608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91

General

Target

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
Size

187KB
MD5

2c9525ae85eb7baac4af5107cc66c7a5
SHA1

db20b571beb9af2b436bd957469083210b08bdd6
SHA256

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91
SHA512

81f1abe3e922b4027d674765d8dc36b468b75afb33c9045f48b4cc5fe40ea992e8aaf8975dadad4c6684bc501728e1fd259062947f1adde19f9f585212aa0fc4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

odqee.exe

pid process

1764 odqee.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe

pid	process
1624	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

pid	process
1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

odqee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\Currentversion\Run	odqee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D3A68ADF-6C16-F847-8E97-75822C896C77} = "C:\\Users\\Admin\\AppData\\Roaming\\Ykrevo\\odqee.exe"	odqee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

description	pid	process	target process
PID 1804 set thread context of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Privacy	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

odqee.exe

pid	process
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe
1764	odqee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

description pid process

Token: SeSecurityPrivilege 1804 608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

description	pid	process
Token: SeSecurityPrivilege	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exeodqee.exe

description	pid	process	target process
PID 1804 wrote to memory of 1764	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	odqee.exe
PID 1804 wrote to memory of 1764	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	odqee.exe
PID 1804 wrote to memory of 1764	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	odqee.exe
PID 1804 wrote to memory of 1764	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	odqee.exe
PID 1764 wrote to memory of 1124	1764	odqee.exe	taskhost.exe
PID 1764 wrote to memory of 1124	1764	odqee.exe	taskhost.exe
PID 1764 wrote to memory of 1124	1764	odqee.exe	taskhost.exe
PID 1764 wrote to memory of 1124	1764	odqee.exe	taskhost.exe
PID 1764 wrote to memory of 1124	1764	odqee.exe	taskhost.exe
PID 1764 wrote to memory of 1168	1764	odqee.exe	Dwm.exe
PID 1764 wrote to memory of 1168	1764	odqee.exe	Dwm.exe
PID 1764 wrote to memory of 1168	1764	odqee.exe	Dwm.exe
PID 1764 wrote to memory of 1168	1764	odqee.exe	Dwm.exe
PID 1764 wrote to memory of 1168	1764	odqee.exe	Dwm.exe
PID 1764 wrote to memory of 1224	1764	odqee.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	odqee.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	odqee.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	odqee.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	odqee.exe	Explorer.EXE
PID 1764 wrote to memory of 1804	1764	odqee.exe	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
PID 1764 wrote to memory of 1804	1764	odqee.exe	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
PID 1764 wrote to memory of 1804	1764	odqee.exe	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
PID 1764 wrote to memory of 1804	1764	odqee.exe	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
PID 1764 wrote to memory of 1804	1764	odqee.exe	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe
PID 1804 wrote to memory of 1624	1804	608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe
"C:\Users\Admin\AppData\Local\Temp\608876df58ef20d0c0586e42a87d9a423f1fcc23959bcb47055aadfb05739b91.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe
"C:\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd92c1ee2.bat"
3⤵
- Deletes itself
PID:1624

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd92c1ee2.bat
MD5
d87acb3fea5320c5c0a562326e444fca

SHA1
71531fba724bf18da372b75c2ae102157e440a68

SHA256
1adb5431e1ae94516b1883774e039b376389c532d710d1e2a7f32542d1d74d89

SHA512
01693a00c9ad0203d4295d0527fd9ab20efd5564e37eb2ad5823341e982a5c63e0ae95eee254dc1a91688fe381833d820f40dc576b013a4b1ec90e9a7393b5c9

Download Submit
C:\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe
MD5
ce2fe36ad54f0b59b78d6fb74946d8ea

SHA1
a85f7372c29c6d7d85bd1dadbfdc7a4c00fd3fb2

SHA256
d2f8800643fec20f45f3b73b9ca9756d7dfd94536424ccf7722767d86ee7b1d3

SHA512
4001d2b25d4299a5ce60b41aaabcf80ae3708a89b66dfb38b1d4e33ddd77d323c0182aec44049dd54034c48f0166bd97ebf972e9f1361ddf0092cb6aa7be4f30

Download Submit
C:\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe
MD5
ce2fe36ad54f0b59b78d6fb74946d8ea

SHA1
a85f7372c29c6d7d85bd1dadbfdc7a4c00fd3fb2

SHA256
d2f8800643fec20f45f3b73b9ca9756d7dfd94536424ccf7722767d86ee7b1d3

SHA512
4001d2b25d4299a5ce60b41aaabcf80ae3708a89b66dfb38b1d4e33ddd77d323c0182aec44049dd54034c48f0166bd97ebf972e9f1361ddf0092cb6aa7be4f30

Download Submit
\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe
MD5
ce2fe36ad54f0b59b78d6fb74946d8ea

SHA1
a85f7372c29c6d7d85bd1dadbfdc7a4c00fd3fb2

SHA256
d2f8800643fec20f45f3b73b9ca9756d7dfd94536424ccf7722767d86ee7b1d3

SHA512
4001d2b25d4299a5ce60b41aaabcf80ae3708a89b66dfb38b1d4e33ddd77d323c0182aec44049dd54034c48f0166bd97ebf972e9f1361ddf0092cb6aa7be4f30

Download Submit
\Users\Admin\AppData\Roaming\Ykrevo\odqee.exe
MD5
ce2fe36ad54f0b59b78d6fb74946d8ea

SHA1
a85f7372c29c6d7d85bd1dadbfdc7a4c00fd3fb2

SHA256
d2f8800643fec20f45f3b73b9ca9756d7dfd94536424ccf7722767d86ee7b1d3

SHA512
4001d2b25d4299a5ce60b41aaabcf80ae3708a89b66dfb38b1d4e33ddd77d323c0182aec44049dd54034c48f0166bd97ebf972e9f1361ddf0092cb6aa7be4f30

Download Submit
memory/1624-6-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1624-7-0x0000000000056FEE-mapping.dmp

Download
memory/1764-2-0x0000000000000000-mapping.dmp

Download
memory/1804-5-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads