7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244

Analysis

max time kernel
170s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 14:04

Target

7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
Size

197KB
MD5

0d7ee5ca2ad2f1ff8dc76b0b3e46a879
SHA1

4fb3d2a4c3d8dd10d41f88fa406a8b57df86afd2
SHA256

7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244
SHA512

b2ebff2aab02fa2f0184aa7532c27c45ef0eb5c344439ab4ecb50861ebe83a5eff0c213917f0e25b967e123a3e99ea8cac8b886eaa7d2cd6c8f1aaef2ef255ff
SSDEEP

3072:LVHat+arJxGCKOpb+cMh0tcxW0r4MZ8NlV4OmfOcRdMj0qegl44kVS1eWDTTeGNq:ejwcMh0tcU0D+l6NfOG2Vfl442SA6

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1076	Nsohya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	Nsohya.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
File created	C:\Windows\Nsohya.exe	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
File opened for modification	C:\Windows\Nsohya.exe	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	Nsohya.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International	Nsohya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe
1076	Nsohya.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe
1076	Nsohya.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1076	1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe	28
PID 1884 wrote to memory of 1076	1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe	28
PID 1884 wrote to memory of 1076	1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe	28
PID 1884 wrote to memory of 1076	1884	7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244.exe	28

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\Nsohya.exe

Filesize
197KB

MD5
0d7ee5ca2ad2f1ff8dc76b0b3e46a879

SHA1
4fb3d2a4c3d8dd10d41f88fa406a8b57df86afd2

SHA256
7aab50d132aac6d04d58886d57eab678205b6775c19172aec3cfc2231357b244

SHA512
b2ebff2aab02fa2f0184aa7532c27c45ef0eb5c344439ab4ecb50861ebe83a5eff0c213917f0e25b967e123a3e99ea8cac8b886eaa7d2cd6c8f1aaef2ef255ff

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
408B

MD5
fb712f8a06bfd1bff6f690f5cd8a9f3c

SHA1
c46560f544a35b9b0bfffbbde60fd712df1deeb4

SHA256
ef0b65be9966aab7b08d39e8125e74aa511e2968fd605e8ecd9ceb093b1b9e14

SHA512
9704f7a46cdd2ef4119bd864a3ddab750e6a9aa1b7a3c6105610915eb08f144e67626c384ce3b581338f13d75ea5ce8fd355dc57aab20b36fa3562289ba20885

Download Submit
memory/1076-62-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1884-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-59-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download