27949c8114e197819f4c2c8e2c01bec36a13a5aff22ebe187e003f06a6a1e60b

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df39cdb49ecc679e08f909bd0fcdc421.exe
Size

185KB
MD5

df39cdb49ecc679e08f909bd0fcdc421
SHA1

7d49b3ea3b92c627a5ffadf7f235090eb0ec3c90
SHA256

27949c8114e197819f4c2c8e2c01bec36a13a5aff22ebe187e003f06a6a1e60b
SHA512

9e48c823d26d65c854181f978f5f7d4779fc1a040f67159b2c9108640d40dc33e155b85ad738ce4c0422fb1d54d7da307042da73d256f901a153659dc4f72143
SSDEEP

3072:ah5M6FKaIrXmdqos0iTfRp85XyVznUtU2fpch8uRXm2S+hUZTtViolfSbn+dPoPL:Wf4oyfRpiyKtzBCn81jio9SbiPAM66+v

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1584	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	elwyr.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	df39cdb49ecc679e08f909bd0fcdc421.exe
2936	df39cdb49ecc679e08f909bd0fcdc421.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000077B000-memory.dmp	upx
behavioral1/files/0x000d00000001450b-12.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E97AF648-8469-AD4E-B6B3-012D8E7B2230} = "C:\\Users\\Admin\\AppData\\Roaming\\Emyn\\elwyr.exe"	elwyr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	df39cdb49ecc679e08f909bd0fcdc421.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	df39cdb49ecc679e08f909bd0fcdc421.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe
3036	elwyr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2936	df39cdb49ecc679e08f909bd0fcdc421.exe
Token: SeSecurityPrivilege	2936	df39cdb49ecc679e08f909bd0fcdc421.exe
Token: SeSecurityPrivilege	2936	df39cdb49ecc679e08f909bd0fcdc421.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3036	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	28
PID 2936 wrote to memory of 3036	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	28
PID 2936 wrote to memory of 3036	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	28
PID 2936 wrote to memory of 3036	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	28
PID 3036 wrote to memory of 1124	3036	elwyr.exe	19
PID 3036 wrote to memory of 1124	3036	elwyr.exe	19
PID 3036 wrote to memory of 1124	3036	elwyr.exe	19
PID 3036 wrote to memory of 1124	3036	elwyr.exe	19
PID 3036 wrote to memory of 1124	3036	elwyr.exe	19
PID 3036 wrote to memory of 1168	3036	elwyr.exe	20
PID 3036 wrote to memory of 1168	3036	elwyr.exe	20
PID 3036 wrote to memory of 1168	3036	elwyr.exe	20
PID 3036 wrote to memory of 1168	3036	elwyr.exe	20
PID 3036 wrote to memory of 1168	3036	elwyr.exe	20
PID 3036 wrote to memory of 1200	3036	elwyr.exe	21
PID 3036 wrote to memory of 1200	3036	elwyr.exe	21
PID 3036 wrote to memory of 1200	3036	elwyr.exe	21
PID 3036 wrote to memory of 1200	3036	elwyr.exe	21
PID 3036 wrote to memory of 1200	3036	elwyr.exe	21
PID 3036 wrote to memory of 2016	3036	elwyr.exe	23
PID 3036 wrote to memory of 2016	3036	elwyr.exe	23
PID 3036 wrote to memory of 2016	3036	elwyr.exe	23
PID 3036 wrote to memory of 2016	3036	elwyr.exe	23
PID 3036 wrote to memory of 2016	3036	elwyr.exe	23
PID 3036 wrote to memory of 2936	3036	elwyr.exe	27
PID 3036 wrote to memory of 2936	3036	elwyr.exe	27
PID 3036 wrote to memory of 2936	3036	elwyr.exe	27
PID 3036 wrote to memory of 2936	3036	elwyr.exe	27
PID 3036 wrote to memory of 2936	3036	elwyr.exe	27
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29
PID 2936 wrote to memory of 1584	2936	df39cdb49ecc679e08f909bd0fcdc421.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\df39cdb49ecc679e08f909bd0fcdc421.exe
  "C:\Users\Admin\AppData\Local\Temp\df39cdb49ecc679e08f909bd0fcdc421.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\Emyn\elwyr.exe
    "C:\Users\Admin\AppData\Roaming\Emyn\elwyr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpea1748ef.bat"
    3⤵
    - Deletes itself
    PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpea1748ef.bat

Filesize
243B

MD5
af80416266bf059176a78a3ebcf32e2f

SHA1
c4aa8f8f58e9a51712cd04ce3476f4b7fa0089ef

SHA256
e106156f7de3b79a2161a4a91db877c6b3e90fa12345e7bca4747a0a200628ae

SHA512
1fffcbe1d0d875c12a18f3a4d0bdbc630c503751a06205763ebacb160df0578d07b737226066e25df231731c7cd5c990ab6081a5dd9bfe30399894ffc8d98d3f

Download Submit
C:\Users\Admin\AppData\Roaming\Afhiuc\niohw.abo

Filesize
366B

MD5
f0d2d98606f3fd5f3d091a10ecd816bc

SHA1
d685faea92344235f3f98e6abd6682e197f3d6cf

SHA256
07f58bc85d7a52c7af8ea54eb54ec899150e8395736df03e799fa7fb4f2b5c6f

SHA512
e655257049c47be9707c47b5b656bea774f67234d18276e5cbebe669972293c4cb8636369b0fb30a05f8d5f31a45c84d74453b84b845e458b14ce7edc4139681

Download Submit
C:\Users\Admin\AppData\Roaming\Emyn\elwyr.exe

Filesize
185KB

MD5
3b471ab004c91139e64728821c9fe3c0

SHA1
296afa79c0a3d3308d9d9e596b8f395e0357740e

SHA256
71f6322a153feb40ee8007e05f65faa31b099a1d3e7af537c763e3a606b6ec13

SHA512
ad3e8f1cac87033e2c8d7f50568a9b9c2f1f33f8ab3b89bb2e178837c3c707a24c9c646f2ec551c59951b19fcbf116d3536d3d60e1ffff280da249aafbbce20f

Download Submit
memory/1124-25-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/1124-23-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/1124-21-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/1124-18-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/1124-14-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/1168-29-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1168-31-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1168-35-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1168-33-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1200-45-0x0000000002E90000-0x0000000002EC5000-memory.dmp

Filesize
212KB

Download
memory/1200-39-0x0000000002E90000-0x0000000002EC5000-memory.dmp

Filesize
212KB

Download
memory/1200-41-0x0000000002E90000-0x0000000002EC5000-memory.dmp

Filesize
212KB

Download
memory/1200-43-0x0000000002E90000-0x0000000002EC5000-memory.dmp

Filesize
212KB

Download
memory/1584-275-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1584-181-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/1584-177-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1584-276-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/2016-48-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2016-50-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2016-52-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2016-54-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2936-60-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-76-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-58-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-61-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-62-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-64-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-66-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2936-68-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2936-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-63-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-72-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-74-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-59-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-78-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-80-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-82-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-162-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-19-0x0000000007FD0000-0x000000000834B000-memory.dmp

Filesize
3.5MB

Download
memory/2936-173-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2936-175-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2936-15-0x0000000007FD0000-0x000000000834B000-memory.dmp

Filesize
3.5MB

Download
memory/2936-11-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2936-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2936-0-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/3036-17-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/3036-277-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download