61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa

General

Target

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
Size

329KB
MD5

cb0b8c27a0a6ee62b87cc27294ac3b74
SHA1

171e180505476e4b309c4314f596f6903ee845c3
SHA256

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa
SHA512

e0ee2c150c1d90155dc9d7d27ce53db56bff578966bec7fa626b66d1c502766dff695181a29097f6bfd092d460e0a9ae8f4e6ce4903b01829ed46087f0cc380f
SSDEEP

6144:BtEV7FUg+iyUXe2ZsD9eBVtQRlc12iVkIFzA9TLSDoC3FHvKHM4n4:BaVFQiym920jcc1f9U9XS335vHN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ocodo.exe

pid process

1496 ocodo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

740 cmd.exe

pid	process
740	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe

pid	process
1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ocodo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ocodo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Uppa\\ocodo.exe"	ocodo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe

description pid process target process

PID 1416 set thread context of 740 1416 61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe cmd.exe

description	pid	process	target process
PID 1416 set thread context of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ocodo.exe

pid	process
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe
1496	ocodo.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exeocodo.exe

pid process

1416 61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
1496 ocodo.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exeocodo.exe

description	pid	process	target process
PID 1416 wrote to memory of 1496	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	ocodo.exe
PID 1416 wrote to memory of 1496	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	ocodo.exe
PID 1416 wrote to memory of 1496	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	ocodo.exe
PID 1416 wrote to memory of 1496	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	ocodo.exe
PID 1496 wrote to memory of 1132	1496	ocodo.exe	taskhost.exe
PID 1496 wrote to memory of 1132	1496	ocodo.exe	taskhost.exe
PID 1496 wrote to memory of 1132	1496	ocodo.exe	taskhost.exe
PID 1496 wrote to memory of 1132	1496	ocodo.exe	taskhost.exe
PID 1496 wrote to memory of 1132	1496	ocodo.exe	taskhost.exe
PID 1496 wrote to memory of 1236	1496	ocodo.exe	Dwm.exe
PID 1496 wrote to memory of 1236	1496	ocodo.exe	Dwm.exe
PID 1496 wrote to memory of 1236	1496	ocodo.exe	Dwm.exe
PID 1496 wrote to memory of 1236	1496	ocodo.exe	Dwm.exe
PID 1496 wrote to memory of 1236	1496	ocodo.exe	Dwm.exe
PID 1496 wrote to memory of 1276	1496	ocodo.exe	Explorer.EXE
PID 1496 wrote to memory of 1276	1496	ocodo.exe	Explorer.EXE
PID 1496 wrote to memory of 1276	1496	ocodo.exe	Explorer.EXE
PID 1496 wrote to memory of 1276	1496	ocodo.exe	Explorer.EXE
PID 1496 wrote to memory of 1276	1496	ocodo.exe	Explorer.EXE
PID 1496 wrote to memory of 1416	1496	ocodo.exe	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
PID 1496 wrote to memory of 1416	1496	ocodo.exe	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
PID 1496 wrote to memory of 1416	1496	ocodo.exe	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
PID 1496 wrote to memory of 1416	1496	ocodo.exe	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
PID 1496 wrote to memory of 1416	1496	ocodo.exe	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe
PID 1416 wrote to memory of 740	1416	61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe
"C:\Users\Admin\AppData\Local\Temp\61553495507bc4dfa2dfc44ecb01351f98893085a209a1f834c9ae80a29745aa.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\Uppa\ocodo.exe
"C:\Users\Admin\AppData\Roaming\Uppa\ocodo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7dac7c0d.bat"
3⤵
- Deletes itself
PID:740

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7dac7c0d.bat

Filesize
307B

MD5
7abdcddcf82a7adadd6b6c27ef730925

SHA1
2a3c47002e8612c4d91251ce1c6ed2946f015ee0

SHA256
ba633773c383b74dd51b6e406c5aa048469e4dc43ef85790fd548443e6d8b11c

SHA512
4e103ecc20180f85a246f48165105f9930e92583399bfb60f90f3642f86df1aeb3670657fd5e2006e9bac00fce61f7b043ad7dca0421b05e347d9c8d45c631ab

Download Submit
C:\Users\Admin\AppData\Roaming\Uppa\ocodo.exe

Filesize
329KB

MD5
673d50a5334623353f9ecb221bacb264

SHA1
68d4673fd567d4a15bddfab08aa64cff22279bd7

SHA256
cc84b9e281517a7b93bf309a0e0944225c033e1cf62420731c6241af4e7a3622

SHA512
16d6a68e3fd8953392f68b50ee21dc4b284db2979050e329a13f4ce9569fc4917294f59a436d7aca760e04d9ad8471231ffcc35e33c78c1e62a250ca5b788b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Uppa\ocodo.exe

Filesize
329KB

MD5
673d50a5334623353f9ecb221bacb264

SHA1
68d4673fd567d4a15bddfab08aa64cff22279bd7

SHA256
cc84b9e281517a7b93bf309a0e0944225c033e1cf62420731c6241af4e7a3622

SHA512
16d6a68e3fd8953392f68b50ee21dc4b284db2979050e329a13f4ce9569fc4917294f59a436d7aca760e04d9ad8471231ffcc35e33c78c1e62a250ca5b788b5a

Download Submit
\Users\Admin\AppData\Roaming\Uppa\ocodo.exe

Filesize
329KB

MD5
673d50a5334623353f9ecb221bacb264

SHA1
68d4673fd567d4a15bddfab08aa64cff22279bd7

SHA256
cc84b9e281517a7b93bf309a0e0944225c033e1cf62420731c6241af4e7a3622

SHA512
16d6a68e3fd8953392f68b50ee21dc4b284db2979050e329a13f4ce9569fc4917294f59a436d7aca760e04d9ad8471231ffcc35e33c78c1e62a250ca5b788b5a

Download Submit
\Users\Admin\AppData\Roaming\Uppa\ocodo.exe

Filesize
329KB

MD5
673d50a5334623353f9ecb221bacb264

SHA1
68d4673fd567d4a15bddfab08aa64cff22279bd7

SHA256
cc84b9e281517a7b93bf309a0e0944225c033e1cf62420731c6241af4e7a3622

SHA512
16d6a68e3fd8953392f68b50ee21dc4b284db2979050e329a13f4ce9569fc4917294f59a436d7aca760e04d9ad8471231ffcc35e33c78c1e62a250ca5b788b5a

Download Submit
memory/740-100-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/740-97-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/740-99-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/740-101-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/740-102-0x00000000002071E6-mapping.dmp

Download
memory/740-107-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1132-69-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1132-71-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1236-74-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-75-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-76-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1236-77-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1276-80-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-81-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-82-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-83-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1416-93-0x0000000001E10000-0x0000000001E65000-memory.dmp

Filesize
340KB

Download
memory/1416-58-0x0000000000380000-0x00000000003D5000-memory.dmp

Filesize
340KB

Download
memory/1416-88-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1416-89-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1416-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-104-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1416-86-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1416-94-0x0000000001E10000-0x0000000001E65000-memory.dmp

Filesize
340KB

Download
memory/1416-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1416-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-59-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1416-57-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1416-87-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1496-62-0x0000000000000000-mapping.dmp

Download
memory/1496-92-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1496-91-0x0000000000380000-0x00000000003D5000-memory.dmp

Filesize
340KB

Download
memory/1496-90-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads