21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
Size

388KB
MD5

73f7b9c101b90e2dac28bd32c29aca80
SHA1

a17b7e465412b7364f38ee9b44357ee475b86b5d
SHA256

21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24
SHA512

49ab3916e55b9c83e100c609fad1571df7bffa7b327747c108fa3c061d0c71c7dd0e11f58b150edd2433243c3a66ba4f9209f4d7dc353045765db58f4fa37755
SSDEEP

6144:r1QOfKY6okmXBP1+EV/7XpzqAfveLO1/tjJNy4:xi69d+OT5zqA+E44

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
824	niyhf.exe
588	niyhf.exe

Deletes itself 1 IoCs

pid	Process
1272	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	niyhf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	niyhf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acsagux = "C:\\Users\\Admin\\AppData\\Roaming\\Ozeq\\niyhf.exe"	niyhf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 824 set thread context of 588	824	niyhf.exe	28

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe
588	niyhf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
Token: SeSecurityPrivilege	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
824	niyhf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1464 wrote to memory of 1696	1464	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	26
PID 1696 wrote to memory of 824	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	27
PID 1696 wrote to memory of 824	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	27
PID 1696 wrote to memory of 824	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	27
PID 1696 wrote to memory of 824	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	27
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 824 wrote to memory of 588	824	niyhf.exe	28
PID 1696 wrote to memory of 1272	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	29
PID 1696 wrote to memory of 1272	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	29
PID 1696 wrote to memory of 1272	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	29
PID 1696 wrote to memory of 1272	1696	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	29
PID 588 wrote to memory of 1228	588	niyhf.exe	7
PID 588 wrote to memory of 1228	588	niyhf.exe	7
PID 588 wrote to memory of 1228	588	niyhf.exe	7
PID 588 wrote to memory of 1228	588	niyhf.exe	7
PID 588 wrote to memory of 1228	588	niyhf.exe	7
PID 588 wrote to memory of 1308	588	niyhf.exe	13
PID 588 wrote to memory of 1308	588	niyhf.exe	13
PID 588 wrote to memory of 1308	588	niyhf.exe	13
PID 588 wrote to memory of 1308	588	niyhf.exe	13
PID 588 wrote to memory of 1308	588	niyhf.exe	13
PID 588 wrote to memory of 1360	588	niyhf.exe	12
PID 588 wrote to memory of 1360	588	niyhf.exe	12
PID 588 wrote to memory of 1360	588	niyhf.exe	12
PID 588 wrote to memory of 1360	588	niyhf.exe	12
PID 588 wrote to memory of 1360	588	niyhf.exe	12
PID 588 wrote to memory of 1840	588	niyhf.exe	31
PID 588 wrote to memory of 1840	588	niyhf.exe	31
PID 588 wrote to memory of 1840	588	niyhf.exe	31
PID 588 wrote to memory of 1840	588	niyhf.exe	31
PID 588 wrote to memory of 1840	588	niyhf.exe	31
PID 588 wrote to memory of 1888	588	niyhf.exe	32
PID 588 wrote to memory of 1888	588	niyhf.exe	32
PID 588 wrote to memory of 1888	588	niyhf.exe	32
PID 588 wrote to memory of 1888	588	niyhf.exe	32
PID 588 wrote to memory of 1888	588	niyhf.exe	32
PID 588 wrote to memory of 1948	588	niyhf.exe	33
PID 588 wrote to memory of 1948	588	niyhf.exe	33
PID 588 wrote to memory of 1948	588	niyhf.exe	33
PID 588 wrote to memory of 1948	588	niyhf.exe	33
PID 588 wrote to memory of 1948	588	niyhf.exe	33
PID 588 wrote to memory of 1564	588	niyhf.exe	34
PID 588 wrote to memory of 1564	588	niyhf.exe	34
PID 588 wrote to memory of 1564	588	niyhf.exe	34
PID 588 wrote to memory of 1564	588	niyhf.exe	34
PID 588 wrote to memory of 1564	588	niyhf.exe	34
PID 588 wrote to memory of 1352	588	niyhf.exe	35
PID 588 wrote to memory of 1352	588	niyhf.exe	35
PID 588 wrote to memory of 1352	588	niyhf.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
  "C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
    "C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe
      "C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe
        
        "C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf3159d00.bat"
      4⤵
      Deletes itself
      PID:1272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf3159d00.bat

Filesize
307B

MD5
b1be6c158afac40f89741af59787beec

SHA1
427ebd4e1a362b0e21fac50580e51e6d12409130

SHA256
afe7bdcf84a2c2b12514367f5ae1408a71e65f3f607ffe6f0b7cc024384f8c70

SHA512
3513c00c5e43eb9ae9385cbd6f033d3a9803603b45716234c1feaa41cc91cb624ee1ca1df62ae4a0e4da6ceba9dc33dc6c4cd107e3390554ee74cd22cb398806

Download Submit
C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe

Filesize
388KB

MD5
2388b86456832170b3eb6f42e9d2fcb8

SHA1
12331749e4bb9d2eddccd156491d81ca65dce217

SHA256
239f4ec2953f6b962666817d79e64c781973d471edd2a539950e6b8dac7d62e8

SHA512
8c48c18ce84cb73753ec378152dc2a0559af9151e9028b960a15e9022a939e82619dc6367a4d5adea11e5cdf0b241c5d6960939f6b076b94cd06ccfa283318aa

Download Submit
C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe

Filesize
388KB

MD5
2388b86456832170b3eb6f42e9d2fcb8

SHA1
12331749e4bb9d2eddccd156491d81ca65dce217

SHA256
239f4ec2953f6b962666817d79e64c781973d471edd2a539950e6b8dac7d62e8

SHA512
8c48c18ce84cb73753ec378152dc2a0559af9151e9028b960a15e9022a939e82619dc6367a4d5adea11e5cdf0b241c5d6960939f6b076b94cd06ccfa283318aa

Download Submit
C:\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe

Filesize
388KB

MD5
2388b86456832170b3eb6f42e9d2fcb8

SHA1
12331749e4bb9d2eddccd156491d81ca65dce217

SHA256
239f4ec2953f6b962666817d79e64c781973d471edd2a539950e6b8dac7d62e8

SHA512
8c48c18ce84cb73753ec378152dc2a0559af9151e9028b960a15e9022a939e82619dc6367a4d5adea11e5cdf0b241c5d6960939f6b076b94cd06ccfa283318aa

Download Submit
\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe

Filesize
388KB

MD5
2388b86456832170b3eb6f42e9d2fcb8

SHA1
12331749e4bb9d2eddccd156491d81ca65dce217

SHA256
239f4ec2953f6b962666817d79e64c781973d471edd2a539950e6b8dac7d62e8

SHA512
8c48c18ce84cb73753ec378152dc2a0559af9151e9028b960a15e9022a939e82619dc6367a4d5adea11e5cdf0b241c5d6960939f6b076b94cd06ccfa283318aa

Download Submit
\Users\Admin\AppData\Roaming\Ozeq\niyhf.exe

Filesize
388KB

MD5
2388b86456832170b3eb6f42e9d2fcb8

SHA1
12331749e4bb9d2eddccd156491d81ca65dce217

SHA256
239f4ec2953f6b962666817d79e64c781973d471edd2a539950e6b8dac7d62e8

SHA512
8c48c18ce84cb73753ec378152dc2a0559af9151e9028b960a15e9022a939e82619dc6367a4d5adea11e5cdf0b241c5d6960939f6b076b94cd06ccfa283318aa

Download Submit
memory/320-133-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/320-134-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/376-130-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/376-127-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/376-128-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/376-129-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/588-94-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1228-79-0x0000000000420000-0x000000000045B000-memory.dmp

Filesize
236KB

Download
memory/1228-80-0x0000000000420000-0x000000000045B000-memory.dmp

Filesize
236KB

Download
memory/1228-76-0x0000000000420000-0x000000000045B000-memory.dmp

Filesize
236KB

Download
memory/1228-78-0x0000000000420000-0x000000000045B000-memory.dmp

Filesize
236KB

Download
memory/1228-73-0x0000000000420000-0x000000000045B000-memory.dmp

Filesize
236KB

Download
memory/1308-83-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1308-84-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1308-86-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1308-87-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1352-123-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1352-122-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1352-121-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1352-124-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1360-92-0x00000000026D0000-0x000000000270B000-memory.dmp

Filesize
236KB

Download
memory/1360-93-0x00000000026D0000-0x000000000270B000-memory.dmp

Filesize
236KB

Download
memory/1360-90-0x00000000026D0000-0x000000000270B000-memory.dmp

Filesize
236KB

Download
memory/1360-91-0x00000000026D0000-0x000000000270B000-memory.dmp

Filesize
236KB

Download
memory/1564-117-0x0000000001CC0000-0x0000000001CFB000-memory.dmp

Filesize
236KB

Download
memory/1564-118-0x0000000001CC0000-0x0000000001CFB000-memory.dmp

Filesize
236KB

Download
memory/1564-115-0x0000000001CC0000-0x0000000001CFB000-memory.dmp

Filesize
236KB

Download
memory/1564-116-0x0000000001CC0000-0x0000000001CFB000-memory.dmp

Filesize
236KB

Download
memory/1696-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1696-59-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1696-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1696-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1840-98-0x0000000003B50000-0x0000000003B8B000-memory.dmp

Filesize
236KB

Download
memory/1840-100-0x0000000003B50000-0x0000000003B8B000-memory.dmp

Filesize
236KB

Download
memory/1840-99-0x0000000003B50000-0x0000000003B8B000-memory.dmp

Filesize
236KB

Download
memory/1840-97-0x0000000003B50000-0x0000000003B8B000-memory.dmp

Filesize
236KB

Download
memory/1888-104-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1888-103-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1888-105-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1888-106-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1948-109-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1948-110-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1948-111-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1948-112-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download