eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8

General

Target

eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe
Size

243KB
MD5

91809ba8f3e9fd41628cb1b0820ef840
SHA1

0acf715b44e4cdc934b8cf4e49bf0651e22b50a7
SHA256

eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8
SHA512

2873d58420b9c5a19a24b10c7b39c4591bd75dab32ab7c11f3dc9ecfbcafeea93e979a215a098a0e0b769d8c143dc2ed4950206274915829394311b7c82ec526
SSDEEP

6144:dFB2fiDv6glRq2QtRwuQ7S4+QCDmDraBNHGU54dqhs/dHW:dFBDv6glJQ8S4+QCKDrINmUehd2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1716	winsec.exe
1440	oronf.exe
564	oronf.exe

Deletes itself 1 IoCs

pid	Process
1272	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1524141042 = "C:\\Users\\Admin\\AppData\\Roaming\\Kuymopdy\\oronf.exe"	oronf.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	oronf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\1524141042 = "C:\\Users\\Admin\\AppData\\Roaming\\Kuymopdy\\oronf.exe"	oronf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	oronf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winsec.exe	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe
File created	C:\Windows\SysWOW64\winsec.exe	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Security Center Update - 4233470357.job	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	oronf.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe
564	oronf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
564	oronf.exe
564	oronf.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1440	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	28
PID 1044 wrote to memory of 1440	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	28
PID 1044 wrote to memory of 1440	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	28
PID 1044 wrote to memory of 1440	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	28
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1440 wrote to memory of 564	1440	oronf.exe	29
PID 1044 wrote to memory of 1272	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	30
PID 1044 wrote to memory of 1272	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	30
PID 1044 wrote to memory of 1272	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	30
PID 1044 wrote to memory of 1272	1044	eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe	30
PID 564 wrote to memory of 1640	564	oronf.exe	32
PID 564 wrote to memory of 1640	564	oronf.exe	32
PID 564 wrote to memory of 1640	564	oronf.exe	32
PID 564 wrote to memory of 1640	564	oronf.exe	32

C:\Users\Admin\AppData\Local\Temp\eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe
"C:\Users\Admin\AppData\Local\Temp\eaa8c0d6281c2a3317402338405628dd438e6abcda0f79c1602e18b7690f18f8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe
  "C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe
    "C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe" -child
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3189f685.bat"
  2⤵
  - Deletes itself
  PID:1272

C:\Windows\SysWOW64\winsec.exe
"C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe"
1⤵
- Executes dropped EXE
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3189f685.bat

Filesize
307B

MD5
6d8da7af11f64feb1e401ba3f471d14a

SHA1
c131a494c1d60c8e26f43392e8892078f05a665a

SHA256
28e74117d6a116a27a26ab6c7e27f0afc5e47d902932c3736be3e136c0153f5a

SHA512
be0a788eacdf67d3d1431191db34c1814a9b89588881c58315d1d8e5fb5441f872b6e6a1dd78edd36544999ea3efea4d650bccb1121091f1721f79a00b64eb57

Download Submit
C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
C:\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7UBWHJPR.txt

Filesize
108B

MD5
82f00e267a0f6e362ca9143f996cf6e1

SHA1
d1a2f7c7d0af21119111d3698ce9d3554e00ede2

SHA256
33f6840ac9dfdd6e3400e016ddd5e99e74d3ea96cbe17429ab906cf68585e9f5

SHA512
a4490da26a0b1dbda15ccd4ad157bf1d70cc6851736fb9d9049a344add28eefec0bba191998cdfef856beeca36c7e4308f7b2adc2bd630d25fe4b4bfac2d382a

Download Submit
C:\Windows\SysWOW64\winsec.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
C:\Windows\SysWOW64\winsec.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
\Users\Admin\AppData\Roaming\Kuymopdy\oronf.exe

Filesize
243KB

MD5
d84f0693384afb39bac2228872051540

SHA1
6da5e0ffd702a04c5eb6de8c225e71c0c479f46e

SHA256
1c2620be97319716fdcb83c3e9aa65ec50e24c76fb031178d6c23377ca30aa6c

SHA512
6cc5ce36669e0864564e79306f9e273e43c0679aedfa9f96c2d874aae03d26bb0d06cf746065f66a8759ffae2491e6d6977e368d1441d05d809c08bd9cfc4891

Download Submit
memory/564-85-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/564-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/564-75-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/564-78-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1044-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1044-58-0x0000000000340000-0x000000000035A000-memory.dmp

Filesize
104KB

Download
memory/1044-55-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/1044-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-56-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/1440-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-72-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/1716-64-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/1716-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads