a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe
Size

374KB
MD5

a4a4e10bbbe8b039c5a66303bbf1d7c7
SHA1

de6be64208fe4362823e4e6f850bb60dd1166b9e
SHA256

a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d
SHA512

eba5e8e61a18538a1c7b3d0b5b3d372913ed739fe49128800247c5310a03d0d65192abd539c5cda9d194648777b9c799792732fdc6479441e5787141b8fc478d
SSDEEP

6144:sAXnI5hWP3cPkLCWp+kxLaazQ/rJ6aQ/UReERT2ElYRktprr58:sA45h83cPkLXp+k5bzQ/V6a/04eury

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	vuom.exe

Deletes itself 1 IoCs

pid	Process
1704	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe
1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	vuom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Atode\\vuom.exe"	vuom.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe
2008	vuom.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe
2008	vuom.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2008	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	27
PID 1572 wrote to memory of 2008	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	27
PID 1572 wrote to memory of 2008	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	27
PID 1572 wrote to memory of 2008	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	27
PID 2008 wrote to memory of 1260	2008	vuom.exe	11
PID 2008 wrote to memory of 1260	2008	vuom.exe	11
PID 2008 wrote to memory of 1260	2008	vuom.exe	11
PID 2008 wrote to memory of 1260	2008	vuom.exe	11
PID 2008 wrote to memory of 1260	2008	vuom.exe	11
PID 2008 wrote to memory of 1364	2008	vuom.exe	9
PID 2008 wrote to memory of 1364	2008	vuom.exe	9
PID 2008 wrote to memory of 1364	2008	vuom.exe	9
PID 2008 wrote to memory of 1364	2008	vuom.exe	9
PID 2008 wrote to memory of 1364	2008	vuom.exe	9
PID 2008 wrote to memory of 1420	2008	vuom.exe	8
PID 2008 wrote to memory of 1420	2008	vuom.exe	8
PID 2008 wrote to memory of 1420	2008	vuom.exe	8
PID 2008 wrote to memory of 1420	2008	vuom.exe	8
PID 2008 wrote to memory of 1420	2008	vuom.exe	8
PID 2008 wrote to memory of 1572	2008	vuom.exe	10
PID 2008 wrote to memory of 1572	2008	vuom.exe	10
PID 2008 wrote to memory of 1572	2008	vuom.exe	10
PID 2008 wrote to memory of 1572	2008	vuom.exe	10
PID 2008 wrote to memory of 1572	2008	vuom.exe	10
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 1572 wrote to memory of 1704	1572	a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe	28
PID 2008 wrote to memory of 964	2008	vuom.exe	30
PID 2008 wrote to memory of 964	2008	vuom.exe	30
PID 2008 wrote to memory of 964	2008	vuom.exe	30
PID 2008 wrote to memory of 964	2008	vuom.exe	30
PID 2008 wrote to memory of 964	2008	vuom.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe
  "C:\Users\Admin\AppData\Local\Temp\a6e48771a34ec19481eccab97fe3e267aaf3f19458548a5b1f81e5f97aeb420d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Roaming\Atode\vuom.exe
    "C:\Users\Admin\AppData\Roaming\Atode\vuom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3e19890c.bat"
    3⤵
    - Deletes itself
    PID:1704

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3e19890c.bat

Filesize
307B

MD5
754eb866e1f52307f7abc677ce5f5a7a

SHA1
9c64fe021d8b6f0d578aac009a69d7e225975d64

SHA256
8d0d6a99c95e7a7814b67913741cbc8f54d14dbef47630714b9416d474bb3899

SHA512
179a50722ba2d72155ca3bff560edb6b395189362502bda212e593683253324b25441ba8adf8f0a1c58ba0449fec04a9d0b5d9c2680e725b95cc6c8759066e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Atode\vuom.exe

Filesize
374KB

MD5
33e40b80ca176b2723242d53973df93d

SHA1
f95c99712932b741fbf06bc791f71e4e4a6e770c

SHA256
2010bde22a24255c8f30b415e76b7e5207e559db276e7fd4dcaa4f379323d10b

SHA512
60abb71690106efd88d209ea03576565d85d186c5d0c99571cfe76af6ef466c0d34751e2cdd35cc4c68d40dd5bd2e56333f3fe999f7c5c2a35e3fbd16a4969e9

Download Submit
C:\Users\Admin\AppData\Roaming\Atode\vuom.exe

Filesize
374KB

MD5
33e40b80ca176b2723242d53973df93d

SHA1
f95c99712932b741fbf06bc791f71e4e4a6e770c

SHA256
2010bde22a24255c8f30b415e76b7e5207e559db276e7fd4dcaa4f379323d10b

SHA512
60abb71690106efd88d209ea03576565d85d186c5d0c99571cfe76af6ef466c0d34751e2cdd35cc4c68d40dd5bd2e56333f3fe999f7c5c2a35e3fbd16a4969e9

Download Submit
\Users\Admin\AppData\Roaming\Atode\vuom.exe

Filesize
374KB

MD5
33e40b80ca176b2723242d53973df93d

SHA1
f95c99712932b741fbf06bc791f71e4e4a6e770c

SHA256
2010bde22a24255c8f30b415e76b7e5207e559db276e7fd4dcaa4f379323d10b

SHA512
60abb71690106efd88d209ea03576565d85d186c5d0c99571cfe76af6ef466c0d34751e2cdd35cc4c68d40dd5bd2e56333f3fe999f7c5c2a35e3fbd16a4969e9

Download Submit
\Users\Admin\AppData\Roaming\Atode\vuom.exe

Filesize
374KB

MD5
33e40b80ca176b2723242d53973df93d

SHA1
f95c99712932b741fbf06bc791f71e4e4a6e770c

SHA256
2010bde22a24255c8f30b415e76b7e5207e559db276e7fd4dcaa4f379323d10b

SHA512
60abb71690106efd88d209ea03576565d85d186c5d0c99571cfe76af6ef466c0d34751e2cdd35cc4c68d40dd5bd2e56333f3fe999f7c5c2a35e3fbd16a4969e9

Download Submit
memory/964-109-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/964-110-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/964-111-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/964-112-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1260-66-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1260-68-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1260-69-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1260-70-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1260-71-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1364-76-0x0000000001AE0000-0x0000000001B24000-memory.dmp

Filesize
272KB

Download
memory/1364-77-0x0000000001AE0000-0x0000000001B24000-memory.dmp

Filesize
272KB

Download
memory/1364-74-0x0000000001AE0000-0x0000000001B24000-memory.dmp

Filesize
272KB

Download
memory/1364-75-0x0000000001AE0000-0x0000000001B24000-memory.dmp

Filesize
272KB

Download
memory/1420-82-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/1420-83-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/1420-80-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/1420-81-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/1572-87-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1572-86-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1572-99-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1572-89-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1572-88-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1572-55-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1572-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1572-57-0x0000000000350000-0x00000000003B4000-memory.dmp

Filesize
400KB

Download
memory/1572-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1572-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1572-59-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1704-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-102-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/2008-103-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2008-104-0x0000000000470000-0x00000000004D4000-memory.dmp

Filesize
400KB

Download
memory/2008-105-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2008-106-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download