cb5c12b4a3fa286e1995422a88edf24b36f297395cf564bb21dd595d477626ab

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w9ks9.exe
Size

268KB
MD5

dae810ed8cf180a99a0c0572b4f8f9b5
SHA1

1923b46caac111b8fa04345cbfe9861e5fca7c32
SHA256

f781f7a6d12d8e7581fa4ccd6365f3026af61df4b4a1b2d27d56e8b6bf118aea
SHA512

5792e317bba8c5d4ca305fd427b03dd972e1e8057190695df6aac41b705ab7e3686fedb3da54fd806e1ebb04cc7a3eac1525a5f7a0c8e20279915a830505b7e8
SSDEEP

6144:SKDFWqyd3oxcdzOjcufgM7e3lSQtZ0PoOKEtq70uHRinFBqLTabu0W:lDwu+OjcufWlvQoOKEtY/xUBqLSxW

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	enesn.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	w9ks9.exe
2316	w9ks9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D82C35C8-3C80-AD4F-E5F4-3B51F60A184C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ipyh\\enesn.exe"	enesn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2948	2316	w9ks9.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w9ks9.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy	w9ks9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	w9ks9.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe
2836	enesn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2316	w9ks9.exe
2836	enesn.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2836	2316	w9ks9.exe	30
PID 2316 wrote to memory of 2836	2316	w9ks9.exe	30
PID 2316 wrote to memory of 2836	2316	w9ks9.exe	30
PID 2316 wrote to memory of 2836	2316	w9ks9.exe	30
PID 2836 wrote to memory of 1104	2836	enesn.exe	19
PID 2836 wrote to memory of 1104	2836	enesn.exe	19
PID 2836 wrote to memory of 1104	2836	enesn.exe	19
PID 2836 wrote to memory of 1104	2836	enesn.exe	19
PID 2836 wrote to memory of 1104	2836	enesn.exe	19
PID 2836 wrote to memory of 1168	2836	enesn.exe	20
PID 2836 wrote to memory of 1168	2836	enesn.exe	20
PID 2836 wrote to memory of 1168	2836	enesn.exe	20
PID 2836 wrote to memory of 1168	2836	enesn.exe	20
PID 2836 wrote to memory of 1168	2836	enesn.exe	20
PID 2836 wrote to memory of 1252	2836	enesn.exe	21
PID 2836 wrote to memory of 1252	2836	enesn.exe	21
PID 2836 wrote to memory of 1252	2836	enesn.exe	21
PID 2836 wrote to memory of 1252	2836	enesn.exe	21
PID 2836 wrote to memory of 1252	2836	enesn.exe	21
PID 2836 wrote to memory of 1348	2836	enesn.exe	23
PID 2836 wrote to memory of 1348	2836	enesn.exe	23
PID 2836 wrote to memory of 1348	2836	enesn.exe	23
PID 2836 wrote to memory of 1348	2836	enesn.exe	23
PID 2836 wrote to memory of 1348	2836	enesn.exe	23
PID 2836 wrote to memory of 2316	2836	enesn.exe	29
PID 2836 wrote to memory of 2316	2836	enesn.exe	29
PID 2836 wrote to memory of 2316	2836	enesn.exe	29
PID 2836 wrote to memory of 2316	2836	enesn.exe	29
PID 2836 wrote to memory of 2316	2836	enesn.exe	29
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31
PID 2316 wrote to memory of 2948	2316	w9ks9.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\w9ks9.exe
  "C:\Users\Admin\AppData\Local\Temp\w9ks9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Roaming\Ipyh\enesn.exe
    "C:\Users\Admin\AppData\Roaming\Ipyh\enesn.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp62b284cb.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62b284cb.bat

Filesize
189B

MD5
9c574ee52b3f4adae01498a7481f4d8a

SHA1
20869d75e53291852002f66814bb880b9cae0f8c

SHA256
438ba353ec6e93e03d00acb98f3cd43dcc3d1e43f35ed336cc2765fd5b55ffcc

SHA512
c4ade2e5cf037bffd09aa9bad0d2d097104be64449e2aa08e3ff0564aced302669b9cb7d44aa1774102a98f2a4eaf6d83a157442f7f208b923fb56583850abb5

Download Submit
\Users\Admin\AppData\Roaming\Ipyh\enesn.exe

Filesize
268KB

MD5
ac8df799e6d4a6be8aa982ef2c7cc329

SHA1
f7b9892572668b394281d35881a259d5abdd3004

SHA256
cb8d67a10f8cbee7b1b7118ec3d16e6ffa37df249de75aec989b098025e83d15

SHA512
34f73fdd486dad6952be3b87290b2f698e824712462b54ea5f140b48bee3fab8e0ccd99eca623f79bfbe7425bbdbe51da8a4f6311884cb13138386a844b756f2

Download Submit
memory/1104-18-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/1104-19-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/1104-21-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/1104-20-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/1104-22-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/1168-25-0x0000000002130000-0x0000000002172000-memory.dmp

Filesize
264KB

Download
memory/1168-27-0x0000000002130000-0x0000000002172000-memory.dmp

Filesize
264KB

Download
memory/1168-29-0x0000000002130000-0x0000000002172000-memory.dmp

Filesize
264KB

Download
memory/1168-31-0x0000000002130000-0x0000000002172000-memory.dmp

Filesize
264KB

Download
memory/1252-34-0x0000000002510000-0x0000000002552000-memory.dmp

Filesize
264KB

Download
memory/1252-35-0x0000000002510000-0x0000000002552000-memory.dmp

Filesize
264KB

Download
memory/1252-36-0x0000000002510000-0x0000000002552000-memory.dmp

Filesize
264KB

Download
memory/1252-37-0x0000000002510000-0x0000000002552000-memory.dmp

Filesize
264KB

Download
memory/1348-39-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1348-40-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1348-41-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1348-42-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/2316-49-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-45-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-134-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-158-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-58-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-52-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-50-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-48-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-59-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2316-47-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-1-0x0000000000370000-0x00000000003BA000-memory.dmp

Filesize
296KB

Download
memory/2316-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-46-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-15-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2836-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-276-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2836-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download