e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe
Size

297KB
MD5

6aea899bd235c0c0a72138aaf2b01c46
SHA1

c14aada908fa6fc8318290ff7c10862e88f8eda7
SHA256

e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4
SHA512

28778cfbfc25dc7922db9d64c4bdb2ceefd4ea17e749be842a0ff255a69eca3ad9fd9ac3de4e49a7b107f28f89e648721a29ac086cea9618248d73bb5137570d
SSDEEP

6144:/yVr8Qy0LNkK6AEHRdQrfuZzEXt8kqu+OyQGX8V9sms8+Y:Qyz3dlZa8kqX2GM9d/b

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	alufo.exe

Deletes itself 1 IoCs

pid	Process
664	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe
544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	alufo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Alufo = "C:\\Users\\Admin\\AppData\\Roaming\\Kosoi\\alufo.exe"	alufo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe
1984	alufo.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1984	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	26
PID 544 wrote to memory of 1984	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	26
PID 544 wrote to memory of 1984	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	26
PID 544 wrote to memory of 1984	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	26
PID 1984 wrote to memory of 1244	1984	alufo.exe	18
PID 1984 wrote to memory of 1244	1984	alufo.exe	18
PID 1984 wrote to memory of 1244	1984	alufo.exe	18
PID 1984 wrote to memory of 1244	1984	alufo.exe	18
PID 1984 wrote to memory of 1244	1984	alufo.exe	18
PID 1984 wrote to memory of 1328	1984	alufo.exe	12
PID 1984 wrote to memory of 1328	1984	alufo.exe	12
PID 1984 wrote to memory of 1328	1984	alufo.exe	12
PID 1984 wrote to memory of 1328	1984	alufo.exe	12
PID 1984 wrote to memory of 1328	1984	alufo.exe	12
PID 1984 wrote to memory of 1352	1984	alufo.exe	17
PID 1984 wrote to memory of 1352	1984	alufo.exe	17
PID 1984 wrote to memory of 1352	1984	alufo.exe	17
PID 1984 wrote to memory of 1352	1984	alufo.exe	17
PID 1984 wrote to memory of 1352	1984	alufo.exe	17
PID 1984 wrote to memory of 544	1984	alufo.exe	25
PID 1984 wrote to memory of 544	1984	alufo.exe	25
PID 1984 wrote to memory of 544	1984	alufo.exe	25
PID 1984 wrote to memory of 544	1984	alufo.exe	25
PID 1984 wrote to memory of 544	1984	alufo.exe	25
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27
PID 544 wrote to memory of 664	544	e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe	27

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\e29532d67152213dcf65a08aeaff9035c08adfe54f2f0c609dddf54c4b912ee4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\Kosoi\alufo.exe
    "C:\Users\Admin\AppData\Roaming\Kosoi\alufo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\NGDE23B.bat"
    3⤵
    - Deletes itself
    PID:664

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NGDE23B.bat

Filesize
303B

MD5
5dd11c368f64693d25d801eec1d90ad2

SHA1
95960f316146c8c1b49d4fb97f0964dd46544373

SHA256
da541b8b8c3c71e33516fd458501b544a560eae0c109abc82bde71e22bada1f3

SHA512
c398d16577651d0658bedc4677fd156ad670a552440f4e514d42cb80bf67eb8ac365999dc64fcdcbd76096497afd49dd6d603ea8bffcda3cd213b5838a23faf3

Download Submit
C:\Users\Admin\AppData\Roaming\Kosoi\alufo.exe

Filesize
297KB

MD5
5d49f164f79e06ae9736bd7499389dcd

SHA1
e2fa9a2aa991e3c8bd2a9cd5bb49dd4c7a6919b0

SHA256
7a2000129b457464cf2e4faf4121cde1311b376e1212f362f06b73f5968941bc

SHA512
8566452426866c049cfe038b9a46991e79a8aabe5ff5607edc1fa9dc87158bc72cf0423a8eaf94acd5aa3835a87b58ce8d140edb1a165dc1e2a16a26033ff695

Download Submit
C:\Users\Admin\AppData\Roaming\Kosoi\alufo.exe

Filesize
297KB

MD5
5d49f164f79e06ae9736bd7499389dcd

SHA1
e2fa9a2aa991e3c8bd2a9cd5bb49dd4c7a6919b0

SHA256
7a2000129b457464cf2e4faf4121cde1311b376e1212f362f06b73f5968941bc

SHA512
8566452426866c049cfe038b9a46991e79a8aabe5ff5607edc1fa9dc87158bc72cf0423a8eaf94acd5aa3835a87b58ce8d140edb1a165dc1e2a16a26033ff695

Download Submit
\Users\Admin\AppData\Roaming\Kosoi\alufo.exe

Filesize
297KB

MD5
5d49f164f79e06ae9736bd7499389dcd

SHA1
e2fa9a2aa991e3c8bd2a9cd5bb49dd4c7a6919b0

SHA256
7a2000129b457464cf2e4faf4121cde1311b376e1212f362f06b73f5968941bc

SHA512
8566452426866c049cfe038b9a46991e79a8aabe5ff5607edc1fa9dc87158bc72cf0423a8eaf94acd5aa3835a87b58ce8d140edb1a165dc1e2a16a26033ff695

Download Submit
\Users\Admin\AppData\Roaming\Kosoi\alufo.exe

Filesize
297KB

MD5
5d49f164f79e06ae9736bd7499389dcd

SHA1
e2fa9a2aa991e3c8bd2a9cd5bb49dd4c7a6919b0

SHA256
7a2000129b457464cf2e4faf4121cde1311b376e1212f362f06b73f5968941bc

SHA512
8566452426866c049cfe038b9a46991e79a8aabe5ff5607edc1fa9dc87158bc72cf0423a8eaf94acd5aa3835a87b58ce8d140edb1a165dc1e2a16a26033ff695

Download Submit
memory/544-103-0x00000000023B0000-0x00000000023F8000-memory.dmp

Filesize
288KB

Download
memory/544-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/544-86-0x00000000023B0000-0x00000000023F8000-memory.dmp

Filesize
288KB

Download
memory/544-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/544-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/544-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/544-88-0x00000000023B0000-0x00000000023F8000-memory.dmp

Filesize
288KB

Download
memory/544-87-0x00000000023B0000-0x00000000023F8000-memory.dmp

Filesize
288KB

Download
memory/544-85-0x00000000023B0000-0x00000000023F8000-memory.dmp

Filesize
288KB

Download
memory/664-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/664-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/664-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/664-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/664-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/664-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1244-67-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/1244-65-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/1244-68-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/1244-69-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/1244-70-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/1328-74-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1328-73-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1328-75-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1328-76-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1352-81-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/1352-82-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/1352-79-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/1352-80-0x0000000002670000-0x00000000026B8000-memory.dmp

Filesize
288KB

Download
memory/1984-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download