bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0

Analysis

max time kernel
151s
max time network
107s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
Size

107KB
MD5

31257716c7d6782356cf803a221b33c0
SHA1

ac109d7ffcf1a2cfec586c027b983702611f1954
SHA256

bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0
SHA512

6c6d6d6b817ee25c4e24b431ea79decf4a12c43869c42bdb54f7cf80b85b09afb078d19cdbe6566c43d93f1e010bd4261c81e16776c13a35cd32f48717562aa9
SSDEEP

3072:Oe1YG16yOPrYo6ACNASXnYykkSNfpgrntFkX:SG16yaWNZYASNCrnC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1256	olugl.exe

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	olugl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{681FC6F5-5538-2875-189E-305015A0D6AF} = "C:\\Users\\Admin\\AppData\\Roaming\\Muumoc\\olugl.exe"	olugl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe
1256	olugl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
Token: SeSecurityPrivilege	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
Token: SeSecurityPrivilege	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1256	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	28
PID 1544 wrote to memory of 1256	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	28
PID 1544 wrote to memory of 1256	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	28
PID 1544 wrote to memory of 1256	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	28
PID 1256 wrote to memory of 1124	1256	olugl.exe	10
PID 1256 wrote to memory of 1124	1256	olugl.exe	10
PID 1256 wrote to memory of 1124	1256	olugl.exe	10
PID 1256 wrote to memory of 1124	1256	olugl.exe	10
PID 1256 wrote to memory of 1124	1256	olugl.exe	10
PID 1256 wrote to memory of 1208	1256	olugl.exe	18
PID 1256 wrote to memory of 1208	1256	olugl.exe	18
PID 1256 wrote to memory of 1208	1256	olugl.exe	18
PID 1256 wrote to memory of 1208	1256	olugl.exe	18
PID 1256 wrote to memory of 1208	1256	olugl.exe	18
PID 1256 wrote to memory of 1244	1256	olugl.exe	17
PID 1256 wrote to memory of 1244	1256	olugl.exe	17
PID 1256 wrote to memory of 1244	1256	olugl.exe	17
PID 1256 wrote to memory of 1244	1256	olugl.exe	17
PID 1256 wrote to memory of 1244	1256	olugl.exe	17
PID 1256 wrote to memory of 1544	1256	olugl.exe	27
PID 1256 wrote to memory of 1544	1256	olugl.exe	27
PID 1256 wrote to memory of 1544	1256	olugl.exe	27
PID 1256 wrote to memory of 1544	1256	olugl.exe	27
PID 1256 wrote to memory of 1544	1256	olugl.exe	27
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1544 wrote to memory of 568	1544	bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe	29
PID 1256 wrote to memory of 324	1256	olugl.exe	31
PID 1256 wrote to memory of 324	1256	olugl.exe	31
PID 1256 wrote to memory of 324	1256	olugl.exe	31
PID 1256 wrote to memory of 324	1256	olugl.exe	31
PID 1256 wrote to memory of 324	1256	olugl.exe	31
PID 1256 wrote to memory of 1496	1256	olugl.exe	32
PID 1256 wrote to memory of 1496	1256	olugl.exe	32
PID 1256 wrote to memory of 1496	1256	olugl.exe	32
PID 1256 wrote to memory of 1496	1256	olugl.exe	32
PID 1256 wrote to memory of 1496	1256	olugl.exe	32
PID 1256 wrote to memory of 1824	1256	olugl.exe	33
PID 1256 wrote to memory of 1824	1256	olugl.exe	33
PID 1256 wrote to memory of 1824	1256	olugl.exe	33
PID 1256 wrote to memory of 1824	1256	olugl.exe	33
PID 1256 wrote to memory of 1824	1256	olugl.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe
  "C:\Users\Admin\AppData\Local\Temp\bde8f16b5f54c6a55355af025dda1fe0623f8361eb09d7783df201ea64f2d2a0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Roaming\Muumoc\olugl.exe
    "C:\Users\Admin\AppData\Roaming\Muumoc\olugl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbcaecf6f.bat"
    3⤵
    - Deletes itself
    PID:568

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbcaecf6f.bat

Filesize
307B

MD5
c71fa9eccbba94ac9b835f0e57d3b25f

SHA1
c73d9fe72d07e6336155877092d97323fc38298c

SHA256
9fedb6a80b25a4dd668fab03609ab41fb75f1a57d491c59651459c7a207888c1

SHA512
f0f7f5a54abf7e311fc3b8b6caed33ace1351607b64b7af4faacb3b153968e9decb3c0bf7929b8cfab87eac0135cd468786935c3b61f7d3e175a017dcccd2e44

Download Submit
C:\Users\Admin\AppData\Roaming\Atapp\ylimu.noi

Filesize
398B

MD5
2b1ec690c550847072d9a6457c0da34a

SHA1
bd9a5255ae69fb4f98217c06c27962f0286f7fc9

SHA256
8a9815ecf140e5f9a9e918847190efcc69fe8f837d6f6d36e24ce2eb0ffdf1a2

SHA512
15ea48174dd16408024f6022ba0a92d1061daabfe65012ef99766036ec0bb8a42a876b380995a382fd43006077cd8a946b226c01d2ffcf70fd4dddb255e81a81

Download Submit
C:\Users\Admin\AppData\Roaming\Muumoc\olugl.exe

Filesize
107KB

MD5
67b92069fd8f1fe08e3dc498d16acdad

SHA1
fdee619468ddfd20e5ae4a44a5a67910bbec4b9f

SHA256
7b486b140238629de9cd13604cea65d76ac050770809e11474ed1e2e7d567d25

SHA512
54b3f510ce89161b0be9e54014f516a3b12fbdb076ca12c5ca5116579782048e0886b681d4f312665ce7a38bb0007c11bd60658328e900f1f1e2faea6ae32ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Muumoc\olugl.exe

Filesize
107KB

MD5
67b92069fd8f1fe08e3dc498d16acdad

SHA1
fdee619468ddfd20e5ae4a44a5a67910bbec4b9f

SHA256
7b486b140238629de9cd13604cea65d76ac050770809e11474ed1e2e7d567d25

SHA512
54b3f510ce89161b0be9e54014f516a3b12fbdb076ca12c5ca5116579782048e0886b681d4f312665ce7a38bb0007c11bd60658328e900f1f1e2faea6ae32ff9

Download Submit
\Users\Admin\AppData\Roaming\Muumoc\olugl.exe

Filesize
107KB

MD5
67b92069fd8f1fe08e3dc498d16acdad

SHA1
fdee619468ddfd20e5ae4a44a5a67910bbec4b9f

SHA256
7b486b140238629de9cd13604cea65d76ac050770809e11474ed1e2e7d567d25

SHA512
54b3f510ce89161b0be9e54014f516a3b12fbdb076ca12c5ca5116579782048e0886b681d4f312665ce7a38bb0007c11bd60658328e900f1f1e2faea6ae32ff9

Download Submit
\Users\Admin\AppData\Roaming\Muumoc\olugl.exe

Filesize
107KB

MD5
67b92069fd8f1fe08e3dc498d16acdad

SHA1
fdee619468ddfd20e5ae4a44a5a67910bbec4b9f

SHA256
7b486b140238629de9cd13604cea65d76ac050770809e11474ed1e2e7d567d25

SHA512
54b3f510ce89161b0be9e54014f516a3b12fbdb076ca12c5ca5116579782048e0886b681d4f312665ce7a38bb0007c11bd60658328e900f1f1e2faea6ae32ff9

Download Submit
memory/324-102-0x0000000000410000-0x000000000042F000-memory.dmp

Filesize
124KB

Download
memory/324-103-0x0000000000410000-0x000000000042F000-memory.dmp

Filesize
124KB

Download
memory/324-100-0x0000000000410000-0x000000000042F000-memory.dmp

Filesize
124KB

Download
memory/324-101-0x0000000000410000-0x000000000042F000-memory.dmp

Filesize
124KB

Download
memory/568-93-0x0000000000062004-mapping.dmp

Download
memory/568-97-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/568-92-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/568-88-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/568-91-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/568-90-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/1124-66-0x0000000001C20000-0x0000000001C3F000-memory.dmp

Filesize
124KB

Download
memory/1124-65-0x0000000001C20000-0x0000000001C3F000-memory.dmp

Filesize
124KB

Download
memory/1124-64-0x0000000001C20000-0x0000000001C3F000-memory.dmp

Filesize
124KB

Download
memory/1124-63-0x0000000001C20000-0x0000000001C3F000-memory.dmp

Filesize
124KB

Download
memory/1124-61-0x0000000001C20000-0x0000000001C3F000-memory.dmp

Filesize
124KB

Download
memory/1208-69-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1208-72-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1208-70-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1208-71-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1244-77-0x00000000027A0000-0x00000000027BF000-memory.dmp

Filesize
124KB

Download
memory/1244-75-0x00000000027A0000-0x00000000027BF000-memory.dmp

Filesize
124KB

Download
memory/1244-78-0x00000000027A0000-0x00000000027BF000-memory.dmp

Filesize
124KB

Download
memory/1244-76-0x00000000027A0000-0x00000000027BF000-memory.dmp

Filesize
124KB

Download
memory/1256-57-0x0000000000000000-mapping.dmp

Download
memory/1496-108-0x0000000003A50000-0x0000000003A6F000-memory.dmp

Filesize
124KB

Download
memory/1496-106-0x0000000003A50000-0x0000000003A6F000-memory.dmp

Filesize
124KB

Download
memory/1496-109-0x0000000003A50000-0x0000000003A6F000-memory.dmp

Filesize
124KB

Download
memory/1496-107-0x0000000003A50000-0x0000000003A6F000-memory.dmp

Filesize
124KB

Download
memory/1544-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1544-94-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1544-81-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1544-83-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1544-84-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1544-82-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1824-115-0x0000000001B40000-0x0000000001B5F000-memory.dmp

Filesize
124KB

Download
memory/1824-114-0x0000000001B40000-0x0000000001B5F000-memory.dmp

Filesize
124KB

Download
memory/1824-113-0x0000000001B40000-0x0000000001B5F000-memory.dmp

Filesize
124KB

Download
memory/1824-112-0x0000000001B40000-0x0000000001B5F000-memory.dmp

Filesize
124KB

Download