52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722

Analysis

max time kernel
153s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe
Size

330KB
MD5

0e555a0a44ab5d4ca550dfcf10968c6b
SHA1

59c8fd31589e42a53754d49a1f8d79050665db58
SHA256

52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722
SHA512

ec4c284153b2be390333a035d4dec1556de2bca5ae1aae1ee10efffdd8e8cf4ea0518de6e59563e1fb7762c7d371464dd1eb928b6eda94f4b610ec2b207a582e
SSDEEP

6144:xxAl+L7TuevSla3TdKQtK6f1g+GcG8DCqabJaqvAz:x2l+LdvSlItK60ctCq4Yz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	ospoj.exe

Deletes itself 1 IoCs

pid	Process
364	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ospoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ivihc\\ospoj.exe"	ospoj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe
1696	ospoj.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe
1696	ospoj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1696	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	27
PID 1672 wrote to memory of 1696	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	27
PID 1672 wrote to memory of 1696	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	27
PID 1672 wrote to memory of 1696	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	27
PID 1696 wrote to memory of 1136	1696	ospoj.exe	14
PID 1696 wrote to memory of 1136	1696	ospoj.exe	14
PID 1696 wrote to memory of 1136	1696	ospoj.exe	14
PID 1696 wrote to memory of 1136	1696	ospoj.exe	14
PID 1696 wrote to memory of 1136	1696	ospoj.exe	14
PID 1696 wrote to memory of 1232	1696	ospoj.exe	13
PID 1696 wrote to memory of 1232	1696	ospoj.exe	13
PID 1696 wrote to memory of 1232	1696	ospoj.exe	13
PID 1696 wrote to memory of 1232	1696	ospoj.exe	13
PID 1696 wrote to memory of 1232	1696	ospoj.exe	13
PID 1696 wrote to memory of 1268	1696	ospoj.exe	12
PID 1696 wrote to memory of 1268	1696	ospoj.exe	12
PID 1696 wrote to memory of 1268	1696	ospoj.exe	12
PID 1696 wrote to memory of 1268	1696	ospoj.exe	12
PID 1696 wrote to memory of 1268	1696	ospoj.exe	12
PID 1696 wrote to memory of 1672	1696	ospoj.exe	16
PID 1696 wrote to memory of 1672	1696	ospoj.exe	16
PID 1696 wrote to memory of 1672	1696	ospoj.exe	16
PID 1696 wrote to memory of 1672	1696	ospoj.exe	16
PID 1696 wrote to memory of 1672	1696	ospoj.exe	16
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28
PID 1672 wrote to memory of 364	1672	52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe
  "C:\Users\Admin\AppData\Local\Temp\52a24cf49cb784b7b1986010b598a50f0d9d4644af9472ed8d1e2a0c94b2e722.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\Ivihc\ospoj.exe
    "C:\Users\Admin\AppData\Roaming\Ivihc\ospoj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpad5dc15f.bat"
    3⤵
    - Deletes itself
    PID:364

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpad5dc15f.bat

Filesize
307B

MD5
189e7a66b735ceb9f408d93d415289e1

SHA1
844e061263f7b66997c2ada7fd1dd5091f343bff

SHA256
41add545f1bdc70e8a0ff4a61ad10ddece3002b45d14834556ee3ce54260aa7e

SHA512
0dd1e4ce5ef53e040755cf220de1a0a10dd12f8f14f895ec4f56f34c83d555f736129cb4566f64a00a78154a75e8fee347d24a4bc7de507a8c4dbeebb74abc65

Download Submit
C:\Users\Admin\AppData\Roaming\Ivihc\ospoj.exe

Filesize
330KB

MD5
b680df9c8594f3791c1e68810cfe21ce

SHA1
3a57978daa52cace39894017ee5376a19edf81e9

SHA256
78b0b79d6827ae7b0aea9bb2478c9d837e8c2fbf5be7c7ddebb4688d9dfec6ec

SHA512
6fecc8107f6a4a72ea58d69532bbb4108f5212bb3c873ef06ba5b6a8005b5c2bce39f431c181c6cda8ac56019a6c408652fa06a7ffe7f92af3c147f708ecf44b

Download Submit
C:\Users\Admin\AppData\Roaming\Ivihc\ospoj.exe

Filesize
330KB

MD5
b680df9c8594f3791c1e68810cfe21ce

SHA1
3a57978daa52cace39894017ee5376a19edf81e9

SHA256
78b0b79d6827ae7b0aea9bb2478c9d837e8c2fbf5be7c7ddebb4688d9dfec6ec

SHA512
6fecc8107f6a4a72ea58d69532bbb4108f5212bb3c873ef06ba5b6a8005b5c2bce39f431c181c6cda8ac56019a6c408652fa06a7ffe7f92af3c147f708ecf44b

Download Submit
\Users\Admin\AppData\Roaming\Ivihc\ospoj.exe

Filesize
330KB

MD5
b680df9c8594f3791c1e68810cfe21ce

SHA1
3a57978daa52cace39894017ee5376a19edf81e9

SHA256
78b0b79d6827ae7b0aea9bb2478c9d837e8c2fbf5be7c7ddebb4688d9dfec6ec

SHA512
6fecc8107f6a4a72ea58d69532bbb4108f5212bb3c873ef06ba5b6a8005b5c2bce39f431c181c6cda8ac56019a6c408652fa06a7ffe7f92af3c147f708ecf44b

Download Submit
memory/364-115-0x0000000000160000-0x00000000001A7000-memory.dmp

Filesize
284KB

Download
memory/364-99-0x0000000000160000-0x00000000001A7000-memory.dmp

Filesize
284KB

Download
memory/364-95-0x0000000000160000-0x00000000001A7000-memory.dmp

Filesize
284KB

Download
memory/364-97-0x0000000000160000-0x00000000001A7000-memory.dmp

Filesize
284KB

Download
memory/364-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-98-0x0000000000160000-0x00000000001A7000-memory.dmp

Filesize
284KB

Download
memory/364-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1136-67-0x0000000001ED0000-0x0000000001F17000-memory.dmp

Filesize
284KB

Download
memory/1136-68-0x0000000001ED0000-0x0000000001F17000-memory.dmp

Filesize
284KB

Download
memory/1136-66-0x0000000001ED0000-0x0000000001F17000-memory.dmp

Filesize
284KB

Download
memory/1136-65-0x0000000001ED0000-0x0000000001F17000-memory.dmp

Filesize
284KB

Download
memory/1136-63-0x0000000001ED0000-0x0000000001F17000-memory.dmp

Filesize
284KB

Download
memory/1232-74-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1232-73-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1232-72-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1232-71-0x00000000001D0000-0x0000000000217000-memory.dmp

Filesize
284KB

Download
memory/1268-80-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1268-79-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1268-78-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1268-77-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1672-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-102-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1672-101-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1672-103-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1672-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1672-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1672-86-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download
memory/1672-85-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download
memory/1672-83-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download
memory/1672-84-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download
memory/1672-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1696-105-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1696-106-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1696-116-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download