7a981d743a601ca2ae40f78547430bcd404f93520b0ba78e2ca53edf8a0f31f0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0c95be8a40ae5419f7d97bb3e91b2b.exe
Size

405KB
MD5

8a0c95be8a40ae5419f7d97bb3e91b2b
SHA1

3fb703474bc750c5e99da9ad5426128a8936a118
SHA256

b04637c11c63dd5a4a599d7104f0c5880717b5d5b32e0104de5a416963f06118
SHA512

2a474d39e985907afc0e7ea0ef0d46d0978ff60a19f3048578d6328228aad530340e3d1291fbd7da3368308501e81cacd4854c0f8b5e0bc634eb0860254935c8
SSDEEP

12288:v2EBbXiJU1L1l8XgxixExbY9+fZlYeFk9kZRyQWwVzxu:v2EVXiu1BlnxixExb3ptZUQP4

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2084 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

emaq.exe

pid process

2100 emaq.exe
Loads dropped DLL 2 IoCs

Processes:

8a0c95be8a40ae5419f7d97bb3e91b2b.exe

pid process

1700 8a0c95be8a40ae5419f7d97bb3e91b2b.exe
1700 8a0c95be8a40ae5419f7d97bb3e91b2b.exe

pid	process
2084	cmd.exe

pid	process
2100	emaq.exe

pid	process
1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\emaq.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Hiyfpi\\emaq.exe"	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

emaq.exe8a0c95be8a40ae5419f7d97bb3e91b2b.exe

description ioc process

File opened for modification \??\PhysicalDrive0 emaq.exe
File opened for modification \??\PhysicalDrive0 8a0c95be8a40ae5419f7d97bb3e91b2b.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	emaq.exe
File opened for modification	\??\PhysicalDrive0	8a0c95be8a40ae5419f7d97bb3e91b2b.exe

Modifies registry class 6 IoCs

Processes:

8a0c95be8a40ae5419f7d97bb3e91b2b.exeemaq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	emaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	emaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	emaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	8a0c95be8a40ae5419f7d97bb3e91b2b.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6C3D475F-00000001.eml:OECustomProperty WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6C3D475F-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

explorer.exeemaq.exe

pid	process
2664	explorer.exe
2100	emaq.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8a0c95be8a40ae5419f7d97bb3e91b2b.exeWinMail.exe

description pid process

Token: SeSecurityPrivilege 1700 8a0c95be8a40ae5419f7d97bb3e91b2b.exe
Token: SeManageVolumePrivilege 1732 WinMail.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1732 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1732 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1732 WinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
Token: SeManageVolumePrivilege	1732	WinMail.exe

pid	process
1732	WinMail.exe

pid	process
1732	WinMail.exe

pid	process
1732	WinMail.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

8a0c95be8a40ae5419f7d97bb3e91b2b.exeemaq.exeexplorer.exe

description	pid	process	target process
PID 1700 wrote to memory of 2100	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	emaq.exe
PID 1700 wrote to memory of 2100	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	emaq.exe
PID 1700 wrote to memory of 2100	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	emaq.exe
PID 1700 wrote to memory of 2100	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	emaq.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2100 wrote to memory of 2664	2100	emaq.exe	explorer.exe
PID 2664 wrote to memory of 1260	2664	explorer.exe	taskhost.exe
PID 2664 wrote to memory of 1260	2664	explorer.exe	taskhost.exe
PID 2664 wrote to memory of 1260	2664	explorer.exe	taskhost.exe
PID 2664 wrote to memory of 1260	2664	explorer.exe	taskhost.exe
PID 2664 wrote to memory of 1260	2664	explorer.exe	taskhost.exe
PID 2664 wrote to memory of 1328	2664	explorer.exe	Dwm.exe
PID 2664 wrote to memory of 1328	2664	explorer.exe	Dwm.exe
PID 2664 wrote to memory of 1328	2664	explorer.exe	Dwm.exe
PID 2664 wrote to memory of 1328	2664	explorer.exe	Dwm.exe
PID 2664 wrote to memory of 1328	2664	explorer.exe	Dwm.exe
PID 2664 wrote to memory of 1372	2664	explorer.exe	Explorer.EXE
PID 2664 wrote to memory of 1372	2664	explorer.exe	Explorer.EXE
PID 2664 wrote to memory of 1372	2664	explorer.exe	Explorer.EXE
PID 2664 wrote to memory of 1372	2664	explorer.exe	Explorer.EXE
PID 2664 wrote to memory of 1372	2664	explorer.exe	Explorer.EXE
PID 2664 wrote to memory of 1700	2664	explorer.exe	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
PID 2664 wrote to memory of 1700	2664	explorer.exe	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
PID 2664 wrote to memory of 1700	2664	explorer.exe	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
PID 2664 wrote to memory of 1700	2664	explorer.exe	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
PID 2664 wrote to memory of 1700	2664	explorer.exe	8a0c95be8a40ae5419f7d97bb3e91b2b.exe
PID 2664 wrote to memory of 2100	2664	explorer.exe	emaq.exe
PID 2664 wrote to memory of 2100	2664	explorer.exe	emaq.exe
PID 2664 wrote to memory of 2100	2664	explorer.exe	emaq.exe
PID 2664 wrote to memory of 2100	2664	explorer.exe	emaq.exe
PID 2664 wrote to memory of 2100	2664	explorer.exe	emaq.exe
PID 1700 wrote to memory of 2084	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	cmd.exe
PID 1700 wrote to memory of 2084	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	cmd.exe
PID 1700 wrote to memory of 2084	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	cmd.exe
PID 1700 wrote to memory of 2084	1700	8a0c95be8a40ae5419f7d97bb3e91b2b.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\8a0c95be8a40ae5419f7d97bb3e91b2b.exe
"C:\Users\Admin\AppData\Local\Temp\8a0c95be8a40ae5419f7d97bb3e91b2b.exe"
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Hiyfpi\emaq.exe
"C:\Users\Admin\AppData\Roaming\Hiyfpi\emaq.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpac937d9a.bat"
3⤵
- Deletes itself
PID:2084

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
318f36d78bc93c0a4306243cf5f17ca2

SHA1
476bb0ff42a06c9041428204ce5d1d5a608808ce

SHA256
a0e261636bda6a245431e79866526de394d56dfdec64d0e56cca23b029297e68

SHA512
b7a7e28ce1fcba20f84335f2573e23856cce5f8107b76ac960d6735790b224aef04ed8d8fa8afd2e3ac5e7186f1ea1a1948e8d0de046c8052db63ced6b73d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpac937d9a.bat
Filesize
243B

MD5
8767117e82151bbad8db6be77374029f

SHA1
1fac55d67797e2a1bec908232d16cb4bd81770bd

SHA256
9f461f089a9bc0f86aa9be62ae7d23ae0b59014e8e298d9b626f4a6d2eb26e15

SHA512
ed4ab61cfde26e8933b7358839f969adae9ff5639132013c1948d3511660b30aa98d61bdd7630dd285931f87f4ec6f376b54dea1d797171d460ef40150d73888

Download Submit
\Users\Admin\AppData\Roaming\Hiyfpi\emaq.exe
Filesize
405KB

MD5
47c47f3b45c333b2255f1189daad950b

SHA1
7e41822dc1189bc87d7f9bcda9f9112c9e7b4dd5

SHA256
019c12cc6bf285af6992d8b1fed9316a74e946ba815bad73b1ae99ed069fe6f3

SHA512
acde7752d0c296ad1573d3cb0dc1f8c20ceccbcef19cac32947b3db7ea62389ce8f5e20d48d5863924ace6a169edc94aec31ba18c27b5fc89727f0bf6a42cc49

Download Submit
memory/1700-16-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-39-0x00000000026F0000-0x00000000027D5000-memory.dmp

Filesize
916KB

Download
memory/1700-27-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-26-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-25-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-24-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-12-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-22-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-20-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-19-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-18-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-17-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-239-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1700-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1700-28-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-9-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-6-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-5-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-3-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1700-29-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1700-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1700-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1732-97-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1732-91-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1732-108-0x0000000003FE0000-0x0000000003FE2000-memory.dmp

Filesize
8KB

Download
memory/1732-116-0x0000000004020000-0x0000000004022000-memory.dmp

Filesize
8KB

Download
memory/1732-115-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/2100-40-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2100-237-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2664-88-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-84-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-81-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-79-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-77-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-69-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-83-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-67-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-87-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-73-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-86-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-85-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-75-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-90-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-89-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-65-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-63-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-61-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-42-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-44-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-48-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-51-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-52-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2664-59-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-57-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-55-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-53-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download