739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac

Analysis

max time kernel
152s
max time network
181s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
Size

429KB
MD5

08ef62033515e5036d20fb851ed5028c
SHA1

39a4276cde4368f377de8796f11fd2135a9ab7a5
SHA256

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac
SHA512

3f7da0b9c49f6d5931f063b65f77287c252655cdd59621715aa5af472453bcae617f2fadb1a1036cbc4e1f497421b285e096bab5e836fea2cdee182722acf120
SSDEEP

6144:WD+UC5zn42swT2E47RMEpWzIiRojL6xLsVz6xkY72wcqOYFQWhBdqMXBrwUbWpyU:WU4JJrrWzXOLBR6eYiC2G7pBrdbpx8f

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rusiaq.exe

pid process

1328 rusiaq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1052 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe

pid process

1276 739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe

pid	process
1052	cmd.exe

pid	process
1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rusiaq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	rusiaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rusiaq = "C:\\Users\\Admin\\AppData\\Roaming\\Oxpau\\rusiaq.exe"	rusiaq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe

description	pid	process	target process
PID 1276 set thread context of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

rusiaq.exe

pid	process
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe
1328	rusiaq.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exerusiaq.exe

description	pid	process	target process
PID 1276 wrote to memory of 1328	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	rusiaq.exe
PID 1276 wrote to memory of 1328	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	rusiaq.exe
PID 1276 wrote to memory of 1328	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	rusiaq.exe
PID 1276 wrote to memory of 1328	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	rusiaq.exe
PID 1328 wrote to memory of 1128	1328	rusiaq.exe	taskhost.exe
PID 1328 wrote to memory of 1128	1328	rusiaq.exe	taskhost.exe
PID 1328 wrote to memory of 1128	1328	rusiaq.exe	taskhost.exe
PID 1328 wrote to memory of 1128	1328	rusiaq.exe	taskhost.exe
PID 1328 wrote to memory of 1128	1328	rusiaq.exe	taskhost.exe
PID 1328 wrote to memory of 1228	1328	rusiaq.exe	Dwm.exe
PID 1328 wrote to memory of 1228	1328	rusiaq.exe	Dwm.exe
PID 1328 wrote to memory of 1228	1328	rusiaq.exe	Dwm.exe
PID 1328 wrote to memory of 1228	1328	rusiaq.exe	Dwm.exe
PID 1328 wrote to memory of 1228	1328	rusiaq.exe	Dwm.exe
PID 1328 wrote to memory of 1284	1328	rusiaq.exe	Explorer.EXE
PID 1328 wrote to memory of 1284	1328	rusiaq.exe	Explorer.EXE
PID 1328 wrote to memory of 1284	1328	rusiaq.exe	Explorer.EXE
PID 1328 wrote to memory of 1284	1328	rusiaq.exe	Explorer.EXE
PID 1328 wrote to memory of 1284	1328	rusiaq.exe	Explorer.EXE
PID 1328 wrote to memory of 1276	1328	rusiaq.exe	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
PID 1328 wrote to memory of 1276	1328	rusiaq.exe	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
PID 1328 wrote to memory of 1276	1328	rusiaq.exe	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
PID 1328 wrote to memory of 1276	1328	rusiaq.exe	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
PID 1328 wrote to memory of 1276	1328	rusiaq.exe	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1276 wrote to memory of 1052	1276	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe
PID 1328 wrote to memory of 1704	1328	rusiaq.exe	conhost.exe
PID 1328 wrote to memory of 1704	1328	rusiaq.exe	conhost.exe
PID 1328 wrote to memory of 1704	1328	rusiaq.exe	conhost.exe
PID 1328 wrote to memory of 1704	1328	rusiaq.exe	conhost.exe
PID 1328 wrote to memory of 1704	1328	rusiaq.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
"C:\Users\Admin\AppData\Local\Temp\739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\Oxpau\rusiaq.exe
"C:\Users\Admin\AppData\Roaming\Oxpau\rusiaq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PQU2C6D.bat"
3⤵
- Deletes itself
PID:1052

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3185065791019767970276524364-1188788571090347361-1546130460-127592662-1344977730"
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PQU2C6D.bat

Filesize
303B

MD5
2a63def4f74c57fa161a49319f2c585d

SHA1
14d9651e237609af6eb03dcc6d9c3b995231be2a

SHA256
280414d21257d82a5166bb65dd837ea13ee942c4e2774c0b6b75d086e2d79a08

SHA512
1d7fe0676c44986f0ac67cc26055aa0358ab4f252806e25b68d65680007315f55d610823f239ac7856d84aa9cd5d8465359b773c254bb7083889984a26e68224

Download Submit
C:\Users\Admin\AppData\Roaming\Oxpau\rusiaq.exe

Filesize
429KB

MD5
78332628132ecf1ac20e2ba9800a5414

SHA1
15950137ec073b0e42f2f2111455efcc481c53a4

SHA256
6d33101eef97573824113a587ba7f08b36e603dda9389971fcbc051eed2579fd

SHA512
e0361295fe47ddc87763898e748bd5d2d6ff8df8544513f7e4f0282767e7faf72ad2a999e7bdefdbcdc659fc36f2b67d8a8a8f27bf4cc19a83cebfaa853943f1

Download Submit
C:\Users\Admin\AppData\Roaming\Oxpau\rusiaq.exe

Filesize
429KB

MD5
78332628132ecf1ac20e2ba9800a5414

SHA1
15950137ec073b0e42f2f2111455efcc481c53a4

SHA256
6d33101eef97573824113a587ba7f08b36e603dda9389971fcbc051eed2579fd

SHA512
e0361295fe47ddc87763898e748bd5d2d6ff8df8544513f7e4f0282767e7faf72ad2a999e7bdefdbcdc659fc36f2b67d8a8a8f27bf4cc19a83cebfaa853943f1

Download Submit
\Users\Admin\AppData\Roaming\Oxpau\rusiaq.exe

Filesize
429KB

MD5
78332628132ecf1ac20e2ba9800a5414

SHA1
15950137ec073b0e42f2f2111455efcc481c53a4

SHA256
6d33101eef97573824113a587ba7f08b36e603dda9389971fcbc051eed2579fd

SHA512
e0361295fe47ddc87763898e748bd5d2d6ff8df8544513f7e4f0282767e7faf72ad2a999e7bdefdbcdc659fc36f2b67d8a8a8f27bf4cc19a83cebfaa853943f1

Download Submit
memory/1052-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1052-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-114-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1052-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1052-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1052-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1052-103-0x0000000000074F98-mapping.dmp

Download
memory/1052-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1128-69-0x0000000001E10000-0x0000000001E59000-memory.dmp

Filesize
292KB

Download
memory/1128-71-0x0000000001E10000-0x0000000001E59000-memory.dmp

Filesize
292KB

Download
memory/1128-70-0x0000000001E10000-0x0000000001E59000-memory.dmp

Filesize
292KB

Download
memory/1128-68-0x0000000001E10000-0x0000000001E59000-memory.dmp

Filesize
292KB

Download
memory/1128-64-0x0000000001E10000-0x0000000001E59000-memory.dmp

Filesize
292KB

Download
memory/1228-76-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1228-77-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1228-74-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1228-75-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1276-89-0x0000000002BC0000-0x0000000002C09000-memory.dmp

Filesize
292KB

Download
memory/1276-86-0x0000000002BC0000-0x0000000002C09000-memory.dmp

Filesize
292KB

Download
memory/1276-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-88-0x0000000002BC0000-0x0000000002C09000-memory.dmp

Filesize
292KB

Download
memory/1276-87-0x0000000002BC0000-0x0000000002C09000-memory.dmp

Filesize
292KB

Download
memory/1276-63-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1276-55-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1276-105-0x0000000002BC0000-0x0000000002C09000-memory.dmp

Filesize
292KB

Download
memory/1276-104-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1276-56-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1276-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1276-62-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1284-80-0x00000000029A0000-0x00000000029E9000-memory.dmp

Filesize
292KB

Download
memory/1284-81-0x00000000029A0000-0x00000000029E9000-memory.dmp

Filesize
292KB

Download
memory/1284-82-0x00000000029A0000-0x00000000029E9000-memory.dmp

Filesize
292KB

Download
memory/1284-83-0x00000000029A0000-0x00000000029E9000-memory.dmp

Filesize
292KB

Download
memory/1328-58-0x0000000000000000-mapping.dmp

Download
memory/1328-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1328-67-0x00000000028A0000-0x0000000002CA0000-memory.dmp

Filesize
4.0MB

Download
memory/1328-121-0x00000000028A0000-0x0000000002CA0000-memory.dmp

Filesize
4.0MB

Download
memory/1704-117-0x0000000001AA0000-0x0000000001AE9000-memory.dmp

Filesize
292KB

Download
memory/1704-118-0x0000000001AA0000-0x0000000001AE9000-memory.dmp

Filesize
292KB

Download
memory/1704-119-0x0000000001AA0000-0x0000000001AE9000-memory.dmp

Filesize
292KB

Download
memory/1704-120-0x0000000001AA0000-0x0000000001AE9000-memory.dmp

Filesize
292KB

Download