39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69

Analysis

max time kernel
152s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe
Size

363KB
MD5

84dc75ecd03c863e078c1d2bb44e3d4c
SHA1

3a8ede7f1d6b0570f4e1674b5311f042f22fa7aa
SHA256

39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69
SHA512

a17d422bc54cd390fccad5d1ec0d1c946a50728a7626cbd06ac849b2dd63b987a0983b52de8591af850552066fe2f7c0ffbef4708ad7303a23eedfd8bfb515f6
SSDEEP

6144:sbIAyTXCQuBVJxRbq3gkKJFoXrSePZ3hH0WO1ohKXm:HTSJ77eoJFe+ehaXm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1600	soguel.exe

Deletes itself 1 IoCs

pid	Process
756	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe
1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	soguel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Yxow\\soguel.exe"	soguel.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe
1600	soguel.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe
1600	soguel.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1600	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	28
PID 1836 wrote to memory of 1600	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	28
PID 1836 wrote to memory of 1600	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	28
PID 1836 wrote to memory of 1600	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	28
PID 1600 wrote to memory of 1128	1600	soguel.exe	12
PID 1600 wrote to memory of 1128	1600	soguel.exe	12
PID 1600 wrote to memory of 1128	1600	soguel.exe	12
PID 1600 wrote to memory of 1128	1600	soguel.exe	12
PID 1600 wrote to memory of 1128	1600	soguel.exe	12
PID 1600 wrote to memory of 1192	1600	soguel.exe	11
PID 1600 wrote to memory of 1192	1600	soguel.exe	11
PID 1600 wrote to memory of 1192	1600	soguel.exe	11
PID 1600 wrote to memory of 1192	1600	soguel.exe	11
PID 1600 wrote to memory of 1192	1600	soguel.exe	11
PID 1600 wrote to memory of 1260	1600	soguel.exe	10
PID 1600 wrote to memory of 1260	1600	soguel.exe	10
PID 1600 wrote to memory of 1260	1600	soguel.exe	10
PID 1600 wrote to memory of 1260	1600	soguel.exe	10
PID 1600 wrote to memory of 1260	1600	soguel.exe	10
PID 1600 wrote to memory of 1836	1600	soguel.exe	16
PID 1600 wrote to memory of 1836	1600	soguel.exe	16
PID 1600 wrote to memory of 1836	1600	soguel.exe	16
PID 1600 wrote to memory of 1836	1600	soguel.exe	16
PID 1600 wrote to memory of 1836	1600	soguel.exe	16
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29
PID 1836 wrote to memory of 756	1836	39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe
  "C:\Users\Admin\AppData\Local\Temp\39505b80304aa7842b32576f5b371d052e18983fba7b0fca60356c67598c6c69.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Roaming\Yxow\soguel.exe
    "C:\Users\Admin\AppData\Roaming\Yxow\soguel.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5730a1b.bat"
    3⤵
    - Deletes itself
    PID:756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc5730a1b.bat

Filesize
307B

MD5
34381de19dbbf32450c6bfd5040dae60

SHA1
7b9a48da05378eb2c43a4ed9999ec4708aca800c

SHA256
b4b00462e8a19a23d08c532421c4540968926a1d1270e75de5ca09689748600c

SHA512
10b636708a40e960c292bbbc02e1ae12985517597acc36bd436b9cf2764cf41bf3d542ec03bb7054f7b83c40231884a02c978335e4a595cb4e06382b146c065b

Download Submit
C:\Users\Admin\AppData\Roaming\Yxow\soguel.exe

Filesize
363KB

MD5
3f559d2a0009da36fbcfc07fd9ca20ba

SHA1
e2fe78057e05d3e06b61af5fa010127bd5aeed0d

SHA256
0cfc7bdeaae43feaa51b4ec19cd2b2e0826ab818aee5d98a15a68a2d01479df7

SHA512
51a611f148b7e9d1ea5bf31da6e869b1c2ca1ca131473e1e0ebe673aded3edcd0a7535630c952fe15445785cda1931542d9cfcf88df90779b455016f83462cda

Download Submit
C:\Users\Admin\AppData\Roaming\Yxow\soguel.exe

Filesize
363KB

MD5
3f559d2a0009da36fbcfc07fd9ca20ba

SHA1
e2fe78057e05d3e06b61af5fa010127bd5aeed0d

SHA256
0cfc7bdeaae43feaa51b4ec19cd2b2e0826ab818aee5d98a15a68a2d01479df7

SHA512
51a611f148b7e9d1ea5bf31da6e869b1c2ca1ca131473e1e0ebe673aded3edcd0a7535630c952fe15445785cda1931542d9cfcf88df90779b455016f83462cda

Download Submit
\Users\Admin\AppData\Roaming\Yxow\soguel.exe

Filesize
363KB

MD5
3f559d2a0009da36fbcfc07fd9ca20ba

SHA1
e2fe78057e05d3e06b61af5fa010127bd5aeed0d

SHA256
0cfc7bdeaae43feaa51b4ec19cd2b2e0826ab818aee5d98a15a68a2d01479df7

SHA512
51a611f148b7e9d1ea5bf31da6e869b1c2ca1ca131473e1e0ebe673aded3edcd0a7535630c952fe15445785cda1931542d9cfcf88df90779b455016f83462cda

Download Submit
\Users\Admin\AppData\Roaming\Yxow\soguel.exe

Filesize
363KB

MD5
3f559d2a0009da36fbcfc07fd9ca20ba

SHA1
e2fe78057e05d3e06b61af5fa010127bd5aeed0d

SHA256
0cfc7bdeaae43feaa51b4ec19cd2b2e0826ab818aee5d98a15a68a2d01479df7

SHA512
51a611f148b7e9d1ea5bf31da6e869b1c2ca1ca131473e1e0ebe673aded3edcd0a7535630c952fe15445785cda1931542d9cfcf88df90779b455016f83462cda

Download Submit
memory/756-100-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/756-106-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/756-96-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/756-99-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/756-98-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1128-66-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1128-67-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1128-68-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1128-63-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1128-65-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1192-71-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1192-73-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1192-74-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1192-72-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1260-80-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1260-77-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1260-78-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1260-79-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1600-90-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1600-92-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1600-91-0x0000000000390000-0x00000000003F1000-memory.dmp

Filesize
388KB

Download
memory/1836-88-0x0000000001C30000-0x0000000001C91000-memory.dmp

Filesize
388KB

Download
memory/1836-89-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1836-83-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1836-93-0x0000000001D30000-0x0000000001D91000-memory.dmp

Filesize
388KB

Download
memory/1836-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1836-87-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1836-85-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1836-86-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1836-84-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1836-103-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1836-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download