24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe
Size

414KB
MD5

af30f071234a0b12342f6f40ca61f01c
SHA1

0809efdfce74643f09ef788d1b26bb4e8d472f65
SHA256

24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4
SHA512

79adecf6a216583a5b7a9e4e0b50af07f0d0bf08f4de6db4b0c292ad7daff4d3c2a089b5d460b4b12af3753604af15223c76f5cb20e06b5486b855e61d448916
SSDEEP

6144:s5CFwkhdy8ly0ZYv59234BBWDoP1e6A8uCJsaE+N8PVT5BcOsg:k+wUdyjEYv592IADoP13uJ4YBB5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1336	odypek.exe

Deletes itself 1 IoCs

pid	Process
432	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe
1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	odypek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Axosko\\odypek.exe"	odypek.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe
1336	odypek.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe
1336	odypek.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1336	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	26
PID 1504 wrote to memory of 1336	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	26
PID 1504 wrote to memory of 1336	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	26
PID 1504 wrote to memory of 1336	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	26
PID 1336 wrote to memory of 1260	1336	odypek.exe	17
PID 1336 wrote to memory of 1260	1336	odypek.exe	17
PID 1336 wrote to memory of 1260	1336	odypek.exe	17
PID 1336 wrote to memory of 1260	1336	odypek.exe	17
PID 1336 wrote to memory of 1260	1336	odypek.exe	17
PID 1336 wrote to memory of 1344	1336	odypek.exe	11
PID 1336 wrote to memory of 1344	1336	odypek.exe	11
PID 1336 wrote to memory of 1344	1336	odypek.exe	11
PID 1336 wrote to memory of 1344	1336	odypek.exe	11
PID 1336 wrote to memory of 1344	1336	odypek.exe	11
PID 1336 wrote to memory of 1396	1336	odypek.exe	16
PID 1336 wrote to memory of 1396	1336	odypek.exe	16
PID 1336 wrote to memory of 1396	1336	odypek.exe	16
PID 1336 wrote to memory of 1396	1336	odypek.exe	16
PID 1336 wrote to memory of 1396	1336	odypek.exe	16
PID 1336 wrote to memory of 1504	1336	odypek.exe	25
PID 1336 wrote to memory of 1504	1336	odypek.exe	25
PID 1336 wrote to memory of 1504	1336	odypek.exe	25
PID 1336 wrote to memory of 1504	1336	odypek.exe	25
PID 1336 wrote to memory of 1504	1336	odypek.exe	25
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27
PID 1504 wrote to memory of 432	1504	24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe	27

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe
  "C:\Users\Admin\AppData\Local\Temp\24ebf6413d2c444c65f20691264afa0f2c2bc40d3dd5f9a5d6444cd8979cebe4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Roaming\Axosko\odypek.exe
    "C:\Users\Admin\AppData\Roaming\Axosko\odypek.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6ad5e49a.bat"
    3⤵
    - Deletes itself
    PID:432

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6ad5e49a.bat

Filesize
307B

MD5
8242bfd202172370e70652eabd093863

SHA1
7220f4dbd18ec03346e7dc48004c20096f12adac

SHA256
2d7cf3082d2738e955212b06c8f10a9c637a8587b757a43a434e7cf0f53806b8

SHA512
f6986f65f6757576b26a3e683b295ef9041366ce2604a35f8b5431139987470bfd6075a26fbeef06c83bf1d8ae21e5f849913ca0a6a2fb285cc4277fc611a1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Axosko\odypek.exe

Filesize
414KB

MD5
8d1df0a0be568d51083f5643d44adcf1

SHA1
cc357bf9cc6312ec15c0090e4c2c82ce49a02ff8

SHA256
d1971184f866302ca7cb904fe011bf7a65307a6c88642667cb76f764c6f0307a

SHA512
c34bbde3c534f4dcb285a6593dc76d153e0de4f39f7afa216b2eea8aaefe614503f65559a00cdd164c560e96f753b77636f099c29fd103e13dd2d4f5d671980c

Download Submit
C:\Users\Admin\AppData\Roaming\Axosko\odypek.exe

Filesize
414KB

MD5
8d1df0a0be568d51083f5643d44adcf1

SHA1
cc357bf9cc6312ec15c0090e4c2c82ce49a02ff8

SHA256
d1971184f866302ca7cb904fe011bf7a65307a6c88642667cb76f764c6f0307a

SHA512
c34bbde3c534f4dcb285a6593dc76d153e0de4f39f7afa216b2eea8aaefe614503f65559a00cdd164c560e96f753b77636f099c29fd103e13dd2d4f5d671980c

Download Submit
\Users\Admin\AppData\Roaming\Axosko\odypek.exe

Filesize
414KB

MD5
8d1df0a0be568d51083f5643d44adcf1

SHA1
cc357bf9cc6312ec15c0090e4c2c82ce49a02ff8

SHA256
d1971184f866302ca7cb904fe011bf7a65307a6c88642667cb76f764c6f0307a

SHA512
c34bbde3c534f4dcb285a6593dc76d153e0de4f39f7afa216b2eea8aaefe614503f65559a00cdd164c560e96f753b77636f099c29fd103e13dd2d4f5d671980c

Download Submit
\Users\Admin\AppData\Roaming\Axosko\odypek.exe

Filesize
414KB

MD5
8d1df0a0be568d51083f5643d44adcf1

SHA1
cc357bf9cc6312ec15c0090e4c2c82ce49a02ff8

SHA256
d1971184f866302ca7cb904fe011bf7a65307a6c88642667cb76f764c6f0307a

SHA512
c34bbde3c534f4dcb285a6593dc76d153e0de4f39f7afa216b2eea8aaefe614503f65559a00cdd164c560e96f753b77636f099c29fd103e13dd2d4f5d671980c

Download Submit
memory/432-90-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/432-92-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/432-105-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/432-93-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/432-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/432-94-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1260-66-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1260-69-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1260-68-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1260-67-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1260-64-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1336-97-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1336-96-0x0000000000310000-0x000000000035C000-memory.dmp

Filesize
304KB

Download
memory/1344-72-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1344-73-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1344-74-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1344-75-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1396-80-0x0000000002540000-0x000000000258C000-memory.dmp

Filesize
304KB

Download
memory/1396-81-0x0000000002540000-0x000000000258C000-memory.dmp

Filesize
304KB

Download
memory/1396-78-0x0000000002540000-0x000000000258C000-memory.dmp

Filesize
304KB

Download
memory/1396-79-0x0000000002540000-0x000000000258C000-memory.dmp

Filesize
304KB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-84-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1504-95-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1504-87-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1504-85-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1504-98-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1504-101-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1504-100-0x0000000000320000-0x000000000036C000-memory.dmp

Filesize
304KB

Download
memory/1504-86-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1504-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1504-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1504-55-0x0000000000320000-0x000000000036C000-memory.dmp

Filesize
304KB

Download