d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
Size

306KB
MD5

f3ebfa7620168235291806a159b573ff
SHA1

3dcd61c8efe9a1e4b9eba69da5e288c3103cfb51
SHA256

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a
SHA512

8f191287944d1afd1148a9039068601a5111b4182ef1379b83139c7617a19a3943b7c924d0a5db63d5caab72c2e0cda8f396c7f686dc83ddd86c128bb2e7dcef
SSDEEP

6144:esAAud4378+l4A4qxy/3wyhu1r4/G3MbCr5X79e/cPszxSg:esAIr7SA48UnFOcS5Xac

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ohivtu.exe

pid process

1548 ohivtu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe

pid	process
1952	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

pid	process
1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ohivtu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	ohivtu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ohivtu = "C:\\Users\\Admin\\AppData\\Roaming\\Bajyqu\\ohivtu.exe"	ohivtu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

description	pid	process	target process
PID 1552 set thread context of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ohivtu.exe

pid	process
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe
1548	ohivtu.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exeohivtu.exe

description	pid	process	target process
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1552 wrote to memory of 1548	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	ohivtu.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1132	1548	ohivtu.exe	taskhost.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1188	1548	ohivtu.exe	Dwm.exe
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1220	1548	ohivtu.exe	Explorer.EXE
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1548 wrote to memory of 1552	1548	ohivtu.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
"C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe
"C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\JOLE149.bat"
3⤵
- Deletes itself
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JOLE149.bat

Filesize
303B

MD5
a3c4118897eb7aca8d4caf9b2ff54cdc

SHA1
3ca3a99c30f94c610a797d0423dc3c2ab083aae7

SHA256
18948216818d7b7b13fde4d0cb261b26f1b60095ce633c80c3b9368cc74d51de

SHA512
cbdfd2196c819928a94ef86b7921d455fe4808efee524abc1d335fa2b7fafb976686c80f729d91119f790b7ba639576373e53bcdcdc48fa507fabb1fa80daf1b

Download Submit
C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe

Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
C:\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe

Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe

Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
\Users\Admin\AppData\Roaming\Bajyqu\ohivtu.exe

Filesize
306KB

MD5
c578d37a2304cf33bba2c8d38e27214b

SHA1
f61e57b55a74bf71215f4290f750cc94f7564870

SHA256
1e2a7d01b537f080ab0880125adbc86dfa1bf403390a88a31e66b6df0ff80f57

SHA512
0257a15e0b39145936c3ae4337e69bb059f77657ff1e4b400659fa1ddb9ecb051320cc7df20673d995e1d5f02c2fda071dd5b2958b494e503eeadec5a3ad472a

Download Submit
memory/1132-67-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-69-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-68-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-65-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1188-73-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-74-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-75-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-76-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1220-81-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-82-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-79-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-80-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1548-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1552-85-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-86-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-88-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-87-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-103-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/1552-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1552-56-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1952-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-102-0x0000000000083B6A-mapping.dmp

Download
memory/1952-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1952-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1952-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download