32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe
Size

311KB
MD5

1805da093d14dce4466aac6574252ee0
SHA1

e4e28ccef363ce2f0dd0e10896191f4c66c04cc1
SHA256

32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466
SHA512

c3013354131c9a5a56c77d260708dcd8cd5bb7062f7547078685a0743fd0febfe2a4b62fc96a36962a91c7667c9db1cf24baee60c19d86a3ab2a1adb30be4631
SSDEEP

6144:ff1eELPVMcyWzdiGTjj+5oUBl06CoYEcnOkwYKrivp6fyRU:ffDpyWzdTCouqbEBGvp8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1604	odalcu.exe

Deletes itself 1 IoCs

pid	Process
840	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Uszere\\odalcu.exe"	odalcu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	odalcu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe
1604	odalcu.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1604	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	27
PID 1488 wrote to memory of 1604	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	27
PID 1488 wrote to memory of 1604	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	27
PID 1488 wrote to memory of 1604	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	27
PID 1604 wrote to memory of 1228	1604	odalcu.exe	12
PID 1604 wrote to memory of 1228	1604	odalcu.exe	12
PID 1604 wrote to memory of 1228	1604	odalcu.exe	12
PID 1604 wrote to memory of 1228	1604	odalcu.exe	12
PID 1604 wrote to memory of 1228	1604	odalcu.exe	12
PID 1604 wrote to memory of 1316	1604	odalcu.exe	11
PID 1604 wrote to memory of 1316	1604	odalcu.exe	11
PID 1604 wrote to memory of 1316	1604	odalcu.exe	11
PID 1604 wrote to memory of 1316	1604	odalcu.exe	11
PID 1604 wrote to memory of 1316	1604	odalcu.exe	11
PID 1604 wrote to memory of 1352	1604	odalcu.exe	10
PID 1604 wrote to memory of 1352	1604	odalcu.exe	10
PID 1604 wrote to memory of 1352	1604	odalcu.exe	10
PID 1604 wrote to memory of 1352	1604	odalcu.exe	10
PID 1604 wrote to memory of 1352	1604	odalcu.exe	10
PID 1604 wrote to memory of 1488	1604	odalcu.exe	26
PID 1604 wrote to memory of 1488	1604	odalcu.exe	26
PID 1604 wrote to memory of 1488	1604	odalcu.exe	26
PID 1604 wrote to memory of 1488	1604	odalcu.exe	26
PID 1604 wrote to memory of 1488	1604	odalcu.exe	26
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28
PID 1488 wrote to memory of 840	1488	32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe
  "C:\Users\Admin\AppData\Local\Temp\32d72efdd9e2788bea225e149c7fdbcfac07c63eaae6f330bacc2d858fcbe466.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Roaming\Uszere\odalcu.exe
    "C:\Users\Admin\AppData\Roaming\Uszere\odalcu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp31b8fe91.bat"
    3⤵
    - Deletes itself
    PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31b8fe91.bat

Filesize
307B

MD5
08188ed4384b3db671023753e96f60d6

SHA1
77b8fb26a4d89c8350ff6c0d1e4e025fcf40aeb4

SHA256
862471906ab2fc091c5194a57ddb7a78dacd67f25e015051a121974b01110804

SHA512
2cda4f334e1764303e786be51945f6ec74d9d4dc6d93f6aef922fe48b3afe02783d0dcddfda964516e5bab688096a5518855080a656a4765fe7e24838bfc3294

Download Submit
C:\Users\Admin\AppData\Roaming\Uszere\odalcu.exe

Filesize
311KB

MD5
58bfc421286907b0b2acb792fc49f2b4

SHA1
0e613297743144a08b533541f4362a1c78ffb06c

SHA256
162109fced44052495be6180ca9ca6c10d3f1fc760dbe05e27d1e71f6a55faae

SHA512
e1ef5e73515cf2c8c9f02a756fa2998128646e5b4144f31715c6c35aeb4fa5da7d5bcdf86c5df5bca85b14607ac26f25653d5c03beea37daaa54979e1f010c17

Download Submit
C:\Users\Admin\AppData\Roaming\Uszere\odalcu.exe

Filesize
311KB

MD5
58bfc421286907b0b2acb792fc49f2b4

SHA1
0e613297743144a08b533541f4362a1c78ffb06c

SHA256
162109fced44052495be6180ca9ca6c10d3f1fc760dbe05e27d1e71f6a55faae

SHA512
e1ef5e73515cf2c8c9f02a756fa2998128646e5b4144f31715c6c35aeb4fa5da7d5bcdf86c5df5bca85b14607ac26f25653d5c03beea37daaa54979e1f010c17

Download Submit
\Users\Admin\AppData\Roaming\Uszere\odalcu.exe

Filesize
311KB

MD5
58bfc421286907b0b2acb792fc49f2b4

SHA1
0e613297743144a08b533541f4362a1c78ffb06c

SHA256
162109fced44052495be6180ca9ca6c10d3f1fc760dbe05e27d1e71f6a55faae

SHA512
e1ef5e73515cf2c8c9f02a756fa2998128646e5b4144f31715c6c35aeb4fa5da7d5bcdf86c5df5bca85b14607ac26f25653d5c03beea37daaa54979e1f010c17

Download Submit
memory/840-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1228-70-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/1228-68-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/1228-66-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/1228-71-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/1228-69-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/1316-74-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1316-75-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1316-76-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1316-77-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1352-83-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/1352-82-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/1352-80-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/1352-81-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/1488-88-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1488-54-0x0000000000A40000-0x0000000000A90000-memory.dmp

Filesize
320KB

Download
memory/1488-86-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1488-87-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1488-89-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1488-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-91-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/1488-102-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-55-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1488-63-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/1488-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-100-0x0000000000A40000-0x0000000000A90000-memory.dmp

Filesize
320KB

Download
memory/1488-101-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1604-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1604-64-0x00000000009F0000-0x0000000000A40000-memory.dmp

Filesize
320KB

Download
memory/1604-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1604-107-0x00000000009F0000-0x0000000000A40000-memory.dmp

Filesize
320KB

Download