34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072e

Analysis

max time kernel
120s
max time network
106s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
Size

377KB
MD5

e47935f74644aaae0af4f2d72c238d70
SHA1

766290a2ba0daca37b1f123ff69447eee87b8efa
SHA256

34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072e
SHA512

c4e9e4f5debbeaedc36a1fb6c52a150115bbe5f139e5211ec4458bf3fc15c3c2cc7f855d07ca2a9f0cab065c941f1c7a18c8bc36aa144d539274e24fa924cce5
SSDEEP

6144:DB8wev8CcOsW1D8fBUTEv8a6dRPMfbt4xb7s5evZJEVe+:DmwevXfsgofyTHREfbSbfvZ4

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
348	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	guimpe.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D2BEAD48-3C80-AD4F-FE01-FCCCDCDBDFD1} = "C:\\Users\\Admin\\AppData\\Roaming\\Uqix\\guimpe.exe"	guimpe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guimpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe
3052	guimpe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
3052	guimpe.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3052	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	30
PID 1984 wrote to memory of 3052	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	30
PID 1984 wrote to memory of 3052	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	30
PID 1984 wrote to memory of 3052	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	30
PID 3052 wrote to memory of 1120	3052	guimpe.exe	19
PID 3052 wrote to memory of 1120	3052	guimpe.exe	19
PID 3052 wrote to memory of 1120	3052	guimpe.exe	19
PID 3052 wrote to memory of 1120	3052	guimpe.exe	19
PID 3052 wrote to memory of 1120	3052	guimpe.exe	19
PID 3052 wrote to memory of 1184	3052	guimpe.exe	20
PID 3052 wrote to memory of 1184	3052	guimpe.exe	20
PID 3052 wrote to memory of 1184	3052	guimpe.exe	20
PID 3052 wrote to memory of 1184	3052	guimpe.exe	20
PID 3052 wrote to memory of 1184	3052	guimpe.exe	20
PID 3052 wrote to memory of 1236	3052	guimpe.exe	21
PID 3052 wrote to memory of 1236	3052	guimpe.exe	21
PID 3052 wrote to memory of 1236	3052	guimpe.exe	21
PID 3052 wrote to memory of 1236	3052	guimpe.exe	21
PID 3052 wrote to memory of 1236	3052	guimpe.exe	21
PID 3052 wrote to memory of 1288	3052	guimpe.exe	23
PID 3052 wrote to memory of 1288	3052	guimpe.exe	23
PID 3052 wrote to memory of 1288	3052	guimpe.exe	23
PID 3052 wrote to memory of 1288	3052	guimpe.exe	23
PID 3052 wrote to memory of 1288	3052	guimpe.exe	23
PID 3052 wrote to memory of 1984	3052	guimpe.exe	29
PID 3052 wrote to memory of 1984	3052	guimpe.exe	29
PID 3052 wrote to memory of 1984	3052	guimpe.exe	29
PID 3052 wrote to memory of 1984	3052	guimpe.exe	29
PID 3052 wrote to memory of 1984	3052	guimpe.exe	29
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31
PID 1984 wrote to memory of 348	1984	34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe
  "C:\Users\Admin\AppData\Local\Temp\34d886d7d1459b6d421a3e4747d85eeaf9d43b0c24780c153ab6a700f287072eN.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\Uqix\guimpe.exe
    "C:\Users\Admin\AppData\Roaming\Uqix\guimpe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa1179738.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa1179738.bat

Filesize
309B

MD5
40dad91b15441de4331dca7983a92de0

SHA1
30261ab03802d61911e0cf7eab19eefe3bceab60

SHA256
1f9bbe3cc293d6d2657378138c9cb23879027a3412f13524a79d3d7cbf59d292

SHA512
ffd9609b7bd9a1d67cc8b831bd575b960f2bce5eee8930609c573aaf358e1336f76fc4640ebca8ee5d49ed6a8ea1b323a48d01fdc006ef9960783ffff50f6d65

Download Submit
\Users\Admin\AppData\Roaming\Uqix\guimpe.exe

Filesize
377KB

MD5
ef93378b4fa6d8b29bd8af6346274f97

SHA1
fde961a1f307a07090e8704d5df71b03969540f2

SHA256
16e080bac4635115e41c4d4db1fed9df34f557496b333f5487aa1d76be1b4b79

SHA512
cc974ad4d13b43615ced040f1c88175aeaba3b9c5c280106021c7b6cfcb5479fedbbd6792313dc758be0ba6105952f07aa85fcc2eec2ddf90810454e93ec475b

Download Submit
memory/1120-26-0x0000000002080000-0x00000000020C2000-memory.dmp

Filesize
264KB

Download
memory/1120-24-0x0000000002080000-0x00000000020C2000-memory.dmp

Filesize
264KB

Download
memory/1120-20-0x0000000002080000-0x00000000020C2000-memory.dmp

Filesize
264KB

Download
memory/1120-22-0x0000000002080000-0x00000000020C2000-memory.dmp

Filesize
264KB

Download
memory/1120-18-0x0000000002080000-0x00000000020C2000-memory.dmp

Filesize
264KB

Download
memory/1184-30-0x00000000001F0000-0x0000000000232000-memory.dmp

Filesize
264KB

Download
memory/1184-36-0x00000000001F0000-0x0000000000232000-memory.dmp

Filesize
264KB

Download
memory/1184-32-0x00000000001F0000-0x0000000000232000-memory.dmp

Filesize
264KB

Download
memory/1184-34-0x00000000001F0000-0x0000000000232000-memory.dmp

Filesize
264KB

Download
memory/1236-42-0x0000000002E90000-0x0000000002ED2000-memory.dmp

Filesize
264KB

Download
memory/1236-39-0x0000000002E90000-0x0000000002ED2000-memory.dmp

Filesize
264KB

Download
memory/1236-40-0x0000000002E90000-0x0000000002ED2000-memory.dmp

Filesize
264KB

Download
memory/1236-41-0x0000000002E90000-0x0000000002ED2000-memory.dmp

Filesize
264KB

Download
memory/1288-46-0x0000000001E70000-0x0000000001EB2000-memory.dmp

Filesize
264KB

Download
memory/1288-47-0x0000000001E70000-0x0000000001EB2000-memory.dmp

Filesize
264KB

Download
memory/1288-44-0x0000000001E70000-0x0000000001EB2000-memory.dmp

Filesize
264KB

Download
memory/1288-45-0x0000000001E70000-0x0000000001EB2000-memory.dmp

Filesize
264KB

Download
memory/1984-59-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-80-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-66-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-65-0x0000000077C80000-0x0000000077C81000-memory.dmp

Filesize
4KB

Download
memory/1984-63-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-61-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-57-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x0000000002310000-0x0000000002352000-memory.dmp

Filesize
264KB

Download
memory/1984-52-0x0000000002310000-0x0000000002352000-memory.dmp

Filesize
264KB

Download
memory/1984-50-0x0000000002310000-0x0000000002352000-memory.dmp

Filesize
264KB

Download
memory/1984-49-0x0000000002310000-0x0000000002352000-memory.dmp

Filesize
264KB

Download
memory/1984-68-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-72-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-74-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-78-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-138-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-76-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000380000-0x00000000003E1000-memory.dmp

Filesize
388KB

Download
memory/1984-56-0x0000000002310000-0x0000000002352000-memory.dmp

Filesize
264KB

Download
memory/1984-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-0-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/3052-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-15-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3052-279-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3052-280-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3052-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download