8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
Size

138KB
MD5

b2e04c471211884fc800c91ab506abfd
SHA1

3d210a8dcc5a2446ad7c991df47c07189af19998
SHA256

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf
SHA512

5952a5a266f3f523eac4722c2c4e79abbf8a37c192d93474bbb1dc5f1d5432773c77888fabb4207b7dab61ba0c5e4670b6f7c5edd390ea878e29f4462982e474
SSDEEP

3072:KT+x50VJqtHGbu5XCniylWrtGA1GHvGXaCH1Fukp1dZ3wQGN:KT+oGtmiYlW4A1QvGXjBduQGN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vouda.exe

pid process

1600 vouda.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1956 cmd.exe

pid	process
1956	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe

pid	process
864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vouda.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	vouda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CC743FD4-BD60-A740-C6D9-995A659D1391} = "C:\\Users\\Admin\\AppData\\Roaming\\Goemit\\vouda.exe"	vouda.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe

description pid process target process

PID 864 set thread context of 1956 864 8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe cmd.exe

description	pid	process	target process
PID 864 set thread context of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\580D5B5C-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

vouda.exe

pid	process
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe
1600	vouda.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
Token: SeSecurityPrivilege	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
Token: SeSecurityPrivilege	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
Token: SeSecurityPrivilege	1956	cmd.exe
Token: SeManageVolumePrivilege	664	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

664 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

664 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

664 WinMail.exe

pid	process
664	WinMail.exe

pid	process
664	WinMail.exe

pid	process
664	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exevouda.exe

description	pid	process	target process
PID 864 wrote to memory of 1600	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	vouda.exe
PID 864 wrote to memory of 1600	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	vouda.exe
PID 864 wrote to memory of 1600	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	vouda.exe
PID 864 wrote to memory of 1600	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	vouda.exe
PID 1600 wrote to memory of 1216	1600	vouda.exe	taskhost.exe
PID 1600 wrote to memory of 1216	1600	vouda.exe	taskhost.exe
PID 1600 wrote to memory of 1216	1600	vouda.exe	taskhost.exe
PID 1600 wrote to memory of 1216	1600	vouda.exe	taskhost.exe
PID 1600 wrote to memory of 1216	1600	vouda.exe	taskhost.exe
PID 1600 wrote to memory of 1296	1600	vouda.exe	Dwm.exe
PID 1600 wrote to memory of 1296	1600	vouda.exe	Dwm.exe
PID 1600 wrote to memory of 1296	1600	vouda.exe	Dwm.exe
PID 1600 wrote to memory of 1296	1600	vouda.exe	Dwm.exe
PID 1600 wrote to memory of 1296	1600	vouda.exe	Dwm.exe
PID 1600 wrote to memory of 1376	1600	vouda.exe	Explorer.EXE
PID 1600 wrote to memory of 1376	1600	vouda.exe	Explorer.EXE
PID 1600 wrote to memory of 1376	1600	vouda.exe	Explorer.EXE
PID 1600 wrote to memory of 1376	1600	vouda.exe	Explorer.EXE
PID 1600 wrote to memory of 1376	1600	vouda.exe	Explorer.EXE
PID 1600 wrote to memory of 864	1600	vouda.exe	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
PID 1600 wrote to memory of 864	1600	vouda.exe	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
PID 1600 wrote to memory of 864	1600	vouda.exe	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
PID 1600 wrote to memory of 864	1600	vouda.exe	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
PID 1600 wrote to memory of 864	1600	vouda.exe	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 864 wrote to memory of 1956	864	8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe	cmd.exe
PID 1600 wrote to memory of 364	1600	vouda.exe	conhost.exe
PID 1600 wrote to memory of 364	1600	vouda.exe	conhost.exe
PID 1600 wrote to memory of 364	1600	vouda.exe	conhost.exe
PID 1600 wrote to memory of 364	1600	vouda.exe	conhost.exe
PID 1600 wrote to memory of 364	1600	vouda.exe	conhost.exe
PID 1600 wrote to memory of 664	1600	vouda.exe	WinMail.exe
PID 1600 wrote to memory of 664	1600	vouda.exe	WinMail.exe
PID 1600 wrote to memory of 664	1600	vouda.exe	WinMail.exe
PID 1600 wrote to memory of 664	1600	vouda.exe	WinMail.exe
PID 1600 wrote to memory of 664	1600	vouda.exe	WinMail.exe
PID 1600 wrote to memory of 680	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 680	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 680	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 680	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 680	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 1396	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 1396	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 1396	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 1396	1600	vouda.exe	DllHost.exe
PID 1600 wrote to memory of 1396	1600	vouda.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe
"C:\Users\Admin\AppData\Local\Temp\8423a04ca4fc3f10134ca4082ce292fba423b714071013147c12f93a4d379ecf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\Goemit\vouda.exe
"C:\Users\Admin\AppData\Roaming\Goemit\vouda.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp687f4800.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1296

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1501962695182194761788215754314713125137567788301581250091257845821-1936345366"
1⤵
PID:364

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp687f4800.bat

Filesize
307B

MD5
2a15b786a1250400007ca60faadd3858

SHA1
e54c548fde6f322fe449bb123cd8b224fe094c25

SHA256
0a3b20a9f3bd4074ab54e6be58015734795241ed618baa6826f3e74326a4aef5

SHA512
f4db2f7d012c4a86459dc32e958ae41a43155b5a599b0d325f12b19bc2e203c249b1cdf6c810a22519eaae95613f03cfb4b6fd9160d3f5cccbcbed4524f878b6

Download Submit
C:\Users\Admin\AppData\Roaming\Goemit\vouda.exe

Filesize
138KB

MD5
22c4f3a20c28cb248d23cb10acfeb9b1

SHA1
8fad185137b43aaabcc7c6a5561ddb9a970498d0

SHA256
913f928aa72f6c4a409f9ad43790c88503953d62d939813e539a5da515ac1b3b

SHA512
24b2803ddd531aa5a99d121ae2ff947a77c80dd666fb57b5b364b82ae2d105c58f78cbadc3abd3f6dbf9f550f30ca2a3033be0e287c622ea359ad4246c21db3b

Download Submit
C:\Users\Admin\AppData\Roaming\Goemit\vouda.exe

Filesize
138KB

MD5
22c4f3a20c28cb248d23cb10acfeb9b1

SHA1
8fad185137b43aaabcc7c6a5561ddb9a970498d0

SHA256
913f928aa72f6c4a409f9ad43790c88503953d62d939813e539a5da515ac1b3b

SHA512
24b2803ddd531aa5a99d121ae2ff947a77c80dd666fb57b5b364b82ae2d105c58f78cbadc3abd3f6dbf9f550f30ca2a3033be0e287c622ea359ad4246c21db3b

Download Submit
C:\Users\Admin\AppData\Roaming\Ygxa\omav.ebr

Filesize
398B

MD5
faf0e62fd8f170560a7eeed7fca16bc8

SHA1
c446c089eb99ce43d27a3602de227c8286e4a631

SHA256
c2458323f93df838e37bc63e3a060d8a9ab4887c0385f12c8949df26ec218b95

SHA512
277a6eef2602e752963c96ca6af5d28776ee6114757821c2bd9f19f1b829fb05c30009478f98f1484ac2576aed8ad3011e4924b8401a1a258353b3dbf2ad5df8

Download Submit
\Users\Admin\AppData\Roaming\Goemit\vouda.exe

Filesize
138KB

MD5
22c4f3a20c28cb248d23cb10acfeb9b1

SHA1
8fad185137b43aaabcc7c6a5561ddb9a970498d0

SHA256
913f928aa72f6c4a409f9ad43790c88503953d62d939813e539a5da515ac1b3b

SHA512
24b2803ddd531aa5a99d121ae2ff947a77c80dd666fb57b5b364b82ae2d105c58f78cbadc3abd3f6dbf9f550f30ca2a3033be0e287c622ea359ad4246c21db3b

Download Submit
\Users\Admin\AppData\Roaming\Goemit\vouda.exe

Filesize
138KB

MD5
22c4f3a20c28cb248d23cb10acfeb9b1

SHA1
8fad185137b43aaabcc7c6a5561ddb9a970498d0

SHA256
913f928aa72f6c4a409f9ad43790c88503953d62d939813e539a5da515ac1b3b

SHA512
24b2803ddd531aa5a99d121ae2ff947a77c80dd666fb57b5b364b82ae2d105c58f78cbadc3abd3f6dbf9f550f30ca2a3033be0e287c622ea359ad4246c21db3b

Download Submit
memory/364-99-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/364-100-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/364-101-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/364-102-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/664-120-0x0000000003BC0000-0x0000000003BE7000-memory.dmp

Filesize
156KB

Download
memory/664-119-0x0000000003BC0000-0x0000000003BE7000-memory.dmp

Filesize
156KB

Download
memory/664-111-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/664-105-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/664-104-0x000007FEF6701000-0x000007FEF6703000-memory.dmp

Filesize
8KB

Download
memory/664-103-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/664-121-0x0000000003BC0000-0x0000000003BE7000-memory.dmp

Filesize
156KB

Download
memory/664-122-0x0000000003BC0000-0x0000000003BE7000-memory.dmp

Filesize
156KB

Download
memory/680-125-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/680-126-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/864-84-0x00000000024D0000-0x00000000024F7000-memory.dmp

Filesize
156KB

Download
memory/864-82-0x00000000024D0000-0x00000000024F7000-memory.dmp

Filesize
156KB

Download
memory/864-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-85-0x00000000024D0000-0x00000000024F7000-memory.dmp

Filesize
156KB

Download
memory/864-83-0x00000000024D0000-0x00000000024F7000-memory.dmp

Filesize
156KB

Download
memory/864-81-0x00000000024D0000-0x00000000024F7000-memory.dmp

Filesize
156KB

Download
memory/1216-65-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1216-64-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1216-66-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1216-63-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1216-61-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1296-72-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1296-69-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1296-70-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1296-71-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1376-78-0x0000000002760000-0x0000000002787000-memory.dmp

Filesize
156KB

Download
memory/1376-75-0x0000000002760000-0x0000000002787000-memory.dmp

Filesize
156KB

Download
memory/1376-77-0x0000000002760000-0x0000000002787000-memory.dmp

Filesize
156KB

Download
memory/1376-76-0x0000000002760000-0x0000000002787000-memory.dmp

Filesize
156KB

Download
memory/1600-57-0x0000000000000000-mapping.dmp

Download
memory/1956-96-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-94-0x0000000000062CBA-mapping.dmp

Download
memory/1956-93-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-92-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-91-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-88-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-135-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download