9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e

Analysis

max time kernel
151s
max time network
171s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe
Size

350KB
MD5

01fe1c04bcc2ca15d32bffa0158f9b20
SHA1

e6ad82b5e6bc08bcf328cb148d10da88ad0055f2
SHA256

9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e
SHA512

a230cc17da8d7fc188a9af871390c9220d2d7924d2e9feb20d784b573fb84a7674984ce96d24975fe3f560ed481b00ff1a7307cec03aabe8c061cc9cd876df6d
SSDEEP

6144:s7Yn9jgZngovqAHaxOp6W6teumW+XGccIuZENT3rdp3N:skpgZ7vwxH/PmDXkIhp3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	kounw.exe

Deletes itself 1 IoCs

pid	Process
1340	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	kounw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ojov\\kounw.exe"	kounw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe
1312	kounw.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe
1312	kounw.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1312	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	28
PID 880 wrote to memory of 1312	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	28
PID 880 wrote to memory of 1312	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	28
PID 880 wrote to memory of 1312	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	28
PID 1312 wrote to memory of 1192	1312	kounw.exe	14
PID 1312 wrote to memory of 1192	1312	kounw.exe	14
PID 1312 wrote to memory of 1192	1312	kounw.exe	14
PID 1312 wrote to memory of 1192	1312	kounw.exe	14
PID 1312 wrote to memory of 1192	1312	kounw.exe	14
PID 1312 wrote to memory of 1220	1312	kounw.exe	13
PID 1312 wrote to memory of 1220	1312	kounw.exe	13
PID 1312 wrote to memory of 1220	1312	kounw.exe	13
PID 1312 wrote to memory of 1220	1312	kounw.exe	13
PID 1312 wrote to memory of 1220	1312	kounw.exe	13
PID 1312 wrote to memory of 1284	1312	kounw.exe	12
PID 1312 wrote to memory of 1284	1312	kounw.exe	12
PID 1312 wrote to memory of 1284	1312	kounw.exe	12
PID 1312 wrote to memory of 1284	1312	kounw.exe	12
PID 1312 wrote to memory of 1284	1312	kounw.exe	12
PID 1312 wrote to memory of 880	1312	kounw.exe	16
PID 1312 wrote to memory of 880	1312	kounw.exe	16
PID 1312 wrote to memory of 880	1312	kounw.exe	16
PID 1312 wrote to memory of 880	1312	kounw.exe	16
PID 1312 wrote to memory of 880	1312	kounw.exe	16
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29
PID 880 wrote to memory of 1340	880	9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe
  "C:\Users\Admin\AppData\Local\Temp\9c961eb89e4c8ca9c44651dbf635dff7b62adb03c8483fe26e3bcfd5598bb57e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Roaming\Ojov\kounw.exe
    "C:\Users\Admin\AppData\Roaming\Ojov\kounw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe0ea9799.bat"
    3⤵
    - Deletes itself
    PID:1340

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe0ea9799.bat

Filesize
307B

MD5
055b88c53f001d93c463824acb3b39e6

SHA1
9a1e2f69e20133cb3f9fac716a63ae90e53c0a85

SHA256
e27bef6c242b79f023744bd84db9e2329cba41f851580cde9c509e3b405c1361

SHA512
17810d11854df227310831c341902d205712e0990ab5b6e526a9d8288ed6edabaab9af6bd6732ad9ade0c82472ede9bcc0420e130a7201ef735f442ff1610e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Ojov\kounw.exe

Filesize
350KB

MD5
fc90222877e360eaf735a3026321dddd

SHA1
45d2aa609d3b30242d6e252ca3383c56719512ee

SHA256
85d7b42bf42a90a859b92587cf2aca3c6832c649bde942d9fdaae4ace6c01cd4

SHA512
aad1c9a82d81fa498130eb9e672c0ad7731856db841042f2a45f01c66531734a46619f7462414a92a2b2216202ebd2abdf5ab14b4cf049940f55117b3f66bdf0

Download Submit
C:\Users\Admin\AppData\Roaming\Ojov\kounw.exe

Filesize
350KB

MD5
fc90222877e360eaf735a3026321dddd

SHA1
45d2aa609d3b30242d6e252ca3383c56719512ee

SHA256
85d7b42bf42a90a859b92587cf2aca3c6832c649bde942d9fdaae4ace6c01cd4

SHA512
aad1c9a82d81fa498130eb9e672c0ad7731856db841042f2a45f01c66531734a46619f7462414a92a2b2216202ebd2abdf5ab14b4cf049940f55117b3f66bdf0

Download Submit
\Users\Admin\AppData\Roaming\Ojov\kounw.exe

Filesize
350KB

MD5
fc90222877e360eaf735a3026321dddd

SHA1
45d2aa609d3b30242d6e252ca3383c56719512ee

SHA256
85d7b42bf42a90a859b92587cf2aca3c6832c649bde942d9fdaae4ace6c01cd4

SHA512
aad1c9a82d81fa498130eb9e672c0ad7731856db841042f2a45f01c66531734a46619f7462414a92a2b2216202ebd2abdf5ab14b4cf049940f55117b3f66bdf0

Download Submit
memory/880-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/880-82-0x0000000001F80000-0x0000000001FC7000-memory.dmp

Filesize
284KB

Download
memory/880-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/880-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-85-0x0000000001F80000-0x0000000001FC7000-memory.dmp

Filesize
284KB

Download
memory/880-84-0x0000000001F80000-0x0000000001FC7000-memory.dmp

Filesize
284KB

Download
memory/880-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/880-106-0x0000000001F80000-0x0000000001FC7000-memory.dmp

Filesize
284KB

Download
memory/880-103-0x0000000001F80000-0x0000000001FDB000-memory.dmp

Filesize
364KB

Download
memory/880-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/880-99-0x00000000004D0000-0x0000000000517000-memory.dmp

Filesize
284KB

Download
memory/880-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/880-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/880-83-0x0000000001F80000-0x0000000001FC7000-memory.dmp

Filesize
284KB

Download
memory/1192-65-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1192-66-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1192-67-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1192-64-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1192-62-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1220-70-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1220-71-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1220-72-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1220-73-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1284-78-0x0000000002A00000-0x0000000002A47000-memory.dmp

Filesize
284KB

Download
memory/1284-77-0x0000000002A00000-0x0000000002A47000-memory.dmp

Filesize
284KB

Download
memory/1284-76-0x0000000002A00000-0x0000000002A47000-memory.dmp

Filesize
284KB

Download
memory/1284-79-0x0000000002A00000-0x0000000002A47000-memory.dmp

Filesize
284KB

Download
memory/1312-101-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1312-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1340-94-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1340-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1340-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1340-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-97-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1340-116-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download