7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325

Analysis

max time kernel
154s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe
Size

291KB
MD5

719e9ac862ed0daf84d3b63caea86090
SHA1

40ecfacfec7565fc06a81b084032487d4b9af3cd
SHA256

7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325
SHA512

f1127766fe9bbf01235d4a8088ef47595413f509f4c9ec797e45162130552488d992c417fdf191dbdbd0b20d381114b8d0e1845d8cf43a97afbfade968616e25
SSDEEP

6144:S+yv3oO1yhEn/sA2/bgVPEid5pV7Ib8rINuDC75d1Y+VCV+UZ:wzn/sHoPJJ7VC75oc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	ufud.exe

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe
1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	ufud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ufud = "C:\\Users\\Admin\\AppData\\Roaming\\Owykix\\ufud.exe"	ufud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe
1724	ufud.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1724	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	28
PID 1976 wrote to memory of 1724	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	28
PID 1976 wrote to memory of 1724	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	28
PID 1976 wrote to memory of 1724	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	28
PID 1724 wrote to memory of 1128	1724	ufud.exe	17
PID 1724 wrote to memory of 1128	1724	ufud.exe	17
PID 1724 wrote to memory of 1128	1724	ufud.exe	17
PID 1724 wrote to memory of 1128	1724	ufud.exe	17
PID 1724 wrote to memory of 1128	1724	ufud.exe	17
PID 1724 wrote to memory of 1192	1724	ufud.exe	16
PID 1724 wrote to memory of 1192	1724	ufud.exe	16
PID 1724 wrote to memory of 1192	1724	ufud.exe	16
PID 1724 wrote to memory of 1192	1724	ufud.exe	16
PID 1724 wrote to memory of 1192	1724	ufud.exe	16
PID 1724 wrote to memory of 1268	1724	ufud.exe	15
PID 1724 wrote to memory of 1268	1724	ufud.exe	15
PID 1724 wrote to memory of 1268	1724	ufud.exe	15
PID 1724 wrote to memory of 1268	1724	ufud.exe	15
PID 1724 wrote to memory of 1268	1724	ufud.exe	15
PID 1724 wrote to memory of 1976	1724	ufud.exe	20
PID 1724 wrote to memory of 1976	1724	ufud.exe	20
PID 1724 wrote to memory of 1976	1724	ufud.exe	20
PID 1724 wrote to memory of 1976	1724	ufud.exe	20
PID 1724 wrote to memory of 1976	1724	ufud.exe	20
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29
PID 1976 wrote to memory of 824	1976	7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe
  "C:\Users\Admin\AppData\Local\Temp\7ac12ae32975fc07735005ae239312471e2cbc17fc0cebb502235b73d41d3325.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Owykix\ufud.exe
    "C:\Users\Admin\AppData\Roaming\Owykix\ufud.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PLJE0E9.bat"
    3⤵
    - Deletes itself
    PID:824

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PLJE0E9.bat

Filesize
303B

MD5
479d31aad32feb1ce398c8ac0a37a111

SHA1
31d5ad776635a683af65bb7577a65b3634e709a1

SHA256
9c3a86a9a5c64f7873b10ef543b14e5c732f42de84466d17d044b429c9d896d8

SHA512
fcb57a6f432a1702f08c0a71b8a7a6b48a051571462d49eeb6bb71cae287ecbe7569c0d740678ef39c9957bb2283637bc03192af3a8508734bb5329b7bbbb1d2

Download Submit
C:\Users\Admin\AppData\Roaming\Owykix\ufud.exe

Filesize
291KB

MD5
43a694101c8ac8ace3d52bae86dea1ef

SHA1
70113a1b4fd8fcb2c8aadeac378d15b388a5d211

SHA256
67ee6c55c4ded92477d214b70be29baea4f116e986274cb3a0e8db6e58aae4d4

SHA512
de136bd7cadadc05b8104f823e34ac4d2044254a5e30134009b49063ae8f23647ca518e63392c6b9805f4b62d0d83c13a051d389c7268042b2704a0b48bf39cc

Download Submit
C:\Users\Admin\AppData\Roaming\Owykix\ufud.exe

Filesize
291KB

MD5
43a694101c8ac8ace3d52bae86dea1ef

SHA1
70113a1b4fd8fcb2c8aadeac378d15b388a5d211

SHA256
67ee6c55c4ded92477d214b70be29baea4f116e986274cb3a0e8db6e58aae4d4

SHA512
de136bd7cadadc05b8104f823e34ac4d2044254a5e30134009b49063ae8f23647ca518e63392c6b9805f4b62d0d83c13a051d389c7268042b2704a0b48bf39cc

Download Submit
\Users\Admin\AppData\Roaming\Owykix\ufud.exe

Filesize
291KB

MD5
43a694101c8ac8ace3d52bae86dea1ef

SHA1
70113a1b4fd8fcb2c8aadeac378d15b388a5d211

SHA256
67ee6c55c4ded92477d214b70be29baea4f116e986274cb3a0e8db6e58aae4d4

SHA512
de136bd7cadadc05b8104f823e34ac4d2044254a5e30134009b49063ae8f23647ca518e63392c6b9805f4b62d0d83c13a051d389c7268042b2704a0b48bf39cc

Download Submit
\Users\Admin\AppData\Roaming\Owykix\ufud.exe

Filesize
291KB

MD5
43a694101c8ac8ace3d52bae86dea1ef

SHA1
70113a1b4fd8fcb2c8aadeac378d15b388a5d211

SHA256
67ee6c55c4ded92477d214b70be29baea4f116e986274cb3a0e8db6e58aae4d4

SHA512
de136bd7cadadc05b8104f823e34ac4d2044254a5e30134009b49063ae8f23647ca518e63392c6b9805f4b62d0d83c13a051d389c7268042b2704a0b48bf39cc

Download Submit
memory/824-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-112-0x00000000000A0000-0x00000000000E8000-memory.dmp

Filesize
288KB

Download
memory/824-97-0x00000000000A0000-0x00000000000E8000-memory.dmp

Filesize
288KB

Download
memory/824-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-101-0x00000000000A0000-0x00000000000E8000-memory.dmp

Filesize
288KB

Download
memory/824-99-0x00000000000A0000-0x00000000000E8000-memory.dmp

Filesize
288KB

Download
memory/824-100-0x00000000000A0000-0x00000000000E8000-memory.dmp

Filesize
288KB

Download
memory/1128-69-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1128-70-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1128-67-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1128-68-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1128-65-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1192-76-0x0000000001C00000-0x0000000001C48000-memory.dmp

Filesize
288KB

Download
memory/1192-73-0x0000000001C00000-0x0000000001C48000-memory.dmp

Filesize
288KB

Download
memory/1192-74-0x0000000001C00000-0x0000000001C48000-memory.dmp

Filesize
288KB

Download
memory/1192-75-0x0000000001C00000-0x0000000001C48000-memory.dmp

Filesize
288KB

Download
memory/1268-82-0x0000000002610000-0x0000000002658000-memory.dmp

Filesize
288KB

Download
memory/1268-80-0x0000000002610000-0x0000000002658000-memory.dmp

Filesize
288KB

Download
memory/1268-81-0x0000000002610000-0x0000000002658000-memory.dmp

Filesize
288KB

Download
memory/1268-79-0x0000000002610000-0x0000000002658000-memory.dmp

Filesize
288KB

Download
memory/1724-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1976-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-103-0x0000000001E30000-0x0000000001E78000-memory.dmp

Filesize
288KB

Download
memory/1976-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1976-88-0x0000000001E30000-0x0000000001E78000-memory.dmp

Filesize
288KB

Download
memory/1976-87-0x0000000001E30000-0x0000000001E78000-memory.dmp

Filesize
288KB

Download
memory/1976-86-0x0000000001E30000-0x0000000001E78000-memory.dmp

Filesize
288KB

Download
memory/1976-85-0x0000000001E30000-0x0000000001E78000-memory.dmp

Filesize
288KB

Download
memory/1976-56-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1976-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download