9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710

Analysis

max time kernel
154s
max time network
181s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe
Size

321KB
MD5

436230e12169baa1409256b04baccd0a
SHA1

3fc12cbc6a9d86459f34c496c19176c29cd47716
SHA256

9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710
SHA512

44737125dbbedea17362095717765d73ccffed99934fd6a1aa1175a2131e2edda9ae695eb0c1660e9fb38d593f0c2fbe7c2e243f756ec37713ec7896382abecc
SSDEEP

6144:n/38eaNr4x2EwrICAwRpbLNjZTXDs+DY+6QrTakwsg90PtT:n/haNkwICAwDBjZ7maa6g90

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	puso.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	puso.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Ofke\\puso.exe"	puso.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe
948	puso.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe
948	puso.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 948	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	27
PID 1636 wrote to memory of 948	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	27
PID 1636 wrote to memory of 948	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	27
PID 1636 wrote to memory of 948	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	27
PID 948 wrote to memory of 1240	948	puso.exe	10
PID 948 wrote to memory of 1240	948	puso.exe	10
PID 948 wrote to memory of 1240	948	puso.exe	10
PID 948 wrote to memory of 1240	948	puso.exe	10
PID 948 wrote to memory of 1240	948	puso.exe	10
PID 948 wrote to memory of 1340	948	puso.exe	9
PID 948 wrote to memory of 1340	948	puso.exe	9
PID 948 wrote to memory of 1340	948	puso.exe	9
PID 948 wrote to memory of 1340	948	puso.exe	9
PID 948 wrote to memory of 1340	948	puso.exe	9
PID 948 wrote to memory of 1380	948	puso.exe	8
PID 948 wrote to memory of 1380	948	puso.exe	8
PID 948 wrote to memory of 1380	948	puso.exe	8
PID 948 wrote to memory of 1380	948	puso.exe	8
PID 948 wrote to memory of 1380	948	puso.exe	8
PID 948 wrote to memory of 1636	948	puso.exe	5
PID 948 wrote to memory of 1636	948	puso.exe	5
PID 948 wrote to memory of 1636	948	puso.exe	5
PID 948 wrote to memory of 1636	948	puso.exe	5
PID 948 wrote to memory of 1636	948	puso.exe	5
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28
PID 1636 wrote to memory of 1716	1636	9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe	28

C:\Users\Admin\AppData\Local\Temp\9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe
"C:\Users\Admin\AppData\Local\Temp\9d3263383d5e01fae72a7a54dd6cdc72954d426bf253ac3eaab09ca0edd4e710.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Roaming\Ofke\puso.exe
  "C:\Users\Admin\AppData\Roaming\Ofke\puso.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4a103607.bat"
  2⤵
  - Deletes itself
  PID:1716

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4a103607.bat

Filesize
307B

MD5
37e8a90fa22d5be848ff18fe245146ee

SHA1
f5b3f9d798aa8d83fd1d9d15673b0b3bf34fd40c

SHA256
9e995542e15638e9a18f0a4ae118579382108a9ac6c4c864c36ddd83e1266886

SHA512
0033ba522062f1b0bbd20764802212a178d2e8b0ddc32b97cbf44975f44c5cb03d78dae3b111238f144001ca9d2dec144c6b78333ce7e7c6d3924fe5a3dc9aed

Download Submit
C:\Users\Admin\AppData\Roaming\Ofke\puso.exe

Filesize
321KB

MD5
1c12242403bc2fadcbdd2e999adf4344

SHA1
1f878e7d0deb99c36c233c5931fb10f65046e34e

SHA256
6b3b8968f0765f2826368dc59c482df2545aa2eaf891cdd14cb4da2a9e6b38b5

SHA512
e86faa8d9c7d37019de08801e93f4298c434d3190a658f11cb892cb56bc4a20de74eef97a4cc619b0cb02955fa914dcb01386bd13a268f1ee4c9b0d3f4fd655a

Download Submit
C:\Users\Admin\AppData\Roaming\Ofke\puso.exe

Filesize
321KB

MD5
1c12242403bc2fadcbdd2e999adf4344

SHA1
1f878e7d0deb99c36c233c5931fb10f65046e34e

SHA256
6b3b8968f0765f2826368dc59c482df2545aa2eaf891cdd14cb4da2a9e6b38b5

SHA512
e86faa8d9c7d37019de08801e93f4298c434d3190a658f11cb892cb56bc4a20de74eef97a4cc619b0cb02955fa914dcb01386bd13a268f1ee4c9b0d3f4fd655a

Download Submit
\Users\Admin\AppData\Roaming\Ofke\puso.exe

Filesize
321KB

MD5
1c12242403bc2fadcbdd2e999adf4344

SHA1
1f878e7d0deb99c36c233c5931fb10f65046e34e

SHA256
6b3b8968f0765f2826368dc59c482df2545aa2eaf891cdd14cb4da2a9e6b38b5

SHA512
e86faa8d9c7d37019de08801e93f4298c434d3190a658f11cb892cb56bc4a20de74eef97a4cc619b0cb02955fa914dcb01386bd13a268f1ee4c9b0d3f4fd655a

Download Submit
memory/948-117-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-58-0x0000000000000000-mapping.dmp

Download
memory/948-113-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-114-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/948-115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1240-66-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1240-67-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1240-65-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1240-64-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1240-62-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1340-73-0x0000000001BD0000-0x0000000001C17000-memory.dmp

Filesize
284KB

Download
memory/1380-76-0x0000000002700000-0x0000000002747000-memory.dmp

Filesize
284KB

Download
memory/1380-77-0x0000000002700000-0x0000000002747000-memory.dmp

Filesize
284KB

Download
memory/1380-78-0x0000000002700000-0x0000000002747000-memory.dmp

Filesize
284KB

Download
memory/1380-79-0x0000000002700000-0x0000000002747000-memory.dmp

Filesize
284KB

Download
memory/1636-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1636-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-85-0x00000000006D0000-0x0000000000717000-memory.dmp

Filesize
284KB

Download
memory/1636-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-82-0x00000000006D0000-0x0000000000717000-memory.dmp

Filesize
284KB

Download
memory/1636-83-0x00000000006D0000-0x0000000000717000-memory.dmp

Filesize
284KB

Download
memory/1636-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-101-0x00000000002B0000-0x0000000000300000-memory.dmp

Filesize
320KB

Download
memory/1636-102-0x00000000006D0000-0x0000000000717000-memory.dmp

Filesize
284KB

Download
memory/1636-84-0x00000000006D0000-0x0000000000717000-memory.dmp

Filesize
284KB

Download
memory/1716-96-0x0000000000090000-0x00000000000D7000-memory.dmp

Filesize
284KB

Download
memory/1716-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-112-0x0000000000090000-0x00000000000D7000-memory.dmp

Filesize
284KB

Download
memory/1716-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1716-99-0x00000000000A02A5-mapping.dmp

Download
memory/1716-98-0x0000000000090000-0x00000000000D7000-memory.dmp

Filesize
284KB

Download
memory/1716-97-0x0000000000090000-0x00000000000D7000-memory.dmp

Filesize
284KB

Download
memory/1716-94-0x0000000000090000-0x00000000000D7000-memory.dmp

Filesize
284KB

Download