD5

c55e2ae7a44ec1f8998b72dff1d9c836
SHA1

8ab911604d659d40d03d0e3ca495fd4a56a6bd76
SHA256

32fcae1acf5ba4a8558b7d8e2234b40955dadef9252cc026afd887843130717a
SHA512

9748067a2b77679e3d38e7d9d3df704fd669fb6bc832ad877e8fb8007b153478256d5427177ea7289618a9fd6af92b6e482cd11a6385634330566b4d5902c615
SSDEEP

6144:A9dsSDnX6woeClLYXfL0dVBGx7d1Va1pMH90BhMlg0IMY:wdBoblLYP45Gx7d1dH9KhKGMY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	isul.exe
2576	isul.exe

Loads dropped DLL 3 IoCs

pid	Process
1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe
1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe
2620	isul.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2FF1FB48-8463-AD4E-783C-A76D5E948470} = "C:\\Users\\Admin\\AppData\\Roaming\\Kyub\\isul.exe"	isul.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2620 set thread context of 2576	2620	isul.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Privacy	c55e2ae7a44ec1f8998b72dff1d9c836.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c55e2ae7a44ec1f8998b72dff1d9c836.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe
2576	isul.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 2088 wrote to memory of 1872	2088	c55e2ae7a44ec1f8998b72dff1d9c836.exe	28
PID 1872 wrote to memory of 2620	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	29
PID 1872 wrote to memory of 2620	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	29
PID 1872 wrote to memory of 2620	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	29
PID 1872 wrote to memory of 2620	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	29
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2620 wrote to memory of 2576	2620	isul.exe	30
PID 2576 wrote to memory of 1116	2576	isul.exe	19
PID 2576 wrote to memory of 1116	2576	isul.exe	19
PID 2576 wrote to memory of 1116	2576	isul.exe	19
PID 2576 wrote to memory of 1116	2576	isul.exe	19
PID 2576 wrote to memory of 1116	2576	isul.exe	19
PID 2576 wrote to memory of 1200	2576	isul.exe	20
PID 2576 wrote to memory of 1200	2576	isul.exe	20
PID 2576 wrote to memory of 1200	2576	isul.exe	20
PID 2576 wrote to memory of 1200	2576	isul.exe	20
PID 2576 wrote to memory of 1200	2576	isul.exe	20
PID 2576 wrote to memory of 1256	2576	isul.exe	21
PID 2576 wrote to memory of 1256	2576	isul.exe	21
PID 2576 wrote to memory of 1256	2576	isul.exe	21
PID 2576 wrote to memory of 1256	2576	isul.exe	21
PID 2576 wrote to memory of 1256	2576	isul.exe	21
PID 2576 wrote to memory of 2396	2576	isul.exe	23
PID 2576 wrote to memory of 2396	2576	isul.exe	23
PID 2576 wrote to memory of 2396	2576	isul.exe	23
PID 2576 wrote to memory of 2396	2576	isul.exe	23
PID 2576 wrote to memory of 2396	2576	isul.exe	23
PID 2576 wrote to memory of 1872	2576	isul.exe	28
PID 2576 wrote to memory of 1872	2576	isul.exe	28
PID 2576 wrote to memory of 1872	2576	isul.exe	28
PID 2576 wrote to memory of 1872	2576	isul.exe	28
PID 2576 wrote to memory of 1872	2576	isul.exe	28
PID 1872 wrote to memory of 2560	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	31
PID 1872 wrote to memory of 2560	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	31
PID 1872 wrote to memory of 2560	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	31
PID 1872 wrote to memory of 2560	1872	c55e2ae7a44ec1f8998b72dff1d9c836.exe	31
PID 2576 wrote to memory of 2560	2576	isul.exe	31
PID 2576 wrote to memory of 2560	2576	isul.exe	31
PID 2576 wrote to memory of 2560	2576	isul.exe	31
PID 2576 wrote to memory of 2560	2576	isul.exe	31
PID 2576 wrote to memory of 2560	2576	isul.exe	31
PID 2576 wrote to memory of 2708	2576	isul.exe	32
PID 2576 wrote to memory of 1608	2576	isul.exe	35
PID 2576 wrote to memory of 1608	2576	isul.exe	35
PID 2576 wrote to memory of 1608	2576	isul.exe	35
PID 2576 wrote to memory of 1608	2576	isul.exe	35
PID 2576 wrote to memory of 1608	2576	isul.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\c55e2ae7a44ec1f8998b72dff1d9c836.exe
  "C:\Users\Admin\AppData\Local\Temp\c55e2ae7a44ec1f8998b72dff1d9c836.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\c55e2ae7a44ec1f8998b72dff1d9c836.exe
    "C:\Users\Admin\AppData\Local\Temp\c55e2ae7a44ec1f8998b72dff1d9c836.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Roaming\Kyub\isul.exe
      "C:\Users\Admin\AppData\Roaming\Kyub\isul.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Roaming\Kyub\isul.exe
        
        "C:\Users\Admin\AppData\Roaming\Kyub\isul.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcb00ae5a.bat"
      4⤵
      Deletes itself
      PID:2560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37498710-1250125346581763446360070183-2047133228125538699133832524-1087400149"
1⤵
PID:2708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcb00ae5a.bat

Filesize
243B

MD5
ff8613a356702ba088a2e9cd00ee67b0

SHA1
1ba9f0b6e2ec5686260ea055d550cbf8a5f81085

SHA256
d56c37e1ddca96ed61a5036c57dcc51bf4b97623485739a733adc90226e93ae0

SHA512
e0d3556a5e0dce6a3275475da079aeeef7b28a1c5add10fcc5859756e1d653df59804c82bf32e6f4e65be3686db4289d39ab17251fcbadfde943c70d14b92177

Download Submit
C:\Users\Admin\AppData\Roaming\Kyub\isul.exe

Filesize
286KB

MD5
83729bf7aedb65b68e1ded9d31c8576c

SHA1
f0093f6184492a495393523d1f12a0c47c47b33d

SHA256
3bde185ce8319d31a1085b82349c3fbedcd397e6f9af581cc800840406a95fe5

SHA512
e8d8783ca269c51d2b374bf8275a5a240d1573aedbfa3853c8c6f63e02d05a2b8de0f3089888c247990c853b36be0e1c39d006cafca49aa79c7849133375e4ea

Download Submit
memory/1116-53-0x0000000001E90000-0x0000000001ED4000-memory.dmp

Filesize
272KB

Download
memory/1116-54-0x0000000001E90000-0x0000000001ED4000-memory.dmp

Filesize
272KB

Download
memory/1116-52-0x0000000001E90000-0x0000000001ED4000-memory.dmp

Filesize
272KB

Download
memory/1116-51-0x0000000001E90000-0x0000000001ED4000-memory.dmp

Filesize
272KB

Download
memory/1200-57-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1200-59-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1200-58-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1200-56-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1256-64-0x0000000002B60000-0x0000000002BA4000-memory.dmp

Filesize
272KB

Download
memory/1256-61-0x0000000002B60000-0x0000000002BA4000-memory.dmp

Filesize
272KB

Download
memory/1256-63-0x0000000002B60000-0x0000000002BA4000-memory.dmp

Filesize
272KB

Download
memory/1256-62-0x0000000002B60000-0x0000000002BA4000-memory.dmp

Filesize
272KB

Download
memory/1872-81-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1872-79-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1872-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-181-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1872-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-28-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/1872-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-170-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1872-91-0x00000000773B0000-0x00000000773B1000-memory.dmp

Filesize
4KB

Download
memory/1872-76-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-71-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-72-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-73-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-74-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-77-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1872-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-75-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1872-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-83-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2088-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2396-66-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2396-69-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2396-68-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2396-67-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2576-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2620-29-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2620-45-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2620-32-0x0000000000340000-0x000000000038D000-memory.dmp

Filesize
308KB

Download