d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a

General

Target

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
Size

306KB
MD5

f3ebfa7620168235291806a159b573ff
SHA1

3dcd61c8efe9a1e4b9eba69da5e288c3103cfb51
SHA256

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a
SHA512

8f191287944d1afd1148a9039068601a5111b4182ef1379b83139c7617a19a3943b7c924d0a5db63d5caab72c2e0cda8f396c7f686dc83ddd86c128bb2e7dcef
SSDEEP

6144:esAAud4378+l4A4qxy/3wyhu1r4/G3MbCr5X79e/cPszxSg:esAIr7SA48UnFOcS5Xac

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ohivtu.exe

pid process

1548 ohivtu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe

pid	process
1952	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

pid	process
1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ohivtu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	ohivtu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ohivtu = "C:\\Users\\Admin\\AppData\\Roaming\\Bajyqu\\ohivtu.exe"	ohivtu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

description	pid	process	target process
PID 1552 set thread context of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ohivtu.exe

pid	process
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exeohivtu.exe

description	pid	process	target process
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
"C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
"C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\JOLE149.bat"
3⤵
- Deletes itself
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JOLE149.bat
Filesize
303B

MD5
a3c4118897eb7aca8d4caf9b2ff54cdc

SHA1
3ca3a99c30f94c610a797d0423dc3c2ab083aae7

SHA256
18948216818d7b7b13fde4d0cb261b26f1b60095ce633c80c3b9368cc74d51de

SHA512
cbdfd2196c819928a94ef86b7921d455fe4808efee524abc1d335fa2b7fafb976686c80f729d91119f790b7ba639576373e53bcdcdc48fa507fabb1fa80daf1b

Download Submit
C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
memory/1132-67-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-69-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-68-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-65-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1188-73-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-74-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-75-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-76-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1220-81-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-82-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-79-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-80-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1548-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1552-85-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-86-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-88-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-87-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-103-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1552-56-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1952-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-102-0x0000000000083B6A-mapping.dmp

Download
memory/1952-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads