7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc

Analysis

max time kernel
189s
max time network
185s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe
Size

303KB
MD5

6dc2bef1f55511eb0ba1f9ee37501a60
SHA1

4fa3ab3cd078d9a406019093be589027ffdfe43b
SHA256

7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc
SHA512

74a82ebf9aa07518c6769905d8dcb69f64b726ba667146424173b92042e7fbdcc0e67cebb40dc0d46f532c1fe7e2bcdc37725a26709879d1feb3b142eca51d21
SSDEEP

6144:yrnMzbLZKhBlT6cNfIQoskb/P5XY3jWCi4pb74b3uSa6dEDlwY:yYjEhB93fIQ5+35e3pbUb3Q66lw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
960	xoruri.exe

Deletes itself 1 IoCs

pid	Process
636	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe
1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Fatayx\\xoruri.exe"	xoruri.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	xoruri.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe
960	xoruri.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 960	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	27
PID 1488 wrote to memory of 960	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	27
PID 1488 wrote to memory of 960	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	27
PID 1488 wrote to memory of 960	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	27
PID 960 wrote to memory of 1228	960	xoruri.exe	17
PID 960 wrote to memory of 1228	960	xoruri.exe	17
PID 960 wrote to memory of 1228	960	xoruri.exe	17
PID 960 wrote to memory of 1228	960	xoruri.exe	17
PID 960 wrote to memory of 1228	960	xoruri.exe	17
PID 960 wrote to memory of 1316	960	xoruri.exe	16
PID 960 wrote to memory of 1316	960	xoruri.exe	16
PID 960 wrote to memory of 1316	960	xoruri.exe	16
PID 960 wrote to memory of 1316	960	xoruri.exe	16
PID 960 wrote to memory of 1316	960	xoruri.exe	16
PID 960 wrote to memory of 1360	960	xoruri.exe	15
PID 960 wrote to memory of 1360	960	xoruri.exe	15
PID 960 wrote to memory of 1360	960	xoruri.exe	15
PID 960 wrote to memory of 1360	960	xoruri.exe	15
PID 960 wrote to memory of 1360	960	xoruri.exe	15
PID 960 wrote to memory of 1488	960	xoruri.exe	22
PID 960 wrote to memory of 1488	960	xoruri.exe	22
PID 960 wrote to memory of 1488	960	xoruri.exe	22
PID 960 wrote to memory of 1488	960	xoruri.exe	22
PID 960 wrote to memory of 1488	960	xoruri.exe	22
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28
PID 1488 wrote to memory of 636	1488	7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe
  "C:\Users\Admin\AppData\Local\Temp\7c99268cdcf67615f9777e9957b1ef5da529e809caca880f54ae4682654548dc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe
    "C:\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0035bd6f.bat"
    3⤵
    - Deletes itself
    PID:636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0035bd6f.bat

Filesize
307B

MD5
5cf80aa50801138c0682a6c997d0fd96

SHA1
679d548e0750c0d2d2ae171d13b6f2b22dbc05e3

SHA256
263b5421f0ce63e917fa6bc6e37c006f574e635e8806fed7ea9a6f0a17756004

SHA512
f470ae7d2c091acf7d2d08c846d59d5c1beee4b0082777f8b6ce61f1d5170710e79aeec953b2876c6903398446ce428bf1bbc0d32fce5535a1629f908dba1f41

Download Submit
C:\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe

Filesize
303KB

MD5
e9797d39ac052f48c915064cb63e7b52

SHA1
e1b139d478b5a6c91d99bd346c499f12c9bbdb3e

SHA256
f48765375a0f40e3445aaf556b25e6ff0bb2a69fdb40c127ca20250d8753aa57

SHA512
fe56db402871af884a8bcc6befc0c351a1f80d32ee146f334ef8af04b4f5e302d0279aff165336712f3ceba26acd9b89a669fb5373b1d8a8c2a849576af1818d

Download Submit
C:\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe

Filesize
303KB

MD5
e9797d39ac052f48c915064cb63e7b52

SHA1
e1b139d478b5a6c91d99bd346c499f12c9bbdb3e

SHA256
f48765375a0f40e3445aaf556b25e6ff0bb2a69fdb40c127ca20250d8753aa57

SHA512
fe56db402871af884a8bcc6befc0c351a1f80d32ee146f334ef8af04b4f5e302d0279aff165336712f3ceba26acd9b89a669fb5373b1d8a8c2a849576af1818d

Download Submit
\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe

Filesize
303KB

MD5
e9797d39ac052f48c915064cb63e7b52

SHA1
e1b139d478b5a6c91d99bd346c499f12c9bbdb3e

SHA256
f48765375a0f40e3445aaf556b25e6ff0bb2a69fdb40c127ca20250d8753aa57

SHA512
fe56db402871af884a8bcc6befc0c351a1f80d32ee146f334ef8af04b4f5e302d0279aff165336712f3ceba26acd9b89a669fb5373b1d8a8c2a849576af1818d

Download Submit
\Users\Admin\AppData\Roaming\Fatayx\xoruri.exe

Filesize
303KB

MD5
e9797d39ac052f48c915064cb63e7b52

SHA1
e1b139d478b5a6c91d99bd346c499f12c9bbdb3e

SHA256
f48765375a0f40e3445aaf556b25e6ff0bb2a69fdb40c127ca20250d8753aa57

SHA512
fe56db402871af884a8bcc6befc0c351a1f80d32ee146f334ef8af04b4f5e302d0279aff165336712f3ceba26acd9b89a669fb5373b1d8a8c2a849576af1818d

Download Submit
memory/636-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/636-114-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/636-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/636-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/636-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/636-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1228-69-0x0000000001CA0000-0x0000000001CE8000-memory.dmp

Filesize
288KB

Download
memory/1228-65-0x0000000001CA0000-0x0000000001CE8000-memory.dmp

Filesize
288KB

Download
memory/1228-67-0x0000000001CA0000-0x0000000001CE8000-memory.dmp

Filesize
288KB

Download
memory/1228-68-0x0000000001CA0000-0x0000000001CE8000-memory.dmp

Filesize
288KB

Download
memory/1228-70-0x0000000001CA0000-0x0000000001CE8000-memory.dmp

Filesize
288KB

Download
memory/1316-76-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1316-73-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1316-74-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1316-75-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1360-81-0x0000000002160000-0x00000000021A8000-memory.dmp

Filesize
288KB

Download
memory/1360-80-0x0000000002160000-0x00000000021A8000-memory.dmp

Filesize
288KB

Download
memory/1360-79-0x0000000002160000-0x00000000021A8000-memory.dmp

Filesize
288KB

Download
memory/1360-82-0x0000000002160000-0x00000000021A8000-memory.dmp

Filesize
288KB

Download
memory/1488-104-0x00000000021E0000-0x0000000002228000-memory.dmp

Filesize
288KB

Download
memory/1488-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-101-0x00000000021E0000-0x000000000222E000-memory.dmp

Filesize
312KB

Download
memory/1488-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-88-0x00000000021E0000-0x0000000002228000-memory.dmp

Filesize
288KB

Download
memory/1488-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1488-87-0x00000000021E0000-0x0000000002228000-memory.dmp

Filesize
288KB

Download
memory/1488-86-0x00000000021E0000-0x0000000002228000-memory.dmp

Filesize
288KB

Download
memory/1488-85-0x00000000021E0000-0x0000000002228000-memory.dmp

Filesize
288KB

Download
memory/1488-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1488-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download