Overview

overview

8

Static

static

8

3aa3908754...17.exe

windows7-x64

8

3aa3908754...17.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 13:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3aa39087540f43ff64e3cc720c1a457c6973cbf7bd3b65f58a8665234f489b17.exe

  • Size

    222KB

  • MD5

    6396fe234920a22a1484758ccd00fba0

  • SHA1

    cec8df87025f0d1e94d70a5f6ae00e19b810c4b4

  • SHA256

    3aa39087540f43ff64e3cc720c1a457c6973cbf7bd3b65f58a8665234f489b17

  • SHA512

    06b7649f7af54df42cde18e64ab15036887a4581b0666ab7bf50b6a3b7887dbe4205044c882427119c3849317a2985117ca34f4c2c8b79046dfe9be8bd8ae843

  • SSDEEP

    6144:WI8ujnboSeL3WexPtoPYStiAfCeNU7nyREO46IRHKbEp:J8uLboSeLWGsdZNWqgp

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\3aa39087540f43ff64e3cc720c1a457c6973cbf7bd3b65f58a8665234f489b17.exe
        "C:\Users\Admin\AppData\Local\Temp\3aa39087540f43ff64e3cc720c1a457c6973cbf7bd3b65f58a8665234f489b17.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Users\Admin\AppData\Roaming\Orhog\xyiq.exe
          "C:\Users\Admin\AppData\Roaming\Orhog\xyiq.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp20ea406b.bat"
          3⤵
          • Deletes itself
          • Suspicious use of AdjustPrivilegeToken
          PID:856
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1220
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1128
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
          1⤵
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:900
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:556
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "-1847995657-17564191599973015801259005137-1909834138540077682891479965-1291545244"
            1⤵
              PID:1848
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1800
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1796
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  1⤵
                    PID:1136
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                    1⤵
                      PID:1736
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                      1⤵
                        PID:1644

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\tmp20ea406b.bat
                              Filesize

                              307B

                              MD5

                              4de36e52b7af9399aa56b4e90a2e5b00

                              SHA1

                              564ab190bfac7975f09efb84b745ee825dfbf913

                              SHA256

                              da4d014b3d0138dd072870e6a5ac70e3d5bb6ed768d159f3c5ebc1d5a6bdc0fd

                              SHA512

                              365f0d61040fdb2fb1d9f5d2784ed619d36cee5f6f34f4985c8a19f96104f5cf1bcbb20cc6e0078dd866abf632cabff605810d653a2348c475b3c2253a96e079

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Modyet\egva.pev
                              Filesize

                              4KB

                              MD5

                              7df5fc1e37c455d6aba9a82f8c788984

                              SHA1

                              4886b3db69f0c711f2ae0679c12494ead69f8f85

                              SHA256

                              93d68d289385293c2a09c60df5fb087f31990c7ee9bd3f580345ddce6e629e07

                              SHA512

                              d66cc7831027786106ed184df37969e2312a6e39c7802bb07118557d3ebcacfb0d6f36854a578f3fca7ee330ef8f944d1e115268fd1a4ef31d97866d701569de

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Orhog\xyiq.exe
                              Filesize

                              222KB

                              MD5

                              918732b643666f32811f535a52976ea3

                              SHA1

                              ee625733a4aae5f910f4ee8627e21904c34c1a8d

                              SHA256

                              05a6ae8ee4f515af5f37dcb2fbf2de0c71e0952509b184d5d9781333abd26089

                              SHA512

                              1052b50bd359cd77d325510ecb1c4461bdf76caf0ddf5acd2655266effa6886536b9c37a47b202ee5b06549986171e27f9129d6ae72409d3fa910620603794aa

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Orhog\xyiq.exe
                              Filesize

                              222KB

                              MD5

                              918732b643666f32811f535a52976ea3

                              SHA1

                              ee625733a4aae5f910f4ee8627e21904c34c1a8d

                              SHA256

                              05a6ae8ee4f515af5f37dcb2fbf2de0c71e0952509b184d5d9781333abd26089

                              SHA512

                              1052b50bd359cd77d325510ecb1c4461bdf76caf0ddf5acd2655266effa6886536b9c37a47b202ee5b06549986171e27f9129d6ae72409d3fa910620603794aa

                              Download Submit

                            • \Users\Admin\AppData\Roaming\Orhog\xyiq.exe
                              Filesize

                              222KB

                              MD5

                              918732b643666f32811f535a52976ea3

                              SHA1

                              ee625733a4aae5f910f4ee8627e21904c34c1a8d

                              SHA256

                              05a6ae8ee4f515af5f37dcb2fbf2de0c71e0952509b184d5d9781333abd26089

                              SHA512

                              1052b50bd359cd77d325510ecb1c4461bdf76caf0ddf5acd2655266effa6886536b9c37a47b202ee5b06549986171e27f9129d6ae72409d3fa910620603794aa

                              Download Submit

                            • \Users\Admin\AppData\Roaming\Orhog\xyiq.exe
                              Filesize

                              222KB

                              MD5

                              918732b643666f32811f535a52976ea3

                              SHA1

                              ee625733a4aae5f910f4ee8627e21904c34c1a8d

                              SHA256

                              05a6ae8ee4f515af5f37dcb2fbf2de0c71e0952509b184d5d9781333abd26089

                              SHA512

                              1052b50bd359cd77d325510ecb1c4461bdf76caf0ddf5acd2655266effa6886536b9c37a47b202ee5b06549986171e27f9129d6ae72409d3fa910620603794aa

                              Download Submit

                            • memory/824-120-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-122-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-274-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-273-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-272-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-271-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-264-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-90-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/824-121-0x00000000030C0000-0x0000000003115000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/856-249-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-131-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-129-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-127-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-125-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-133-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-135-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-275-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-119-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-118-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-117-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-277-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/856-115-0x0000000000050000-0x0000000000092000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/900-94-0x0000000002360000-0x0000000002370000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/900-92-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/900-93-0x000007FEF62E1000-0x000007FEF62E3000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/900-100-0x0000000002490000-0x00000000024A0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/900-111-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/900-110-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/900-109-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/900-108-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1128-66-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1128-63-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1128-65-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1128-67-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1128-68-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1220-74-0x0000000001D40000-0x0000000001D82000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1220-71-0x0000000001D40000-0x0000000001D82000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1220-72-0x0000000001D40000-0x0000000001D82000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1220-73-0x0000000001D40000-0x0000000001D82000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1272-80-0x00000000029C0000-0x0000000002A02000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1272-79-0x00000000029C0000-0x0000000002A02000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1272-78-0x00000000029C0000-0x0000000002A02000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1272-77-0x00000000029C0000-0x0000000002A02000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-91-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/1408-83-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-84-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-250-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/1408-251-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-85-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-86-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-87-0x0000000000350000-0x0000000000392000-memory.dmp

                              Filesize

                              264KB

                              Download

                            • memory/1408-88-0x0000000000350000-0x00000000003A5000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/1408-89-0x0000000000350000-0x00000000003A5000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/1408-56-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/1408-55-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download