3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Size

280KB
MD5

0852ebe4950dc5c01e81e123cb20f5d0
SHA1

1aeb77ea59355c6747a66be43e20916f3fde215d
SHA256

3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5
SHA512

35974817a670f932c8c0ecedd0b15f5d884b3d85e7383736271106f68815d130243947cc8d0bfd61bcb8d6c32975453a9f4b58b31373405bd5ed76c4f51adbb1
SSDEEP

6144:pT8lj6/LTbJ8j7q4qFNLG0mvT0YhBdF5VWiFDL6u:pgleTZe7q4eNLS0YXdFBv6

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4960	opixu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	opixu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Olseopyhik = "C:\\Users\\Admin\\AppData\\Roaming\\Fyas\\opixu.exe"	opixu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 2532	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	82

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Privacy	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe
4960	opixu.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
Token: SeSecurityPrivilege	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4960	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	81
PID 4856 wrote to memory of 4960	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	81
PID 4856 wrote to memory of 4960	4856	3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe	81
PID 4960 wrote to memory of 2448	4960	opixu.exe	75
PID 4960 wrote to memory of 2448	4960	opixu.exe	75
PID 4960 wrote to memory of 2448	4960	opixu.exe	75
PID 4960 wrote to memory of 2448	4960	opixu.exe	75
PID 4960 wrote to memory of 2448	4960	opixu.exe	75
PID 4960 wrote to memory of 2516	4960	opixu.exe	41
PID 4960 wrote to memory of 2516	4960	opixu.exe	41
PID 4960 wrote to memory of 2516	4960	opixu.exe	41
PID 4960 wrote to memory of 2516	4960	opixu.exe	41
PID 4960 wrote to memory of 2516	4960	opixu.exe	41
PID 4960 wrote to memory of 2880	4960	opixu.exe	47
PID 4960 wrote to memory of 2880	4960	opixu.exe	47
PID 4960 wrote to memory of 2880	4960	opixu.exe	47
PID 4960 wrote to memory of 2880	4960	opixu.exe	47
PID 4960 wrote to memory of 2880	4960	opixu.exe	47
PID 4960 wrote to memory of 780	4960	opixu.exe	48
PID 4960 wrote to memory of 780	4960	opixu.exe	48
PID 4960 wrote to memory of 780	4960	opixu.exe	48
PID 4960 wrote to memory of 780	4960	opixu.exe	48
PID 4960 wrote to memory of 780	4960	opixu.exe	48
PID 4960 wrote to memory of 3156	4960	opixu.exe	73
PID 4960 wrote to memory of 3156	4960	opixu.exe	73
PID 4960 wrote to memory of 3156	4960	opixu.exe	73
PID 4960 wrote to memory of 3156	4960	opixu.exe	73
PID 4960 wrote to memory of 3156	4960	opixu.exe	73
PID 4960 wrote to memory of 3356	4960	opixu.exe	50
PID 4960 wrote to memory of 3356	4960	opixu.exe	50
PID 4960 wrote to memory of 3356	4960	opixu.exe	50
PID 4960 wrote to memory of 3356	4960	opixu.exe	50
PID 4960 wrote to memory of 3356	4960	opixu.exe	50
PID 4960 wrote to memory of 3460	4960	opixu.exe	49
PID 4960 wrote to memory of 3460	4960	opixu.exe	49
PID 4960 wrote to memory of 3460	4960	opixu.exe	49
PID 4960 wrote to memory of 3460	4960	opixu.exe	49
PID 4960 wrote to memory of 3460	4960	opixu.exe	49
PID 4960 wrote to memory of 3524	4960	opixu.exe	51
PID 4960 wrote to memory of 3524	4960	opixu.exe	51
PID 4960 wrote to memory of 3524	4960	opixu.exe	51
PID 4960 wrote to memory of 3524	4960	opixu.exe	51
PID 4960 wrote to memory of 3524	4960	opixu.exe	51
PID 4960 wrote to memory of 3612	4960	opixu.exe	72
PID 4960 wrote to memory of 3612	4960	opixu.exe	72
PID 4960 wrote to memory of 3612	4960	opixu.exe	72
PID 4960 wrote to memory of 3612	4960	opixu.exe	72
PID 4960 wrote to memory of 3612	4960	opixu.exe	72
PID 4960 wrote to memory of 3820	4960	opixu.exe	52
PID 4960 wrote to memory of 3820	4960	opixu.exe	52
PID 4960 wrote to memory of 3820	4960	opixu.exe	52
PID 4960 wrote to memory of 3820	4960	opixu.exe	52
PID 4960 wrote to memory of 3820	4960	opixu.exe	52
PID 4960 wrote to memory of 4688	4960	opixu.exe	54
PID 4960 wrote to memory of 4688	4960	opixu.exe	54
PID 4960 wrote to memory of 4688	4960	opixu.exe	54
PID 4960 wrote to memory of 4688	4960	opixu.exe	54
PID 4960 wrote to memory of 4688	4960	opixu.exe	54
PID 4960 wrote to memory of 3212	4960	opixu.exe	58
PID 4960 wrote to memory of 3212	4960	opixu.exe	58
PID 4960 wrote to memory of 3212	4960	opixu.exe	58
PID 4960 wrote to memory of 3212	4960	opixu.exe	58
PID 4960 wrote to memory of 3212	4960	opixu.exe	58
PID 4960 wrote to memory of 4856	4960	opixu.exe	80

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2516

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2880

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddf0abe134f351257d9b794ac4fb2424646fe55d77d11d7af2d6df4a015aea5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Roaming\Fyas\opixu.exe
    "C:\Users\Admin\AppData\Roaming\Fyas\opixu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1015389f.bat"
    3⤵
    PID:2532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3356

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4688

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3156

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Daug\taega.umz

Filesize
2KB

MD5
cdbb1e0923a6d4e5b330ef41048817f4

SHA1
27b9675adaab622104cad200190485d27fad9576

SHA256
ce2ea85fe4c8fab866980d668c4eaf5b7d313100bd3d16132bddfae3e57d91a3

SHA512
6baa0e6fbd3bdc38b748bd7dc6e152d44149317ea6c0f08456807a38a309f84fdcd0273a85772396e693ccfd5c10577fc21ec01a57ea72b1b39b6d13dafdd90c

Download Submit
C:\Users\Admin\AppData\Roaming\Fyas\opixu.exe

Filesize
280KB

MD5
0600c4b95642db145c640fc29c042de2

SHA1
64e6cf4f3af9bc3fd4f881d40497365dbb2e65f0

SHA256
9d088904c8d08843a36dfe27532c26ffa6f42f09f0c5d8e88ab480a7a376d8c4

SHA512
71263c6bd6d36da1b6694bf610933c9b177254dd1b14361f7365855c0ad97ba5ff8b0f16d0660c24060464c3834c026b756e09b383c55bff0088937027f5fccb

Download Submit
C:\Users\Admin\AppData\Roaming\Fyas\opixu.exe

Filesize
280KB

MD5
0600c4b95642db145c640fc29c042de2

SHA1
64e6cf4f3af9bc3fd4f881d40497365dbb2e65f0

SHA256
9d088904c8d08843a36dfe27532c26ffa6f42f09f0c5d8e88ab480a7a376d8c4

SHA512
71263c6bd6d36da1b6694bf610933c9b177254dd1b14361f7365855c0ad97ba5ff8b0f16d0660c24060464c3834c026b756e09b383c55bff0088937027f5fccb

Download Submit
memory/2532-144-0x00000000009A0000-0x00000000009DB000-memory.dmp

Filesize
236KB

Download
memory/2532-149-0x00000000009A0000-0x00000000009DB000-memory.dmp

Filesize
236KB

Download
memory/4856-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4856-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4856-132-0x00000000021D0000-0x000000000220B000-memory.dmp

Filesize
236KB

Download
memory/4856-145-0x00000000021D0000-0x000000000220B000-memory.dmp

Filesize
236KB

Download
memory/4856-142-0x00000000022B0000-0x00000000022EB000-memory.dmp

Filesize
236KB

Download
memory/4856-148-0x00000000022B0000-0x00000000022EB000-memory.dmp

Filesize
236KB

Download
memory/4856-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-141-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4960-140-0x00000000005B0000-0x00000000005EB000-memory.dmp

Filesize
236KB

Download
memory/4960-150-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download