38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c

Analysis

max time kernel
169s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe
Size

366KB
MD5

04ec27e0d9aec6e5feda7ec835d80af0
SHA1

6277bba0f58a067d0098a881301d29756994393a
SHA256

38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c
SHA512

3b504cd13c412f8a933b42d6d3c2cedb91c4286cfb82cd382cfd2f85a2d0d47aa69ee2335f697b52b94f6d3d3a97423c4f27edbb03a0114d6f4add81d7d2fb23
SSDEEP

6144:jVJnk1u+bfx1qrGtkrFaMhimQ2rlIc/BJd9jFOaUXnx/oqrAzC5e2A:Hk1xfx1qsePi0ZLTfjFOaUXjrAzEe9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	oviq.exe

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe
900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	oviq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Jeuszu\\oviq.exe"	oviq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe
952	oviq.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe
952	oviq.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 952	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	27
PID 900 wrote to memory of 952	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	27
PID 900 wrote to memory of 952	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	27
PID 900 wrote to memory of 952	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	27
PID 952 wrote to memory of 1124	952	oviq.exe	15
PID 952 wrote to memory of 1124	952	oviq.exe	15
PID 952 wrote to memory of 1124	952	oviq.exe	15
PID 952 wrote to memory of 1124	952	oviq.exe	15
PID 952 wrote to memory of 1124	952	oviq.exe	15
PID 952 wrote to memory of 1184	952	oviq.exe	14
PID 952 wrote to memory of 1184	952	oviq.exe	14
PID 952 wrote to memory of 1184	952	oviq.exe	14
PID 952 wrote to memory of 1184	952	oviq.exe	14
PID 952 wrote to memory of 1184	952	oviq.exe	14
PID 952 wrote to memory of 1244	952	oviq.exe	13
PID 952 wrote to memory of 1244	952	oviq.exe	13
PID 952 wrote to memory of 1244	952	oviq.exe	13
PID 952 wrote to memory of 1244	952	oviq.exe	13
PID 952 wrote to memory of 1244	952	oviq.exe	13
PID 952 wrote to memory of 900	952	oviq.exe	26
PID 952 wrote to memory of 900	952	oviq.exe	26
PID 952 wrote to memory of 900	952	oviq.exe	26
PID 952 wrote to memory of 900	952	oviq.exe	26
PID 952 wrote to memory of 900	952	oviq.exe	26
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28
PID 900 wrote to memory of 1712	900	38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe
  "C:\Users\Admin\AppData\Local\Temp\38b27af99733f329236655f78bcfb2c949a2105ad4b02b0d6b88ef259850799c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe
    "C:\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a7e56d3.bat"
    3⤵
    - Deletes itself
    PID:1712

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6a7e56d3.bat

Filesize
307B

MD5
db33b56a83d8f93a4c22245eccb114b9

SHA1
84d069960c7ba303d9b63554fbdc7adbba70d0e0

SHA256
a91d67bd1c9dc52677ed179c953f227667125a31adccad96f236af05aba9f9bb

SHA512
6c07c0d6d002009bbd65bfbe9657c6863c8cbed97d0f55655bf5452d3814a17ad51261c13a9b1b412b5b8ec275acc67296937f763bfa3444d751e4b0b0384f8d

Download Submit
C:\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe

Filesize
366KB

MD5
352cdd8360b4ca43541d9b2c47e4ce35

SHA1
4abbb3fa68d0cf2e9b722f8607c8398981f30103

SHA256
9b35b23ef07f08c4367132b4d226959dcd7820fed787c21aea90b438bb6f9bdf

SHA512
b20071ce751e27421b200d606d86def3c1500f5bf60f319720746124600cb1a5ede66d09d7de52604bdb6b602c6552dd064df7f69e598a1c106127d893758839

Download Submit
C:\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe

Filesize
366KB

MD5
352cdd8360b4ca43541d9b2c47e4ce35

SHA1
4abbb3fa68d0cf2e9b722f8607c8398981f30103

SHA256
9b35b23ef07f08c4367132b4d226959dcd7820fed787c21aea90b438bb6f9bdf

SHA512
b20071ce751e27421b200d606d86def3c1500f5bf60f319720746124600cb1a5ede66d09d7de52604bdb6b602c6552dd064df7f69e598a1c106127d893758839

Download Submit
\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe

Filesize
366KB

MD5
352cdd8360b4ca43541d9b2c47e4ce35

SHA1
4abbb3fa68d0cf2e9b722f8607c8398981f30103

SHA256
9b35b23ef07f08c4367132b4d226959dcd7820fed787c21aea90b438bb6f9bdf

SHA512
b20071ce751e27421b200d606d86def3c1500f5bf60f319720746124600cb1a5ede66d09d7de52604bdb6b602c6552dd064df7f69e598a1c106127d893758839

Download Submit
\Users\Admin\AppData\Roaming\Jeuszu\oviq.exe

Filesize
366KB

MD5
352cdd8360b4ca43541d9b2c47e4ce35

SHA1
4abbb3fa68d0cf2e9b722f8607c8398981f30103

SHA256
9b35b23ef07f08c4367132b4d226959dcd7820fed787c21aea90b438bb6f9bdf

SHA512
b20071ce751e27421b200d606d86def3c1500f5bf60f319720746124600cb1a5ede66d09d7de52604bdb6b602c6552dd064df7f69e598a1c106127d893758839

Download Submit
memory/900-83-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/900-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-96-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/900-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-98-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/900-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/900-95-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/900-86-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/900-85-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/900-84-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/952-102-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/952-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/952-103-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1124-67-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1124-65-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1124-63-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1184-74-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1184-73-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1184-72-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1184-71-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1244-78-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1244-79-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1244-77-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1712-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1712-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1712-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1712-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1712-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download