0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b

Analysis

max time kernel
179s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 08:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe
Size

301KB
MD5

6226835f90e6674b1795c38530eef930
SHA1

19d514a3ffe554c04f6f35bbb95909cb8743f534
SHA256

0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b
SHA512

2c1e7413b2246b81c7f084d21a207734a44daeda67c3592f1aebff41af938aa28585d47a26db498ea9e3862fd15be69d56174a9417a716ad3caec608a4fff8b9
SSDEEP

6144:ulQYcP+wbqVjtc8Es+evxozk5OBqYjyvC63jXe6z2iAFsDIyDwgs3A8o8jBw:nJb0Gbs7vi+a7yq6q6z27Fskg83A8JB

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	unaweb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	unaweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unaweb = "C:\\Users\\Admin\\AppData\\Roaming\\Asofr\\unaweb.exe"	unaweb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 2820	5000	0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe	83

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe
2008	unaweb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2008	5000	0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe	82
PID 5000 wrote to memory of 2008	5000	0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe	82
PID 5000 wrote to memory of 2008	5000	0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe	82
PID 2008 wrote to memory of 2772	2008	unaweb.exe	42
PID 2008 wrote to memory of 2772	2008	unaweb.exe	42
PID 2008 wrote to memory of 2772	2008	unaweb.exe	42
PID 2008 wrote to memory of 2772	2008	unaweb.exe	42
PID 2008 wrote to memory of 2772	2008	unaweb.exe	42
PID 2008 wrote to memory of 2808	2008	unaweb.exe	41
PID 2008 wrote to memory of 2808	2008	unaweb.exe	41
PID 2008 wrote to memory of 2808	2008	unaweb.exe	41
PID 2008 wrote to memory of 2808	2008	unaweb.exe	41
PID 2008 wrote to memory of 2808	2008	unaweb.exe	41
PID 2008 wrote to memory of 2924	2008	unaweb.exe	39
PID 2008 wrote to memory of 2924	2008	unaweb.exe	39
PID 2008 wrote to memory of 2924	2008	unaweb.exe	39
PID 2008 wrote to memory of 2924	2008	unaweb.exe	39
PID 2008 wrote to memory of 2924	2008	unaweb.exe	39
PID 2008 wrote to memory of 1040	2008	unaweb.exe	38
PID 2008 wrote to memory of 1040	2008	unaweb.exe	38
PID 2008 wrote to memory of 1040	2008	unaweb.exe	38
PID 2008 wrote to memory of 1040	2008	unaweb.exe	38
PID 2008 wrote to memory of 1040	2008	unaweb.exe	38
PID 2008 wrote to memory of 3080	2008	unaweb.exe	37
PID 2008 wrote to memory of 3080	2008	unaweb.exe	37
PID 2008 wrote to memory of 3080	2008	unaweb.exe	37
PID 2008 wrote to memory of 3080	2008	unaweb.exe	37
PID 2008 wrote to memory of 3080	2008	unaweb.exe	37
PID 2008 wrote to memory of 3292	2008	unaweb.exe	36
PID 2008 wrote to memory of 3292	2008	unaweb.exe	36
PID 2008 wrote to memory of 3292	2008	unaweb.exe	36
PID 2008 wrote to memory of 3292	2008	unaweb.exe	36
PID 2008 wrote to memory of 3292	2008	unaweb.exe	36
PID 2008 wrote to memory of 3380	2008	unaweb.exe	35
PID 2008 wrote to memory of 3380	2008	unaweb.exe	35
PID 2008 wrote to memory of 3380	2008	unaweb.exe	35
PID 2008 wrote to memory of 3380	2008	unaweb.exe	35
PID 2008 wrote to memory of 3380	2008	unaweb.exe	35
PID 2008 wrote to memory of 3452	2008	unaweb.exe	34
PID 2008 wrote to memory of 3452	2008	unaweb.exe	34
PID 2008 wrote to memory of 3452	2008	unaweb.exe	34
PID 2008 wrote to memory of 3452	2008	unaweb.exe	34
PID 2008 wrote to memory of 3452	2008	unaweb.exe	34
PID 2008 wrote to memory of 3560	2008	unaweb.exe	33
PID 2008 wrote to memory of 3560	2008	unaweb.exe	33
PID 2008 wrote to memory of 3560	2008	unaweb.exe	33
PID 2008 wrote to memory of 3560	2008	unaweb.exe	33
PID 2008 wrote to memory of 3560	2008	unaweb.exe	33
PID 2008 wrote to memory of 3752	2008	unaweb.exe	32
PID 2008 wrote to memory of 3752	2008	unaweb.exe	32
PID 2008 wrote to memory of 3752	2008	unaweb.exe	32
PID 2008 wrote to memory of 3752	2008	unaweb.exe	32
PID 2008 wrote to memory of 3752	2008	unaweb.exe	32
PID 2008 wrote to memory of 4616	2008	unaweb.exe	29
PID 2008 wrote to memory of 4616	2008	unaweb.exe	29
PID 2008 wrote to memory of 4616	2008	unaweb.exe	29
PID 2008 wrote to memory of 4616	2008	unaweb.exe	29
PID 2008 wrote to memory of 4616	2008	unaweb.exe	29
PID 2008 wrote to memory of 4900	2008	unaweb.exe	14
PID 2008 wrote to memory of 4900	2008	unaweb.exe	14
PID 2008 wrote to memory of 4900	2008	unaweb.exe	14
PID 2008 wrote to memory of 4900	2008	unaweb.exe	14
PID 2008 wrote to memory of 4900	2008	unaweb.exe	14
PID 2008 wrote to memory of 5000	2008	unaweb.exe	79

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe
  "C:\Users\Admin\AppData\Local\Temp\0c65d60588a0e2c85600c94f6d048ff7eb702bcb304ba8712ebb67133095533b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Roaming\Asofr\unaweb.exe
    "C:\Users\Admin\AppData\Roaming\Asofr\unaweb.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\QCRA167.bat"
    3⤵
    PID:2820

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QCRA167.bat

Filesize
303B

MD5
ee83df74da7370677a42aee89d608111

SHA1
c4ea5ed9ea331f6a8af07b6cb6c13022e4912ee7

SHA256
f10b7489e7dd70cb7f675dd97580fb9bc468d0c62959a79441572fce5ab769da

SHA512
38eb1de0cc49ca086d5ed5807bec156679089c814f49f9bdc53df56f4e3e83a17a384195029828985e2ae4ad2c62a73186fb63d05ef72d8da313390ca7027abd

Download Submit
C:\Users\Admin\AppData\Roaming\Asofr\unaweb.exe

Filesize
301KB

MD5
594fbd78b2f643824b746bdfafd29e3b

SHA1
0b65f977661e0aaf5b01bc5edb291ddc5c8a2ceb

SHA256
5aac1dca961463cddb5a3b7eaed006ac0afd65fd89379cacdc4dc263d43e1dfb

SHA512
1fff72bb87cb6d480b146f896c6ffc0de2675163801042976e077bbbb5570cac83b0c02313734667edb7c7866048b0b9492d1e26f920153d21bc04772a9146a1

Download Submit
C:\Users\Admin\AppData\Roaming\Asofr\unaweb.exe

Filesize
301KB

MD5
594fbd78b2f643824b746bdfafd29e3b

SHA1
0b65f977661e0aaf5b01bc5edb291ddc5c8a2ceb

SHA256
5aac1dca961463cddb5a3b7eaed006ac0afd65fd89379cacdc4dc263d43e1dfb

SHA512
1fff72bb87cb6d480b146f896c6ffc0de2675163801042976e077bbbb5570cac83b0c02313734667edb7c7866048b0b9492d1e26f920153d21bc04772a9146a1

Download Submit
memory/2008-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2820-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-155-0x0000000000F70000-0x0000000000FB9000-memory.dmp

Filesize
292KB

Download
memory/2820-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2820-146-0x0000000000F70000-0x0000000000FB9000-memory.dmp

Filesize
292KB

Download
memory/2820-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-147-0x0000000000A80000-0x0000000000AC9000-memory.dmp

Filesize
292KB

Download
memory/5000-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-132-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5000-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5000-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download