6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d

Analysis

max time kernel
151s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe
Size

299KB
MD5

67e90c38bf3d4f868cf1cc4a5f612230
SHA1

2da64c880e2329d66a2a7a4bd69de0b814ef32e9
SHA256

6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d
SHA512

0da010ce77dd30f18543b1c553bc3a47351fd43ecf73e78c381187e9ab9a8ba40029a5d120c8f34167d78a96a7a7e670460a0f0feaadb4449b39414913c692fe
SSDEEP

6144:63QqI/8IV7hSMzHjQ29jZ6rRzLoCHocb1mlA1W9fPtE6q7f8l:Ks/z4ujIRPocUlAz6qL8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1272	ogih.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe
912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ogih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ogih = "C:\\Users\\Admin\\AppData\\Roaming\\Dauz\\ogih.exe"	ogih.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe
1272	ogih.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1272	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	27
PID 912 wrote to memory of 1272	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	27
PID 912 wrote to memory of 1272	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	27
PID 912 wrote to memory of 1272	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	27
PID 1272 wrote to memory of 1092	1272	ogih.exe	17
PID 1272 wrote to memory of 1092	1272	ogih.exe	17
PID 1272 wrote to memory of 1092	1272	ogih.exe	17
PID 1272 wrote to memory of 1092	1272	ogih.exe	17
PID 1272 wrote to memory of 1092	1272	ogih.exe	17
PID 1272 wrote to memory of 1180	1272	ogih.exe	16
PID 1272 wrote to memory of 1180	1272	ogih.exe	16
PID 1272 wrote to memory of 1180	1272	ogih.exe	16
PID 1272 wrote to memory of 1180	1272	ogih.exe	16
PID 1272 wrote to memory of 1180	1272	ogih.exe	16
PID 1272 wrote to memory of 1208	1272	ogih.exe	15
PID 1272 wrote to memory of 1208	1272	ogih.exe	15
PID 1272 wrote to memory of 1208	1272	ogih.exe	15
PID 1272 wrote to memory of 1208	1272	ogih.exe	15
PID 1272 wrote to memory of 1208	1272	ogih.exe	15
PID 1272 wrote to memory of 912	1272	ogih.exe	21
PID 1272 wrote to memory of 912	1272	ogih.exe	21
PID 1272 wrote to memory of 912	1272	ogih.exe	21
PID 1272 wrote to memory of 912	1272	ogih.exe	21
PID 1272 wrote to memory of 912	1272	ogih.exe	21
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28
PID 912 wrote to memory of 1608	912	6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe
  "C:\Users\Admin\AppData\Local\Temp\6b85abceea814bac850a6dd9472816db90e1259919a0f206239ee123ae73cb7d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Roaming\Dauz\ogih.exe
    "C:\Users\Admin\AppData\Roaming\Dauz\ogih.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\LRQCD0C.bat"
    3⤵
    - Deletes itself
    PID:1608

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LRQCD0C.bat

Filesize
303B

MD5
880d6a402840ef38053421ce4b0925d3

SHA1
39301a5656fa4f8ce881891e04819c274220f663

SHA256
7cf401066ee6e8904338a71db692a0e4ca08343543d3645ee7c1f88cb0af7a1f

SHA512
5659cce62b1871ec0b5bce91531359d4feb336d667a76462dbd196588cd1b6b4aea3027acacb092bce81363f70d31d0befe652d4a291f53a6b51b98a7605a95c

Download Submit
C:\Users\Admin\AppData\Roaming\Dauz\ogih.exe

Filesize
299KB

MD5
0f99d2ed502e7c171cd564c26774682e

SHA1
b2ba5183cc0b1bff651db01468b6536bb15d83c3

SHA256
7981439b286b7db51311cc7239c2bde8917dad9e1595671e28a5b9555fe40be5

SHA512
48cbe671f4e70dc3918d7245a4561b4bdcae7578512d20804b7bfad7b571adfa4130f385a2f7c66c13a6e26f2a86ba9410725bfc2803ae59499d82e74d2f76f6

Download Submit
C:\Users\Admin\AppData\Roaming\Dauz\ogih.exe

Filesize
299KB

MD5
0f99d2ed502e7c171cd564c26774682e

SHA1
b2ba5183cc0b1bff651db01468b6536bb15d83c3

SHA256
7981439b286b7db51311cc7239c2bde8917dad9e1595671e28a5b9555fe40be5

SHA512
48cbe671f4e70dc3918d7245a4561b4bdcae7578512d20804b7bfad7b571adfa4130f385a2f7c66c13a6e26f2a86ba9410725bfc2803ae59499d82e74d2f76f6

Download Submit
\Users\Admin\AppData\Roaming\Dauz\ogih.exe

Filesize
299KB

MD5
0f99d2ed502e7c171cd564c26774682e

SHA1
b2ba5183cc0b1bff651db01468b6536bb15d83c3

SHA256
7981439b286b7db51311cc7239c2bde8917dad9e1595671e28a5b9555fe40be5

SHA512
48cbe671f4e70dc3918d7245a4561b4bdcae7578512d20804b7bfad7b571adfa4130f385a2f7c66c13a6e26f2a86ba9410725bfc2803ae59499d82e74d2f76f6

Download Submit
\Users\Admin\AppData\Roaming\Dauz\ogih.exe

Filesize
299KB

MD5
0f99d2ed502e7c171cd564c26774682e

SHA1
b2ba5183cc0b1bff651db01468b6536bb15d83c3

SHA256
7981439b286b7db51311cc7239c2bde8917dad9e1595671e28a5b9555fe40be5

SHA512
48cbe671f4e70dc3918d7245a4561b4bdcae7578512d20804b7bfad7b571adfa4130f385a2f7c66c13a6e26f2a86ba9410725bfc2803ae59499d82e74d2f76f6

Download Submit
memory/912-103-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/912-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/912-85-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/912-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/912-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/912-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/912-88-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/912-87-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/912-86-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/1092-68-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1092-70-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1092-65-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1092-67-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1092-69-0x0000000001CB0000-0x0000000001CF8000-memory.dmp

Filesize
288KB

Download
memory/1180-74-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1180-75-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1180-73-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1180-76-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1208-79-0x0000000002940000-0x0000000002988000-memory.dmp

Filesize
288KB

Download
memory/1208-80-0x0000000002940000-0x0000000002988000-memory.dmp

Filesize
288KB

Download
memory/1208-82-0x0000000002940000-0x0000000002988000-memory.dmp

Filesize
288KB

Download
memory/1208-81-0x0000000002940000-0x0000000002988000-memory.dmp

Filesize
288KB

Download
memory/1272-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1608-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1608-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1608-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1608-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1608-112-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1608-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download