555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe
Size

388KB
MD5

8e8efacf252d4443acb6e413d62629e0
SHA1

47751ff44368426bd2ec626c185c723eac7d436e
SHA256

555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040
SHA512

6b6abf48faca95f9f4b8a50c469e4aaa6aba7c91418adc132e49c4aee09565767705ee39a0c3a46033d91b26f39ec89c6b7de8ae065d7e2ef25df74cbf8c7d6a
SSDEEP

6144:mR+XIjJUerLRzXQW/lU9dhG3vKDbgAXLm0MmSpNy0:mRyIjJU+VDT/lkECf7XpX0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	usvuoh.exe

Deletes itself 1 IoCs

pid	Process
884	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe
832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	usvuoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Owha\\usvuoh.exe"	usvuoh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe
1264	usvuoh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe
1264	usvuoh.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1264	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	28
PID 832 wrote to memory of 1264	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	28
PID 832 wrote to memory of 1264	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	28
PID 832 wrote to memory of 1264	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	28
PID 1264 wrote to memory of 1112	1264	usvuoh.exe	10
PID 1264 wrote to memory of 1112	1264	usvuoh.exe	10
PID 1264 wrote to memory of 1112	1264	usvuoh.exe	10
PID 1264 wrote to memory of 1112	1264	usvuoh.exe	10
PID 1264 wrote to memory of 1112	1264	usvuoh.exe	10
PID 1264 wrote to memory of 1180	1264	usvuoh.exe	16
PID 1264 wrote to memory of 1180	1264	usvuoh.exe	16
PID 1264 wrote to memory of 1180	1264	usvuoh.exe	16
PID 1264 wrote to memory of 1180	1264	usvuoh.exe	16
PID 1264 wrote to memory of 1180	1264	usvuoh.exe	16
PID 1264 wrote to memory of 1208	1264	usvuoh.exe	15
PID 1264 wrote to memory of 1208	1264	usvuoh.exe	15
PID 1264 wrote to memory of 1208	1264	usvuoh.exe	15
PID 1264 wrote to memory of 1208	1264	usvuoh.exe	15
PID 1264 wrote to memory of 1208	1264	usvuoh.exe	15
PID 1264 wrote to memory of 832	1264	usvuoh.exe	27
PID 1264 wrote to memory of 832	1264	usvuoh.exe	27
PID 1264 wrote to memory of 832	1264	usvuoh.exe	27
PID 1264 wrote to memory of 832	1264	usvuoh.exe	27
PID 1264 wrote to memory of 832	1264	usvuoh.exe	27
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 832 wrote to memory of 884	832	555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe	29
PID 1264 wrote to memory of 1716	1264	usvuoh.exe	31
PID 1264 wrote to memory of 1716	1264	usvuoh.exe	31
PID 1264 wrote to memory of 1716	1264	usvuoh.exe	31
PID 1264 wrote to memory of 1716	1264	usvuoh.exe	31
PID 1264 wrote to memory of 1716	1264	usvuoh.exe	31
PID 1264 wrote to memory of 1572	1264	usvuoh.exe	32
PID 1264 wrote to memory of 1572	1264	usvuoh.exe	32
PID 1264 wrote to memory of 1572	1264	usvuoh.exe	32
PID 1264 wrote to memory of 1572	1264	usvuoh.exe	32
PID 1264 wrote to memory of 1572	1264	usvuoh.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe
  "C:\Users\Admin\AppData\Local\Temp\555e225ec9a5d67192873c1d59ae5a330f82abe295f1765a8c61f003f8151040.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Roaming\Owha\usvuoh.exe
    "C:\Users\Admin\AppData\Roaming\Owha\usvuoh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa8dd8031.bat"
    3⤵
    - Deletes itself
    PID:884

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa8dd8031.bat

Filesize
307B

MD5
db7b6912b8aa3039b534d0b55d091525

SHA1
18bbe5bebf085fe54b8406e626d0c6ab1d5878bf

SHA256
535ac15a4f0cd81e951caf3923ad6c6902ba14415cac5747a85064ab5e0c9618

SHA512
c29a47cb97b7d128ea718a7d0b3d6ed392609b954a8ec916c6107b8b743d08e5f238e9293971d2586a0d92cd76fffeab0138910f85d689941c7cb3b088c5b168

Download Submit
C:\Users\Admin\AppData\Roaming\Owha\usvuoh.exe

Filesize
388KB

MD5
e743c07adc0ba9af8f32fe300842dc5d

SHA1
abebe45ff336685e3e1198f98336eaf5e8313166

SHA256
739c6f4590300f2ce543a169c2bc7e5faaa6061b9652812204d9b7894495852d

SHA512
66294777bf636b7cccc1321ccaa55d431ecafcdd4f9dc2cb4c09cac9bff9fdd3dfbd1e236763e634fb2a89b84048ec509f555310c3632a2573d06f95bf1e76d7

Download Submit
C:\Users\Admin\AppData\Roaming\Owha\usvuoh.exe

Filesize
388KB

MD5
e743c07adc0ba9af8f32fe300842dc5d

SHA1
abebe45ff336685e3e1198f98336eaf5e8313166

SHA256
739c6f4590300f2ce543a169c2bc7e5faaa6061b9652812204d9b7894495852d

SHA512
66294777bf636b7cccc1321ccaa55d431ecafcdd4f9dc2cb4c09cac9bff9fdd3dfbd1e236763e634fb2a89b84048ec509f555310c3632a2573d06f95bf1e76d7

Download Submit
\Users\Admin\AppData\Roaming\Owha\usvuoh.exe

Filesize
388KB

MD5
e743c07adc0ba9af8f32fe300842dc5d

SHA1
abebe45ff336685e3e1198f98336eaf5e8313166

SHA256
739c6f4590300f2ce543a169c2bc7e5faaa6061b9652812204d9b7894495852d

SHA512
66294777bf636b7cccc1321ccaa55d431ecafcdd4f9dc2cb4c09cac9bff9fdd3dfbd1e236763e634fb2a89b84048ec509f555310c3632a2573d06f95bf1e76d7

Download Submit
\Users\Admin\AppData\Roaming\Owha\usvuoh.exe

Filesize
388KB

MD5
e743c07adc0ba9af8f32fe300842dc5d

SHA1
abebe45ff336685e3e1198f98336eaf5e8313166

SHA256
739c6f4590300f2ce543a169c2bc7e5faaa6061b9652812204d9b7894495852d

SHA512
66294777bf636b7cccc1321ccaa55d431ecafcdd4f9dc2cb4c09cac9bff9fdd3dfbd1e236763e634fb2a89b84048ec509f555310c3632a2573d06f95bf1e76d7

Download Submit
memory/832-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-100-0x0000000001E20000-0x0000000001E89000-memory.dmp

Filesize
420KB

Download
memory/832-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/832-103-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/832-91-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/832-86-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/832-85-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/832-84-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/832-83-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/832-95-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/832-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-93-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/884-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/884-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/884-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/884-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/884-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1112-63-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-67-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-66-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-65-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-68-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1180-74-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-71-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-72-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-73-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1208-77-0x00000000025E0000-0x0000000002624000-memory.dmp

Filesize
272KB

Download
memory/1208-78-0x00000000025E0000-0x0000000002624000-memory.dmp

Filesize
272KB

Download
memory/1208-80-0x00000000025E0000-0x0000000002624000-memory.dmp

Filesize
272KB

Download
memory/1208-79-0x00000000025E0000-0x0000000002624000-memory.dmp

Filesize
272KB

Download
memory/1264-98-0x0000000000370000-0x00000000003D9000-memory.dmp

Filesize
420KB

Download
memory/1264-99-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1264-97-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1264-107-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1572-116-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1572-118-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1572-117-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1572-119-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1716-111-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1716-112-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1716-113-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1716-110-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download