fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d

Analysis

max time kernel
151s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe
Size

351KB
MD5

91458c7086ecdae7abbee181188e7ff7
SHA1

e64f8cb987608820db4ee6fbd098fd14034afc61
SHA256

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d
SHA512

aff041910a6e7cf1ca5011c770eda1790672eef7e36eb2412044b37751786d3a707ab2ca11ccc2adf6dc36244d61364610159530f189512a5d282e96818fdea5
SSDEEP

6144:Qajim2UMkGolvCnITy0LBBL0NKrGWBGk9uhzRs1VQMpLEGBL3cxZo:Qamm2SGolvCFUBLnrGWBZc9qQ5GBbczo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

okip.exe

pid process

3492 okip.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

okip.exe

pid process

3492 okip.exe
3492 okip.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

okip.exe

pid process

3492 okip.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

description pid process

Token: SeSecurityPrivilege 2136 fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

pid	process
3492	okip.exe

pid	process
3492	okip.exe
3492	okip.exe

pid	process
3492	okip.exe

description	pid	process
Token: SeSecurityPrivilege	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exeokip.exe

description	pid	process	target process
PID 2136 wrote to memory of 3492	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	okip.exe
PID 2136 wrote to memory of 3492	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	okip.exe
PID 2136 wrote to memory of 3492	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	okip.exe
PID 3492 wrote to memory of 4292	3492	okip.exe	explorer.exe
PID 3492 wrote to memory of 4292	3492	okip.exe	explorer.exe
PID 3492 wrote to memory of 4292	3492	okip.exe	explorer.exe
PID 2136 wrote to memory of 3172	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe
PID 2136 wrote to memory of 3172	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe
PID 2136 wrote to memory of 3172	2136	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe
"C:\Users\Admin\AppData\Local\Temp\fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Roaming\Exvuq\okip.exe
"C:\Users\Admin\AppData\Roaming\Exvuq\okip.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3d1a05e8.bat"
2⤵
PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3d1a05e8.bat

Filesize
307B

MD5
04d1309e3a6e718a417c8c54e719c8bb

SHA1
6a15dbe25eec214e7b26aafb057dd771f5251485

SHA256
600851c31fce9b6b176a372d6ac805622e8fb24ed97afd685a699fd508bdc34d

SHA512
d83634a713e5acdae92de224aab9ef217db944e094093980b5202fb0ec529de25e56668e9eb9fd5a2403c8d8cc06d342620864f709161f494e28a19c5857b675

Download Submit
C:\Users\Admin\AppData\Roaming\Exvuq\okip.exe

Filesize
351KB

MD5
be6344a5b1f5f69a2a50b4dcc32bc046

SHA1
9c50ee72a6f3df380de7710fcdd943b39fb94b65

SHA256
708de902c8752054dd04136c05d513cafbecf653abfa56ed6769e0606e318a18

SHA512
a371adb827e61f0f3812bdc0064c53b4170b396a1ebe1c29d9e3e38d4422127536386c9fbe2c3b7e8d0754f952f83bf3a8cadcbf61071e5dd19ac08a80dc57f8

Download Submit
C:\Users\Admin\AppData\Roaming\Exvuq\okip.exe

Filesize
351KB

MD5
be6344a5b1f5f69a2a50b4dcc32bc046

SHA1
9c50ee72a6f3df380de7710fcdd943b39fb94b65

SHA256
708de902c8752054dd04136c05d513cafbecf653abfa56ed6769e0606e318a18

SHA512
a371adb827e61f0f3812bdc0064c53b4170b396a1ebe1c29d9e3e38d4422127536386c9fbe2c3b7e8d0754f952f83bf3a8cadcbf61071e5dd19ac08a80dc57f8

Download Submit
memory/2136-132-0x0000000002A30000-0x0000000002AC5000-memory.dmp

Filesize
596KB

Download
memory/2136-133-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3172-142-0x0000000000000000-mapping.dmp

Download
memory/3492-135-0x0000000000000000-mapping.dmp

Download
memory/3492-138-0x0000000002590000-0x0000000002625000-memory.dmp

Filesize
596KB

Download
memory/3492-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4292-141-0x0000000000000000-mapping.dmp

Download
memory/4292-144-0x0000000001100000-0x000000000112C000-memory.dmp

Filesize
176KB

Download