74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8

Analysis

max time kernel
168s
max time network
230s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
Size

290KB
MD5

a0bd8e0ef5563a0d0f60be4bd6d7f96e
SHA1

85b5404e81d0b61ffd437a1f5d85d2d06b78bb60
SHA256

74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8
SHA512

ad645082e4e52bbd719d3f715d6a0b8cc34ae3c8715ce7d3f1aec97eafa99f84adbe09a90af95cb51808529175aa1502bda94af1756c73b1ce5ffb5607bdcc6f
SSDEEP

6144:hfsoV09Du+Rc9DMQtc9LMojzmx1i68Nbp67pkkDvarudYLx3IhpD:hR2C9DGh1wi6ApephDvvY13QpD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1388	osakx.exe

Deletes itself 1 IoCs

pid	Process
700	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	osakx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Abfufy\\osakx.exe"	osakx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe
1388	osakx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
Token: SeSecurityPrivilege	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
Token: SeSecurityPrivilege	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
1388	osakx.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1388	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	28
PID 908 wrote to memory of 1388	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	28
PID 908 wrote to memory of 1388	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	28
PID 908 wrote to memory of 1388	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	28
PID 1388 wrote to memory of 1116	1388	osakx.exe	17
PID 1388 wrote to memory of 1116	1388	osakx.exe	17
PID 1388 wrote to memory of 1116	1388	osakx.exe	17
PID 1388 wrote to memory of 1116	1388	osakx.exe	17
PID 1388 wrote to memory of 1116	1388	osakx.exe	17
PID 1388 wrote to memory of 1188	1388	osakx.exe	16
PID 1388 wrote to memory of 1188	1388	osakx.exe	16
PID 1388 wrote to memory of 1188	1388	osakx.exe	16
PID 1388 wrote to memory of 1188	1388	osakx.exe	16
PID 1388 wrote to memory of 1188	1388	osakx.exe	16
PID 1388 wrote to memory of 1216	1388	osakx.exe	9
PID 1388 wrote to memory of 1216	1388	osakx.exe	9
PID 1388 wrote to memory of 1216	1388	osakx.exe	9
PID 1388 wrote to memory of 1216	1388	osakx.exe	9
PID 1388 wrote to memory of 1216	1388	osakx.exe	9
PID 1388 wrote to memory of 908	1388	osakx.exe	19
PID 1388 wrote to memory of 908	1388	osakx.exe	19
PID 1388 wrote to memory of 908	1388	osakx.exe	19
PID 1388 wrote to memory of 908	1388	osakx.exe	19
PID 1388 wrote to memory of 908	1388	osakx.exe	19
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29
PID 908 wrote to memory of 700	908	74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe
  "C:\Users\Admin\AppData\Local\Temp\74bf7b60dce3eebeec21eacaccce1fe3197d3836f9fe01485cb57db7fddcf5c8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Roaming\Abfufy\osakx.exe
    "C:\Users\Admin\AppData\Roaming\Abfufy\osakx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaeb9b3dd.bat"
    3⤵
    - Deletes itself
    PID:700

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaeb9b3dd.bat

Filesize
307B

MD5
3c94ad0f0aba262b164d96ba5ec36118

SHA1
b7e2d3cf1f0800f25cc3488d8cfb3ccc704bb48a

SHA256
53e3f634a2cf2465728fbf90eb48421ef56e9f21df3f192f3734abfd23ddc610

SHA512
d1480026bd0d21a9180fcf665c6ffcc008b43115a0f5e4c9653e0b1b8afeb772e11ca83500a0dca31cb4f4cdd87f65bc3ca3a97811340401fccc1e9b8eed714f

Download Submit
C:\Users\Admin\AppData\Roaming\Abfufy\osakx.exe

Filesize
290KB

MD5
f9dc920a0bb4a826f3809f5438571176

SHA1
adc3b6d005f4342c5abceea2661c64c525da71db

SHA256
ac3a7b0ca67cf2e6ecdb8824b33b82147a787fee37d324da992e19227917ce34

SHA512
4239212673b8851c2490dd55069f743290c8e0d17692f23c802d2adfd2a1d7af8cbd893822d666a19853547273c3c45efb6371065a42cb7a088acb409182c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Abfufy\osakx.exe

Filesize
290KB

MD5
f9dc920a0bb4a826f3809f5438571176

SHA1
adc3b6d005f4342c5abceea2661c64c525da71db

SHA256
ac3a7b0ca67cf2e6ecdb8824b33b82147a787fee37d324da992e19227917ce34

SHA512
4239212673b8851c2490dd55069f743290c8e0d17692f23c802d2adfd2a1d7af8cbd893822d666a19853547273c3c45efb6371065a42cb7a088acb409182c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Ygme\ytpek.yxv

Filesize
398B

MD5
76a2b94f35ee2c1df28491e040139729

SHA1
896e760d75ed25efef193ec9a933b1ff7e0f717c

SHA256
aa8c681f92d9306f92567cfb1b832a29a9e2a8284501b7d65add3379dc903d6f

SHA512
11b3e3ac0c737d1384088f9befbd00f9b8704686983068d12dcc123cc47dd517fa2c676d56c07744974506e84b5bc66a94215ca40fbdc5bfee2537882c4b976b

Download Submit
\Users\Admin\AppData\Roaming\Abfufy\osakx.exe

Filesize
290KB

MD5
f9dc920a0bb4a826f3809f5438571176

SHA1
adc3b6d005f4342c5abceea2661c64c525da71db

SHA256
ac3a7b0ca67cf2e6ecdb8824b33b82147a787fee37d324da992e19227917ce34

SHA512
4239212673b8851c2490dd55069f743290c8e0d17692f23c802d2adfd2a1d7af8cbd893822d666a19853547273c3c45efb6371065a42cb7a088acb409182c2d9

Download Submit
\Users\Admin\AppData\Roaming\Abfufy\osakx.exe

Filesize
290KB

MD5
f9dc920a0bb4a826f3809f5438571176

SHA1
adc3b6d005f4342c5abceea2661c64c525da71db

SHA256
ac3a7b0ca67cf2e6ecdb8824b33b82147a787fee37d324da992e19227917ce34

SHA512
4239212673b8851c2490dd55069f743290c8e0d17692f23c802d2adfd2a1d7af8cbd893822d666a19853547273c3c45efb6371065a42cb7a088acb409182c2d9

Download Submit
memory/700-92-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/700-94-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/700-103-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/700-95-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/700-96-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/908-100-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/908-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-98-0x00000000003B0000-0x0000000000400000-memory.dmp

Filesize
320KB

Download
memory/908-56-0x00000000003B0000-0x0000000000400000-memory.dmp

Filesize
320KB

Download
memory/908-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/908-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-86-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/908-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-55-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/908-88-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/908-87-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/908-85-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1116-65-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/1116-70-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/1116-67-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/1116-68-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/1116-69-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/1188-76-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1188-75-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1188-74-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1188-73-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1216-82-0x00000000029C0000-0x0000000002A01000-memory.dmp

Filesize
260KB

Download
memory/1216-79-0x00000000029C0000-0x0000000002A01000-memory.dmp

Filesize
260KB

Download
memory/1216-80-0x00000000029C0000-0x0000000002A01000-memory.dmp

Filesize
260KB

Download
memory/1216-81-0x00000000029C0000-0x0000000002A01000-memory.dmp

Filesize
260KB

Download
memory/1388-104-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1388-105-0x0000000000350000-0x00000000003A0000-memory.dmp

Filesize
320KB

Download
memory/1388-106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1388-107-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download