0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe
Size

668KB
MD5

0dd181e5679fd2fda3569db1aee5dc60
SHA1

61001affe47bef640de681efcdba6b2166626929
SHA256

0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7
SHA512

df70e9f6bbed1cd8e4f791f4a9495025e36c92559904d228a203aa072b36ffabf0e5469ed73ece4e02f1f3916dc46856d46cc24d5368e2a0de83b45674065e1a
SSDEEP

12288:lhJMfRUpYKXZxAnM30c8sGDGnwgWhkBRDIuIivlPzzUKC1gv7Vw0:7WpUTZxA20c8sFnwgd1zUpgzC0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1988	key.exe
988	dwm.exe

Loads dropped DLL 13 IoCs

pid	Process
1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe
1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe
1988	key.exe
1988	key.exe
1988	key.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
336	Process not Found
988	dwm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	key.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsiVideo = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mdi064.dll,runme"	key.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1480	rundll32.exe
1480	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1088 wrote to memory of 1988	1088	0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe	27
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1988 wrote to memory of 1480	1988	key.exe	28
PID 1480 wrote to memory of 988	1480	rundll32.exe	29
PID 1480 wrote to memory of 988	1480	rundll32.exe	29
PID 1480 wrote to memory of 988	1480	rundll32.exe	29
PID 1480 wrote to memory of 988	1480	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe
"C:\Users\Admin\AppData\Local\Temp\0d11aafd65466135435e33ce33dc57badd7186dc08913e4e63093471dcc411e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe
  C:\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\\mdi064.dll,runme
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe
      C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe -poolip=54.200.248.75 -poolport=1337 -pooluser=AHXJ1dhkKiHmSFRT3g4LTEyGaomhL46N6m -poolpassword=x -genproclimit=8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswizard05\libwinpthread-1.dll

Filesize
52KB

MD5
4c33c6fc8466bcfe9e79f3e6578f5ae5

SHA1
50589a405de4be0f04753b6d12c1edbbd0c8b911

SHA256
f4d88aa405096d178e1f11f7daa1d5863693340b82405a7fb1d7ca5863fdf50c

SHA512
ea57a3824775530db1ea3bd4cb28acc9358cc1f92b96c37b98114a36b03cec1231ea93326dd3b2ed859382608e156af1531a91c40198e57764653085fae93707

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdi064.dll

Filesize
545KB

MD5
ba817bab585d806a546401697ad4c5ab

SHA1
51138cf91df82ed8b550ab193d2e35622634ad79

SHA256
a80cc1735e5f149b39ccf32eb73933726a8926d9605eecc1f9350ddba1754b86

SHA512
40bc0c152990170610eb5c0f3c9ad9ebe323e937dfc1a73925f210d52a77385355d6f71f97fb1bd85e12435a964a28c31687d2932768d2894c8edf43460452bc

Download Submit
\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
\Users\Admin\AppData\Local\Temp\7zC5862440\key.exe

Filesize
702KB

MD5
b451eb3796a7cc8c17d6a0e9abb3fea1

SHA1
93ddef5ff44ce6dcd086025aa6cffa39e25d0e2a

SHA256
5af11b5c0f91a47894abe6190e527b7fbf390af713d63a83d35a26ed503e180b

SHA512
2d536e0e858aa1246a407314fa8b590f533aa260e6bcb726e135bca80c2c7a8606c27965954445af2b7a5daa7113e2ed01acdd836ace120315094e46a9ebb652

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\libwinpthread-1.dll

Filesize
52KB

MD5
4c33c6fc8466bcfe9e79f3e6578f5ae5

SHA1
50589a405de4be0f04753b6d12c1edbbd0c8b911

SHA256
f4d88aa405096d178e1f11f7daa1d5863693340b82405a7fb1d7ca5863fdf50c

SHA512
ea57a3824775530db1ea3bd4cb28acc9358cc1f92b96c37b98114a36b03cec1231ea93326dd3b2ed859382608e156af1531a91c40198e57764653085fae93707

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll

Filesize
545KB

MD5
ba817bab585d806a546401697ad4c5ab

SHA1
51138cf91df82ed8b550ab193d2e35622634ad79

SHA256
a80cc1735e5f149b39ccf32eb73933726a8926d9605eecc1f9350ddba1754b86

SHA512
40bc0c152990170610eb5c0f3c9ad9ebe323e937dfc1a73925f210d52a77385355d6f71f97fb1bd85e12435a964a28c31687d2932768d2894c8edf43460452bc

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll

Filesize
545KB

MD5
ba817bab585d806a546401697ad4c5ab

SHA1
51138cf91df82ed8b550ab193d2e35622634ad79

SHA256
a80cc1735e5f149b39ccf32eb73933726a8926d9605eecc1f9350ddba1754b86

SHA512
40bc0c152990170610eb5c0f3c9ad9ebe323e937dfc1a73925f210d52a77385355d6f71f97fb1bd85e12435a964a28c31687d2932768d2894c8edf43460452bc

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll

Filesize
545KB

MD5
ba817bab585d806a546401697ad4c5ab

SHA1
51138cf91df82ed8b550ab193d2e35622634ad79

SHA256
a80cc1735e5f149b39ccf32eb73933726a8926d9605eecc1f9350ddba1754b86

SHA512
40bc0c152990170610eb5c0f3c9ad9ebe323e937dfc1a73925f210d52a77385355d6f71f97fb1bd85e12435a964a28c31687d2932768d2894c8edf43460452bc

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll

Filesize
545KB

MD5
ba817bab585d806a546401697ad4c5ab

SHA1
51138cf91df82ed8b550ab193d2e35622634ad79

SHA256
a80cc1735e5f149b39ccf32eb73933726a8926d9605eecc1f9350ddba1754b86

SHA512
40bc0c152990170610eb5c0f3c9ad9ebe323e937dfc1a73925f210d52a77385355d6f71f97fb1bd85e12435a964a28c31687d2932768d2894c8edf43460452bc

Download Submit
memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1988-64-0x00000000020F0000-0x00000000021B5000-memory.dmp

Filesize
788KB

Download