9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 08:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe
Size

310KB
MD5

5119ffd205dd569921a8fe0c650cb6f0
SHA1

320e30dca1467736c7ac61bec1e6a0ce4dacbc27
SHA256

9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4
SHA512

ffe029c7a0e1b919f618d2fb25d366cb234f89e1ba82177ddea75e922e26cd38781fe09acafa7ac02a61ec1b9b20e06e6e649bd3788b227bddf0eee7518d9355
SSDEEP

6144:yP5Ltaj+2fBmtMhxehbu+te33CWtctheXEgXnWQU:yP5LtaUtMT2bNtenCO54

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	doha.exe

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe
1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	doha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Avucby\\doha.exe"	doha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe
1276	doha.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1276	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	26
PID 1452 wrote to memory of 1276	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	26
PID 1452 wrote to memory of 1276	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	26
PID 1452 wrote to memory of 1276	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	26
PID 1276 wrote to memory of 1132	1276	doha.exe	15
PID 1276 wrote to memory of 1132	1276	doha.exe	15
PID 1276 wrote to memory of 1132	1276	doha.exe	15
PID 1276 wrote to memory of 1132	1276	doha.exe	15
PID 1276 wrote to memory of 1132	1276	doha.exe	15
PID 1276 wrote to memory of 1236	1276	doha.exe	14
PID 1276 wrote to memory of 1236	1276	doha.exe	14
PID 1276 wrote to memory of 1236	1276	doha.exe	14
PID 1276 wrote to memory of 1236	1276	doha.exe	14
PID 1276 wrote to memory of 1236	1276	doha.exe	14
PID 1276 wrote to memory of 1268	1276	doha.exe	13
PID 1276 wrote to memory of 1268	1276	doha.exe	13
PID 1276 wrote to memory of 1268	1276	doha.exe	13
PID 1276 wrote to memory of 1268	1276	doha.exe	13
PID 1276 wrote to memory of 1268	1276	doha.exe	13
PID 1276 wrote to memory of 1452	1276	doha.exe	20
PID 1276 wrote to memory of 1452	1276	doha.exe	20
PID 1276 wrote to memory of 1452	1276	doha.exe	20
PID 1276 wrote to memory of 1452	1276	doha.exe	20
PID 1276 wrote to memory of 1452	1276	doha.exe	20
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27
PID 1452 wrote to memory of 1776	1452	9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe
  "C:\Users\Admin\AppData\Local\Temp\9b9b01b55dca486a9587cb6e97a5097e36ac952e871707fc3e0eb544d19894c4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Avucby\doha.exe
    "C:\Users\Admin\AppData\Roaming\Avucby\doha.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp24104bb8.bat"
    3⤵
    - Deletes itself
    PID:1776

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp24104bb8.bat

Filesize
307B

MD5
58517b07e9aabe47c081c89f513b8e89

SHA1
5dd03895e1adb342b69a7af53e890c2e54838756

SHA256
ccb076c659268ea3573c3819190ceb0d85f4609407ac24311187c2b5f6177fe7

SHA512
e46a2125032249227749f54debd81af0345fb8af35833f3c3419aaf95e78b6808a78952f574793afcf0e9967a1952836edef6ad668b45f437afd1f7b9dab388a

Download Submit
C:\Users\Admin\AppData\Roaming\Avucby\doha.exe

Filesize
310KB

MD5
d6df0a9355b0444b18fd4319ebf08b4b

SHA1
801a75df521b6a28a30164a5e51b387acd6e4e67

SHA256
a04d662323ae890596dcbbde32b24ccfa495721ae90dfefa0183bfc745a1da33

SHA512
4825544afc57d0ca024cfc5baf8d4ef9bc8f8bee6676f1dc9513ac7136f4dc55c1227ba91a08bdb57214c04b6497a97ea9cb673824b8142a7323d29d4e74ef5e

Download Submit
C:\Users\Admin\AppData\Roaming\Avucby\doha.exe

Filesize
310KB

MD5
d6df0a9355b0444b18fd4319ebf08b4b

SHA1
801a75df521b6a28a30164a5e51b387acd6e4e67

SHA256
a04d662323ae890596dcbbde32b24ccfa495721ae90dfefa0183bfc745a1da33

SHA512
4825544afc57d0ca024cfc5baf8d4ef9bc8f8bee6676f1dc9513ac7136f4dc55c1227ba91a08bdb57214c04b6497a97ea9cb673824b8142a7323d29d4e74ef5e

Download Submit
\Users\Admin\AppData\Roaming\Avucby\doha.exe

Filesize
310KB

MD5
d6df0a9355b0444b18fd4319ebf08b4b

SHA1
801a75df521b6a28a30164a5e51b387acd6e4e67

SHA256
a04d662323ae890596dcbbde32b24ccfa495721ae90dfefa0183bfc745a1da33

SHA512
4825544afc57d0ca024cfc5baf8d4ef9bc8f8bee6676f1dc9513ac7136f4dc55c1227ba91a08bdb57214c04b6497a97ea9cb673824b8142a7323d29d4e74ef5e

Download Submit
\Users\Admin\AppData\Roaming\Avucby\doha.exe

Filesize
310KB

MD5
d6df0a9355b0444b18fd4319ebf08b4b

SHA1
801a75df521b6a28a30164a5e51b387acd6e4e67

SHA256
a04d662323ae890596dcbbde32b24ccfa495721ae90dfefa0183bfc745a1da33

SHA512
4825544afc57d0ca024cfc5baf8d4ef9bc8f8bee6676f1dc9513ac7136f4dc55c1227ba91a08bdb57214c04b6497a97ea9cb673824b8142a7323d29d4e74ef5e

Download Submit
memory/1132-65-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1132-70-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1132-69-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1132-68-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1132-67-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1236-73-0x00000000019E0000-0x0000000001A28000-memory.dmp

Filesize
288KB

Download
memory/1236-74-0x00000000019E0000-0x0000000001A28000-memory.dmp

Filesize
288KB

Download
memory/1236-75-0x00000000019E0000-0x0000000001A28000-memory.dmp

Filesize
288KB

Download
memory/1236-76-0x00000000019E0000-0x0000000001A28000-memory.dmp

Filesize
288KB

Download
memory/1268-81-0x00000000021B0000-0x00000000021F8000-memory.dmp

Filesize
288KB

Download
memory/1268-82-0x00000000021B0000-0x00000000021F8000-memory.dmp

Filesize
288KB

Download
memory/1268-79-0x00000000021B0000-0x00000000021F8000-memory.dmp

Filesize
288KB

Download
memory/1268-80-0x00000000021B0000-0x00000000021F8000-memory.dmp

Filesize
288KB

Download
memory/1452-86-0x00000000003A0000-0x00000000003E8000-memory.dmp

Filesize
288KB

Download
memory/1452-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-85-0x00000000003A0000-0x00000000003E8000-memory.dmp

Filesize
288KB

Download
memory/1452-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-87-0x00000000003A0000-0x00000000003E8000-memory.dmp

Filesize
288KB

Download
memory/1452-88-0x00000000003A0000-0x00000000003E8000-memory.dmp

Filesize
288KB

Download
memory/1452-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-103-0x00000000003A0000-0x00000000003E8000-memory.dmp

Filesize
288KB

Download
memory/1452-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1452-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1776-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1776-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1776-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1776-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1776-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1776-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download