46cbb37d075e320c5b82588db52cc5a2a62a7f3bce1f4e6aee89a12e279fb5c0

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5ef238856b6f471f5cf047c2a55f741.exe
Size

366KB
MD5

c5ef238856b6f471f5cf047c2a55f741
SHA1

48ea9c0c17287a1bc919ba6135b824f98e332aad
SHA256

46cbb37d075e320c5b82588db52cc5a2a62a7f3bce1f4e6aee89a12e279fb5c0
SHA512

9354020317b3f98e228f78e9d599d471747cf97f200403417e762c438c355f3f2e0f84cdeeac1c8879157c66c899e449c9d9a716aeea101c0d64713dfde372ea
SSDEEP

6144:aVJnk1h+bfx1qrGtkr7aMhimD2rlIc/BJd9jFOaUXnx/oqrAzC5e2P:ik14fx1qsMPidZLTfjFOaUXjrAzEem

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	yzviu.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	c5ef238856b6f471f5cf047c2a55f741.exe
2820	c5ef238856b6f471f5cf047c2a55f741.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8AB77948-8466-AD4E-E8B6-6988D6F14A95} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzme\\yzviu.exe"	yzviu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1656	624	WerFault.exe	29
1596	1656	WerFault.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy	c5ef238856b6f471f5cf047c2a55f741.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c5ef238856b6f471f5cf047c2a55f741.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe
2076	yzviu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	c5ef238856b6f471f5cf047c2a55f741.exe
2076	yzviu.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2076	2820	c5ef238856b6f471f5cf047c2a55f741.exe	28
PID 2820 wrote to memory of 2076	2820	c5ef238856b6f471f5cf047c2a55f741.exe	28
PID 2820 wrote to memory of 2076	2820	c5ef238856b6f471f5cf047c2a55f741.exe	28
PID 2820 wrote to memory of 2076	2820	c5ef238856b6f471f5cf047c2a55f741.exe	28
PID 2076 wrote to memory of 1256	2076	yzviu.exe	19
PID 2076 wrote to memory of 1256	2076	yzviu.exe	19
PID 2076 wrote to memory of 1256	2076	yzviu.exe	19
PID 2076 wrote to memory of 1256	2076	yzviu.exe	19
PID 2076 wrote to memory of 1256	2076	yzviu.exe	19
PID 2076 wrote to memory of 1352	2076	yzviu.exe	20
PID 2076 wrote to memory of 1352	2076	yzviu.exe	20
PID 2076 wrote to memory of 1352	2076	yzviu.exe	20
PID 2076 wrote to memory of 1352	2076	yzviu.exe	20
PID 2076 wrote to memory of 1352	2076	yzviu.exe	20
PID 2076 wrote to memory of 1396	2076	yzviu.exe	21
PID 2076 wrote to memory of 1396	2076	yzviu.exe	21
PID 2076 wrote to memory of 1396	2076	yzviu.exe	21
PID 2076 wrote to memory of 1396	2076	yzviu.exe	21
PID 2076 wrote to memory of 1396	2076	yzviu.exe	21
PID 2076 wrote to memory of 2180	2076	yzviu.exe	23
PID 2076 wrote to memory of 2180	2076	yzviu.exe	23
PID 2076 wrote to memory of 2180	2076	yzviu.exe	23
PID 2076 wrote to memory of 2180	2076	yzviu.exe	23
PID 2076 wrote to memory of 2180	2076	yzviu.exe	23
PID 2076 wrote to memory of 2820	2076	yzviu.exe	27
PID 2076 wrote to memory of 2820	2076	yzviu.exe	27
PID 2076 wrote to memory of 2820	2076	yzviu.exe	27
PID 2076 wrote to memory of 2820	2076	yzviu.exe	27
PID 2076 wrote to memory of 2820	2076	yzviu.exe	27
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 2820 wrote to memory of 624	2820	c5ef238856b6f471f5cf047c2a55f741.exe	29
PID 624 wrote to memory of 1656	624	cmd.exe	31
PID 624 wrote to memory of 1656	624	cmd.exe	31
PID 624 wrote to memory of 1656	624	cmd.exe	31
PID 624 wrote to memory of 1656	624	cmd.exe	31
PID 2076 wrote to memory of 2000	2076	yzviu.exe	30
PID 2076 wrote to memory of 2000	2076	yzviu.exe	30
PID 2076 wrote to memory of 2000	2076	yzviu.exe	30
PID 2076 wrote to memory of 2000	2076	yzviu.exe	30
PID 2076 wrote to memory of 2000	2076	yzviu.exe	30
PID 2076 wrote to memory of 1656	2076	yzviu.exe	31
PID 2076 wrote to memory of 1656	2076	yzviu.exe	31
PID 2076 wrote to memory of 1656	2076	yzviu.exe	31
PID 2076 wrote to memory of 1656	2076	yzviu.exe	31
PID 2076 wrote to memory of 1656	2076	yzviu.exe	31
PID 1656 wrote to memory of 1596	1656	WerFault.exe	32
PID 1656 wrote to memory of 1596	1656	WerFault.exe	32
PID 1656 wrote to memory of 1596	1656	WerFault.exe	32
PID 1656 wrote to memory of 1596	1656	WerFault.exe	32
PID 2076 wrote to memory of 1164	2076	yzviu.exe	35
PID 2076 wrote to memory of 1164	2076	yzviu.exe	35
PID 2076 wrote to memory of 1164	2076	yzviu.exe	35
PID 2076 wrote to memory of 1164	2076	yzviu.exe	35
PID 2076 wrote to memory of 1164	2076	yzviu.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\c5ef238856b6f471f5cf047c2a55f741.exe
  "C:\Users\Admin\AppData\Local\Temp\c5ef238856b6f471f5cf047c2a55f741.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Roaming\Uzme\yzviu.exe
    "C:\Users\Admin\AppData\Roaming\Uzme\yzviu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpee652553.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 116
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 536
        5⤵
        Program crash
        
        PID:1596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1362174894997157891574212697-16711472821444878491113721282710795233611616196722"
1⤵
PID:2000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Uzme\yzviu.exe

Filesize
366KB

MD5
d14fa5e25364b5582dd16c5cb6602ea0

SHA1
bc3811e60646b708214e9fd1ccce7d3bced4d787

SHA256
7869c519c7edbd7821ed58f32e1d6d0f33690027508ffa4d1c7068f865bd29d4

SHA512
f4350406eb1794d79b54b9ee6375dcd0bf16c37a351746cb0c52b830a5c94759e5e13f4e5b461888976d7a8f7be0886ac77d8c5fa8f8ba4303b92c07c3b07ca5

Download Submit
memory/1256-22-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1256-18-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1256-19-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1256-20-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1256-21-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1352-27-0x0000000001D60000-0x0000000001DA4000-memory.dmp

Filesize
272KB

Download
memory/1352-26-0x0000000001D60000-0x0000000001DA4000-memory.dmp

Filesize
272KB

Download
memory/1352-25-0x0000000001D60000-0x0000000001DA4000-memory.dmp

Filesize
272KB

Download
memory/1352-24-0x0000000001D60000-0x0000000001DA4000-memory.dmp

Filesize
272KB

Download
memory/1396-29-0x0000000002A40000-0x0000000002A84000-memory.dmp

Filesize
272KB

Download
memory/1396-30-0x0000000002A40000-0x0000000002A84000-memory.dmp

Filesize
272KB

Download
memory/1396-31-0x0000000002A40000-0x0000000002A84000-memory.dmp

Filesize
272KB

Download
memory/1396-32-0x0000000002A40000-0x0000000002A84000-memory.dmp

Filesize
272KB

Download
memory/2076-15-0x0000000001C50000-0x0000000001CA3000-memory.dmp

Filesize
332KB

Download
memory/2076-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-14-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/2180-40-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/2180-34-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/2180-36-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/2180-38-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/2820-1-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2820-59-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-44-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2820-46-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2820-48-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2820-50-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2820-52-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2820-53-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-56-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-57-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2820-55-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2820-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-75-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-79-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-81-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-147-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2820-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-0-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download