6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe
Size

307KB
MD5

2e4ae4d7662e8ab4d81beea58f3d81de
SHA1

fffe46c808034474c4b4b3363e36959a0a8b2099
SHA256

6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771
SHA512

bab8846d96afc2dc214ae39ebeaae65cd4dbb9f6b63114617bec1309c14e441eadcf2bfc172466528f436ec08f8b99f755b435ad80191e9cf167f07651a9eeb6
SSDEEP

6144:74vCe0M3fQnSmjtbcHCWOP+CbsQMdf4g28DImvtvJaeOyN:7JeSnRVcxaVWh4LmlhpOyN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
452	oluv.exe
1540	oluv.exe

Deletes itself 1 IoCs

pid	Process
1472	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe
1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	oluv.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	oluv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zuacnien = "C:\\Users\\Admin\\AppData\\Roaming\\Ovadri\\oluv.exe"	oluv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 452 set thread context of 1540	452	oluv.exe	30

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe
1540	oluv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe
Token: SeSecurityPrivilege	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 832 wrote to memory of 1728	832	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	28
PID 1728 wrote to memory of 452	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	29
PID 1728 wrote to memory of 452	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	29
PID 1728 wrote to memory of 452	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	29
PID 1728 wrote to memory of 452	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	29
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 452 wrote to memory of 1540	452	oluv.exe	30
PID 1728 wrote to memory of 1472	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	31
PID 1728 wrote to memory of 1472	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	31
PID 1728 wrote to memory of 1472	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	31
PID 1728 wrote to memory of 1472	1728	6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe	31
PID 1540 wrote to memory of 1112	1540	oluv.exe	17
PID 1540 wrote to memory of 1112	1540	oluv.exe	17
PID 1540 wrote to memory of 1112	1540	oluv.exe	17
PID 1540 wrote to memory of 1112	1540	oluv.exe	17
PID 1540 wrote to memory of 1112	1540	oluv.exe	17
PID 1540 wrote to memory of 1180	1540	oluv.exe	16
PID 1540 wrote to memory of 1180	1540	oluv.exe	16
PID 1540 wrote to memory of 1180	1540	oluv.exe	16
PID 1540 wrote to memory of 1180	1540	oluv.exe	16
PID 1540 wrote to memory of 1180	1540	oluv.exe	16
PID 1540 wrote to memory of 1208	1540	oluv.exe	15
PID 1540 wrote to memory of 1208	1540	oluv.exe	15
PID 1540 wrote to memory of 1208	1540	oluv.exe	15
PID 1540 wrote to memory of 1208	1540	oluv.exe	15
PID 1540 wrote to memory of 1208	1540	oluv.exe	15
PID 1540 wrote to memory of 1820	1540	oluv.exe	33
PID 1540 wrote to memory of 1820	1540	oluv.exe	33
PID 1540 wrote to memory of 1820	1540	oluv.exe	33
PID 1540 wrote to memory of 1820	1540	oluv.exe	33
PID 1540 wrote to memory of 1820	1540	oluv.exe	33
PID 1540 wrote to memory of 1344	1540	oluv.exe	34
PID 1540 wrote to memory of 1344	1540	oluv.exe	34
PID 1540 wrote to memory of 1344	1540	oluv.exe	34
PID 1540 wrote to memory of 1344	1540	oluv.exe	34
PID 1540 wrote to memory of 1344	1540	oluv.exe	34
PID 1540 wrote to memory of 1572	1540	oluv.exe	35
PID 1540 wrote to memory of 1572	1540	oluv.exe	35
PID 1540 wrote to memory of 1572	1540	oluv.exe	35
PID 1540 wrote to memory of 1572	1540	oluv.exe	35
PID 1540 wrote to memory of 1572	1540	oluv.exe	35
PID 1540 wrote to memory of 1732	1540	oluv.exe	36
PID 1540 wrote to memory of 1732	1540	oluv.exe	36
PID 1540 wrote to memory of 1732	1540	oluv.exe	36
PID 1540 wrote to memory of 1732	1540	oluv.exe	36
PID 1540 wrote to memory of 1732	1540	oluv.exe	36
PID 1540 wrote to memory of 1168	1540	oluv.exe	37
PID 1540 wrote to memory of 1168	1540	oluv.exe	37
PID 1540 wrote to memory of 1168	1540	oluv.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe
  "C:\Users\Admin\AppData\Local\Temp\6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe
    "C:\Users\Admin\AppData\Local\Temp\6faa41765a7a72c7df7f3ab287938e906fc61b2dd60882cd59e92f995cb0f771.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe
      "C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe
        
        "C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp79ad2fe6.bat"
      4⤵
      Deletes itself
      PID:1472

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1820

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1168

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp79ad2fe6.bat

Filesize
307B

MD5
c9859090168070c617ab48f29f90d766

SHA1
526f22e295e99ab7f3d37383413fe4fdc46e6366

SHA256
412227af1a5942521c0be0301f9e5d24e36ea2b45f85028be5f9fd2a904defa0

SHA512
494002a670160822fbed9fd3b6853a0495e40664293d1303f978e3504f97225759a37faa48e9f60aa8f33772fa614611f09f54035b84bc9c6ace7e98e3b4b4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe

Filesize
307KB

MD5
75da0a636edfb96344b6fc4e4ab1fbd6

SHA1
f34087d4a2091eaccc70a4c78938900e6ea37f38

SHA256
2b05e39648848cb37727eb9f3015ef6d42753e36587303c8725cce0944a84020

SHA512
da4c954ad7bd2e85d2e789c0d7373a1fb6c1df87c9897aa6a650c0e51a5ec616ceac75e312962243404e15969d0059d9f1070d0b6de978ca4b820f7a28dd4b27

Download Submit
C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe

Filesize
307KB

MD5
75da0a636edfb96344b6fc4e4ab1fbd6

SHA1
f34087d4a2091eaccc70a4c78938900e6ea37f38

SHA256
2b05e39648848cb37727eb9f3015ef6d42753e36587303c8725cce0944a84020

SHA512
da4c954ad7bd2e85d2e789c0d7373a1fb6c1df87c9897aa6a650c0e51a5ec616ceac75e312962243404e15969d0059d9f1070d0b6de978ca4b820f7a28dd4b27

Download Submit
C:\Users\Admin\AppData\Roaming\Ovadri\oluv.exe

Filesize
307KB

MD5
75da0a636edfb96344b6fc4e4ab1fbd6

SHA1
f34087d4a2091eaccc70a4c78938900e6ea37f38

SHA256
2b05e39648848cb37727eb9f3015ef6d42753e36587303c8725cce0944a84020

SHA512
da4c954ad7bd2e85d2e789c0d7373a1fb6c1df87c9897aa6a650c0e51a5ec616ceac75e312962243404e15969d0059d9f1070d0b6de978ca4b820f7a28dd4b27

Download Submit
\Users\Admin\AppData\Roaming\Ovadri\oluv.exe

Filesize
307KB

MD5
75da0a636edfb96344b6fc4e4ab1fbd6

SHA1
f34087d4a2091eaccc70a4c78938900e6ea37f38

SHA256
2b05e39648848cb37727eb9f3015ef6d42753e36587303c8725cce0944a84020

SHA512
da4c954ad7bd2e85d2e789c0d7373a1fb6c1df87c9897aa6a650c0e51a5ec616ceac75e312962243404e15969d0059d9f1070d0b6de978ca4b820f7a28dd4b27

Download Submit
\Users\Admin\AppData\Roaming\Ovadri\oluv.exe

Filesize
307KB

MD5
75da0a636edfb96344b6fc4e4ab1fbd6

SHA1
f34087d4a2091eaccc70a4c78938900e6ea37f38

SHA256
2b05e39648848cb37727eb9f3015ef6d42753e36587303c8725cce0944a84020

SHA512
da4c954ad7bd2e85d2e789c0d7373a1fb6c1df87c9897aa6a650c0e51a5ec616ceac75e312962243404e15969d0059d9f1070d0b6de978ca4b820f7a28dd4b27

Download Submit
memory/452-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/452-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/452-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/832-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/832-65-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/832-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/832-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1112-95-0x0000000001E00000-0x0000000001E3B000-memory.dmp

Filesize
236KB

Download
memory/1112-91-0x0000000001E00000-0x0000000001E3B000-memory.dmp

Filesize
236KB

Download
memory/1112-96-0x0000000001E00000-0x0000000001E3B000-memory.dmp

Filesize
236KB

Download
memory/1112-94-0x0000000001E00000-0x0000000001E3B000-memory.dmp

Filesize
236KB

Download
memory/1112-93-0x0000000001E00000-0x0000000001E3B000-memory.dmp

Filesize
236KB

Download
memory/1168-137-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1168-138-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1180-103-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-102-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-101-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-100-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1208-106-0x0000000002600000-0x000000000263B000-memory.dmp

Filesize
236KB

Download
memory/1208-107-0x0000000002600000-0x000000000263B000-memory.dmp

Filesize
236KB

Download
memory/1208-109-0x0000000002600000-0x000000000263B000-memory.dmp

Filesize
236KB

Download
memory/1208-108-0x0000000002600000-0x000000000263B000-memory.dmp

Filesize
236KB

Download
memory/1344-119-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/1344-122-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/1344-121-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/1344-120-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/1540-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-128-0x0000000001B40000-0x0000000001B7B000-memory.dmp

Filesize
236KB

Download
memory/1572-126-0x0000000001B40000-0x0000000001B7B000-memory.dmp

Filesize
236KB

Download
memory/1572-127-0x0000000001B40000-0x0000000001B7B000-memory.dmp

Filesize
236KB

Download
memory/1572-125-0x0000000001B40000-0x0000000001B7B000-memory.dmp

Filesize
236KB

Download
memory/1728-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1728-67-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-73-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1728-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1728-72-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1728-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-66-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1728-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1728-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1728-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1732-131-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/1732-132-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/1732-133-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/1732-134-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/1820-114-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1820-113-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1820-115-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1820-116-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download