0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe
Size

296KB
MD5

932ef2674fb6aab6a96746d9a47e6c50
SHA1

13696b398d5830ffe95334c9bca10eee1624e83b
SHA256

0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135
SHA512

9bcb6a92127cc0eba6ce6a65fb07efa51668a88579a9cf9b5da705687a6f24add1876b5ce93cdde4118d7d672c43b8449eed1441447636b518eb0509ddf85ec0
SSDEEP

6144:k6uSdqQDynGRXeoGVuO4UG4aKYw//AjYqMAkDxb0Q0LQ1m:keDyOXzldUG4aKYIojzM9Jx8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	inuxw.exe

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe
1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inuxw = "C:\\Users\\Admin\\AppData\\Roaming\\Dain\\inuxw.exe"	inuxw.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	inuxw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe
860	inuxw.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 860	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	26
PID 1248 wrote to memory of 860	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	26
PID 1248 wrote to memory of 860	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	26
PID 1248 wrote to memory of 860	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	26
PID 860 wrote to memory of 1300	860	inuxw.exe	10
PID 860 wrote to memory of 1300	860	inuxw.exe	10
PID 860 wrote to memory of 1300	860	inuxw.exe	10
PID 860 wrote to memory of 1300	860	inuxw.exe	10
PID 860 wrote to memory of 1300	860	inuxw.exe	10
PID 860 wrote to memory of 1404	860	inuxw.exe	9
PID 860 wrote to memory of 1404	860	inuxw.exe	9
PID 860 wrote to memory of 1404	860	inuxw.exe	9
PID 860 wrote to memory of 1404	860	inuxw.exe	9
PID 860 wrote to memory of 1404	860	inuxw.exe	9
PID 860 wrote to memory of 1444	860	inuxw.exe	8
PID 860 wrote to memory of 1444	860	inuxw.exe	8
PID 860 wrote to memory of 1444	860	inuxw.exe	8
PID 860 wrote to memory of 1444	860	inuxw.exe	8
PID 860 wrote to memory of 1444	860	inuxw.exe	8
PID 860 wrote to memory of 1248	860	inuxw.exe	14
PID 860 wrote to memory of 1248	860	inuxw.exe	14
PID 860 wrote to memory of 1248	860	inuxw.exe	14
PID 860 wrote to memory of 1248	860	inuxw.exe	14
PID 860 wrote to memory of 1248	860	inuxw.exe	14
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27
PID 1248 wrote to memory of 1264	1248	0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe
  "C:\Users\Admin\AppData\Local\Temp\0c01a667864e3d3a4919906135f628e1b67ef2fddb5b1f4ef75a9400139a6135.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Roaming\Dain\inuxw.exe
    "C:\Users\Admin\AppData\Roaming\Dain\inuxw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\WOK976C.bat"
    3⤵
    - Deletes itself
    PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1404

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WOK976C.bat

Filesize
303B

MD5
374d76333971cd546009f1a308fbe7d7

SHA1
ed391a56b503f27481edfe5d126aae433bb20032

SHA256
66acf9c50a02d96f34e152b540d62b830fbfb8b1ad0c06d719ed4baeb4679890

SHA512
7546476e6ea1c6d675df8f206c094ec7b0a565a1a02283cf241f9657cafd5ed13bc300c69bd903029534e74dced67e9ebc458545178f5aab667cfa0a537a74b2

Download Submit
C:\Users\Admin\AppData\Roaming\Dain\inuxw.exe

Filesize
296KB

MD5
91b4759800cc1f7373c482210de7b337

SHA1
4201aaa2afb282d19447f7687db2b67911dfe773

SHA256
23ee1ae75d8d59705148c52049507019876a5e8c26e6fa37c4a6f2c61c30debe

SHA512
c1cf8fc5983892425a3bedaaf26618caf50c322373e543b209e87dcf0128f11df219ae07f426013ac4a4866db69ac018df564e2c1da9129854af80618e30fe3f

Download Submit
C:\Users\Admin\AppData\Roaming\Dain\inuxw.exe

Filesize
296KB

MD5
91b4759800cc1f7373c482210de7b337

SHA1
4201aaa2afb282d19447f7687db2b67911dfe773

SHA256
23ee1ae75d8d59705148c52049507019876a5e8c26e6fa37c4a6f2c61c30debe

SHA512
c1cf8fc5983892425a3bedaaf26618caf50c322373e543b209e87dcf0128f11df219ae07f426013ac4a4866db69ac018df564e2c1da9129854af80618e30fe3f

Download Submit
\Users\Admin\AppData\Roaming\Dain\inuxw.exe

Filesize
296KB

MD5
91b4759800cc1f7373c482210de7b337

SHA1
4201aaa2afb282d19447f7687db2b67911dfe773

SHA256
23ee1ae75d8d59705148c52049507019876a5e8c26e6fa37c4a6f2c61c30debe

SHA512
c1cf8fc5983892425a3bedaaf26618caf50c322373e543b209e87dcf0128f11df219ae07f426013ac4a4866db69ac018df564e2c1da9129854af80618e30fe3f

Download Submit
\Users\Admin\AppData\Roaming\Dain\inuxw.exe

Filesize
296KB

MD5
91b4759800cc1f7373c482210de7b337

SHA1
4201aaa2afb282d19447f7687db2b67911dfe773

SHA256
23ee1ae75d8d59705148c52049507019876a5e8c26e6fa37c4a6f2c61c30debe

SHA512
c1cf8fc5983892425a3bedaaf26618caf50c322373e543b209e87dcf0128f11df219ae07f426013ac4a4866db69ac018df564e2c1da9129854af80618e30fe3f

Download Submit
memory/860-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1248-104-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1248-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1248-85-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1248-103-0x0000000001D50000-0x0000000001DA1000-memory.dmp

Filesize
324KB

Download
memory/1248-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1248-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-56-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-88-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1248-87-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1248-86-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1264-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-114-0x00000000000B0000-0x00000000000F8000-memory.dmp

Filesize
288KB

Download
memory/1264-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1264-100-0x00000000000B0000-0x00000000000F8000-memory.dmp

Filesize
288KB

Download
memory/1264-97-0x00000000000B0000-0x00000000000F8000-memory.dmp

Filesize
288KB

Download
memory/1264-99-0x00000000000B0000-0x00000000000F8000-memory.dmp

Filesize
288KB

Download
memory/1264-101-0x00000000000B0000-0x00000000000F8000-memory.dmp

Filesize
288KB

Download
memory/1300-65-0x0000000000190000-0x00000000001D8000-memory.dmp

Filesize
288KB

Download
memory/1300-70-0x0000000000190000-0x00000000001D8000-memory.dmp

Filesize
288KB

Download
memory/1300-69-0x0000000000190000-0x00000000001D8000-memory.dmp

Filesize
288KB

Download
memory/1300-67-0x0000000000190000-0x00000000001D8000-memory.dmp

Filesize
288KB

Download
memory/1300-68-0x0000000000190000-0x00000000001D8000-memory.dmp

Filesize
288KB

Download
memory/1404-73-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1404-74-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1404-75-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1404-76-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1444-80-0x0000000002530000-0x0000000002578000-memory.dmp

Filesize
288KB

Download
memory/1444-81-0x0000000002530000-0x0000000002578000-memory.dmp

Filesize
288KB

Download
memory/1444-79-0x0000000002530000-0x0000000002578000-memory.dmp

Filesize
288KB

Download
memory/1444-82-0x0000000002530000-0x0000000002578000-memory.dmp

Filesize
288KB

Download