739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac

General

Target

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
Size

429KB
MD5

08ef62033515e5036d20fb851ed5028c
SHA1

39a4276cde4368f377de8796f11fd2135a9ab7a5
SHA256

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac
SHA512

3f7da0b9c49f6d5931f063b65f77287c252655cdd59621715aa5af472453bcae617f2fadb1a1036cbc4e1f497421b285e096bab5e836fea2cdee182722acf120
SSDEEP

6144:WD+UC5zn42swT2E47RMEpWzIiRojL6xLsVz6xkY72wcqOYFQWhBdqMXBrwUbWpyU:WU4JJrrWzXOLBR6eYiC2G7pBrdbpx8f

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ohcev.exe

pid process

2964 ohcev.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ohcev.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	ohcev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ohcev = "C:\\Users\\Admin\\AppData\\Roaming\\Ujoc\\ohcev.exe"	ohcev.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe

description	pid	process	target process
PID 1652 set thread context of 3860	1652	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ohcev.exe

pid	process
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe
2964	ohcev.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exeohcev.exe

description	pid	process	target process
PID 1652 wrote to memory of 2964	1652	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	ohcev.exe
PID 1652 wrote to memory of 2964	1652	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	ohcev.exe
PID 1652 wrote to memory of 2964	1652	739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe	ohcev.exe
PID 2964 wrote to memory of 2464	2964	ohcev.exe	sihost.exe
PID 2964 wrote to memory of 2464	2964	ohcev.exe	sihost.exe
PID 2964 wrote to memory of 2464	2964	ohcev.exe	sihost.exe
PID 2964 wrote to memory of 2464	2964	ohcev.exe	sihost.exe
PID 2964 wrote to memory of 2464	2964	ohcev.exe	sihost.exe
PID 2964 wrote to memory of 2476	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 2476	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 2476	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 2476	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 2476	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 2556	2964	ohcev.exe	taskhostw.exe
PID 2964 wrote to memory of 2556	2964	ohcev.exe	taskhostw.exe
PID 2964 wrote to memory of 2556	2964	ohcev.exe	taskhostw.exe
PID 2964 wrote to memory of 2556	2964	ohcev.exe	taskhostw.exe
PID 2964 wrote to memory of 2556	2964	ohcev.exe	taskhostw.exe
PID 2964 wrote to memory of 2616	2964	ohcev.exe	Explorer.EXE
PID 2964 wrote to memory of 2616	2964	ohcev.exe	Explorer.EXE
PID 2964 wrote to memory of 2616	2964	ohcev.exe	Explorer.EXE
PID 2964 wrote to memory of 2616	2964	ohcev.exe	Explorer.EXE
PID 2964 wrote to memory of 2616	2964	ohcev.exe	Explorer.EXE
PID 2964 wrote to memory of 3060	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 3060	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 3060	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 3060	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 3060	2964	ohcev.exe	svchost.exe
PID 2964 wrote to memory of 3256	2964	ohcev.exe	DllHost.exe
PID 2964 wrote to memory of 3256	2964	ohcev.exe	DllHost.exe
PID 2964 wrote to memory of 3256	2964	ohcev.exe	DllHost.exe
PID 2964 wrote to memory of 3256	2964	ohcev.exe	DllHost.exe
PID 2964 wrote to memory of 3256	2964	ohcev.exe	DllHost.exe
PID 2964 wrote to memory of 3352	2964	ohcev.exe	StartMenuExperienceHost.exe
PID 2964 wrote to memory of 3352	2964	ohcev.exe	StartMenuExperienceHost.exe
PID 2964 wrote to memory of 3352	2964	ohcev.exe	StartMenuExperienceHost.exe
PID 2964 wrote to memory of 3352	2964	ohcev.exe	StartMenuExperienceHost.exe
PID 2964 wrote to memory of 3352	2964	ohcev.exe	StartMenuExperienceHost.exe
PID 2964 wrote to memory of 3424	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3424	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3424	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3424	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3424	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3512	2964	ohcev.exe	SearchApp.exe
PID 2964 wrote to memory of 3512	2964	ohcev.exe	SearchApp.exe
PID 2964 wrote to memory of 3512	2964	ohcev.exe	SearchApp.exe
PID 2964 wrote to memory of 3512	2964	ohcev.exe	SearchApp.exe
PID 2964 wrote to memory of 3512	2964	ohcev.exe	SearchApp.exe
PID 2964 wrote to memory of 3664	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3664	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3664	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3664	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 3664	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4512	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4512	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4512	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4512	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4512	2964	ohcev.exe	RuntimeBroker.exe
PID 2964 wrote to memory of 4992	2964	ohcev.exe	backgroundTaskHost.exe
PID 2964 wrote to memory of 4992	2964	ohcev.exe	backgroundTaskHost.exe
PID 2964 wrote to memory of 4992	2964	ohcev.exe	backgroundTaskHost.exe
PID 2964 wrote to memory of 4992	2964	ohcev.exe	backgroundTaskHost.exe
PID 2964 wrote to memory of 4992	2964	ohcev.exe	backgroundTaskHost.exe
PID 2964 wrote to memory of 4980	2964	ohcev.exe	backgroundTaskHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe
"C:\Users\Admin\AppData\Local\Temp\739003fabfa0179bc5d607489bbf79d20a984993a31721fcc9fafefff4010cac.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Roaming\Ujoc\ohcev.exe
"C:\Users\Admin\AppData\Roaming\Ujoc\ohcev.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BNDB6DC.bat"
3⤵
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4656

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4512

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2476

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4980

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4716

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5112

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2608

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BNDB6DC.bat

Filesize
303B

MD5
d4a5568001cd0df145eb7fd186e2bb0b

SHA1
8cd2b7a4d4456f77eed2ea465387ce05876f51a9

SHA256
9fd21579c7a9bed21350fc40ad42b58cc17bacba9ae7370a2d75c6f6a93fcccf

SHA512
086a0a3db9acccf599eb4c9bb1db036350cac86c57e107bf2745391d890b65c15726ca7b85c4d530549f09a64b4fb79ba09fd4cdbf94a50920a6a002681f9fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Ujoc\ohcev.exe

Filesize
429KB

MD5
1c71e7281eaa5fe6e88288bac680e6ac

SHA1
300bb88c3873a437a6c2879173d6aa74699385f6

SHA256
e755cd6160be5296e82400a3b24d148a52153e72fae332e1d663848314a57d63

SHA512
7dbb84e171c17f494fe68942652d5807aab17eaf0dd5c248213657f18e146cec175243dd12601016b08d27766f3db9c514412a1fd9e650f76f9b02abde379bbe

Download Submit
C:\Users\Admin\AppData\Roaming\Ujoc\ohcev.exe

Filesize
429KB

MD5
1c71e7281eaa5fe6e88288bac680e6ac

SHA1
300bb88c3873a437a6c2879173d6aa74699385f6

SHA256
e755cd6160be5296e82400a3b24d148a52153e72fae332e1d663848314a57d63

SHA512
7dbb84e171c17f494fe68942652d5807aab17eaf0dd5c248213657f18e146cec175243dd12601016b08d27766f3db9c514412a1fd9e650f76f9b02abde379bbe

Download Submit
memory/1652-134-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1652-133-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/1652-138-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/1652-149-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/1652-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-150-0x00000000026A0000-0x00000000026E9000-memory.dmp

Filesize
292KB

Download
memory/1652-132-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/2964-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2964-135-0x0000000000000000-mapping.dmp

Download
memory/2964-148-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/2964-160-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/3860-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-146-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/3860-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-158-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/3860-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3860-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads