b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
Size

138KB
MD5

b7655e9e599df62efb4d96a571b7a7a3
SHA1

7647557b2449c349dc6853649c2f255d38dfe0ee
SHA256

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a
SHA512

574c955265ea0384836334f01f8b33650a649e8655db11608cd415d57690c943f502d4293f484f1322a36aaaf09033979527d6a7b6fd74eb51b87a0b1b6b4fef
SSDEEP

3072:qzB1LZQEduEgsW2UPqxUE84qkC0i50/YXiQXT+t/8XIgfUTaXD3kz1QNc:qzB1L+QHhUPqxUE8qQiQwkXhfUThQm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

omuxm.exe

pid process

1768 omuxm.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1828 cmd.exe

pid	process
1828	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe

pid	process
1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

omuxm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	omuxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F0504851-A490-8B4E-4E3C-2EC686EC55D8} = "C:\\Users\\Admin\\AppData\\Roaming\\Yselli\\omuxm.exe"	omuxm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe

description	pid	process	target process
PID 1676 set thread context of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\69BA7EAD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

omuxm.exe

pid	process
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe
1768	omuxm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
Token: SeSecurityPrivilege	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
Token: SeSecurityPrivilege	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
Token: SeManageVolumePrivilege	988	WinMail.exe
Token: SeSecurityPrivilege	1828	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

988 WinMail.exe

pid	process
988	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exeomuxm.exe

description	pid	process	target process
PID 1676 wrote to memory of 1768	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	omuxm.exe
PID 1676 wrote to memory of 1768	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	omuxm.exe
PID 1676 wrote to memory of 1768	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	omuxm.exe
PID 1676 wrote to memory of 1768	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	omuxm.exe
PID 1768 wrote to memory of 1124	1768	omuxm.exe	taskhost.exe
PID 1768 wrote to memory of 1124	1768	omuxm.exe	taskhost.exe
PID 1768 wrote to memory of 1124	1768	omuxm.exe	taskhost.exe
PID 1768 wrote to memory of 1124	1768	omuxm.exe	taskhost.exe
PID 1768 wrote to memory of 1124	1768	omuxm.exe	taskhost.exe
PID 1768 wrote to memory of 1176	1768	omuxm.exe	Dwm.exe
PID 1768 wrote to memory of 1176	1768	omuxm.exe	Dwm.exe
PID 1768 wrote to memory of 1176	1768	omuxm.exe	Dwm.exe
PID 1768 wrote to memory of 1176	1768	omuxm.exe	Dwm.exe
PID 1768 wrote to memory of 1176	1768	omuxm.exe	Dwm.exe
PID 1768 wrote to memory of 1220	1768	omuxm.exe	Explorer.EXE
PID 1768 wrote to memory of 1220	1768	omuxm.exe	Explorer.EXE
PID 1768 wrote to memory of 1220	1768	omuxm.exe	Explorer.EXE
PID 1768 wrote to memory of 1220	1768	omuxm.exe	Explorer.EXE
PID 1768 wrote to memory of 1220	1768	omuxm.exe	Explorer.EXE
PID 1768 wrote to memory of 1676	1768	omuxm.exe	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
PID 1768 wrote to memory of 1676	1768	omuxm.exe	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
PID 1768 wrote to memory of 1676	1768	omuxm.exe	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
PID 1768 wrote to memory of 1676	1768	omuxm.exe	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
PID 1768 wrote to memory of 1676	1768	omuxm.exe	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
PID 1768 wrote to memory of 988	1768	omuxm.exe	WinMail.exe
PID 1768 wrote to memory of 988	1768	omuxm.exe	WinMail.exe
PID 1768 wrote to memory of 988	1768	omuxm.exe	WinMail.exe
PID 1768 wrote to memory of 988	1768	omuxm.exe	WinMail.exe
PID 1768 wrote to memory of 988	1768	omuxm.exe	WinMail.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1676 wrote to memory of 1828	1676	b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe	cmd.exe
PID 1768 wrote to memory of 1584	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 1584	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 1584	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 1584	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 1584	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 2012	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 2012	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 2012	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 2012	1768	omuxm.exe	DllHost.exe
PID 1768 wrote to memory of 2012	1768	omuxm.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe
"C:\Users\Admin\AppData\Local\Temp\b109c24bb58d7d309d986e9fbb45e248545fb0dbd237c6563a1c674dce19356a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Yselli\omuxm.exe
"C:\Users\Admin\AppData\Roaming\Yselli\omuxm.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp03c53074.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp03c53074.bat

Filesize
307B

MD5
20c8981528ca5a6dcaae22a547f314db

SHA1
2a22fdbea16c0854f426d3e6cea691a65247a994

SHA256
c46e2b37cc6d5329aecff2af7ae5fbf228a6d0583f6bbe13d57453db6b2c4df3

SHA512
af0b2a1b0a9c52d2e9fbb7653bbc935e5ab68d43e94e237d403edd2a5cd59e481212b084500955e52987bc6906b38797469c3b1bb6a2d3f6dc24022f6b27149b

Download Submit
C:\Users\Admin\AppData\Roaming\Bytuod\tugu.ryz

Filesize
398B

MD5
7875f45530157b92df7099e91687bd48

SHA1
2d81617ddc0833a0f11646baff015d5c2252ccc4

SHA256
8184dfc523740353f6c9627d07262d275dd8e5c68e987ce2a2cc6b157c3ca90a

SHA512
9aa18ff2466287d79e0683d9c88622be8b5b185e07ae650a88026e0e28acbc9fad32a1c54ea6dbbe73d7b073a21d35593bf4a9b2c144c896dd54c175c2db864a

Download Submit
C:\Users\Admin\AppData\Roaming\Yselli\omuxm.exe

Filesize
138KB

MD5
475f78e6ff4c34758cff574967cb40a8

SHA1
e136040db00bf88f212d69d07d0fc689a3f005c9

SHA256
2475d08f435a8cb91efd8b5f7e7429cd2a9d6634010e6975e78994f2ead73c7e

SHA512
73edf35f844238a4347348bea22f09a599e1d836d1d1a186fd5ed569fe7269f9bedd74ee5ce77ab030427f3a60346a2bbddf6c4a6deff2a37ca2f4160e72d061

Download Submit
C:\Users\Admin\AppData\Roaming\Yselli\omuxm.exe

Filesize
138KB

MD5
475f78e6ff4c34758cff574967cb40a8

SHA1
e136040db00bf88f212d69d07d0fc689a3f005c9

SHA256
2475d08f435a8cb91efd8b5f7e7429cd2a9d6634010e6975e78994f2ead73c7e

SHA512
73edf35f844238a4347348bea22f09a599e1d836d1d1a186fd5ed569fe7269f9bedd74ee5ce77ab030427f3a60346a2bbddf6c4a6deff2a37ca2f4160e72d061

Download Submit
\Users\Admin\AppData\Roaming\Yselli\omuxm.exe

Filesize
138KB

MD5
475f78e6ff4c34758cff574967cb40a8

SHA1
e136040db00bf88f212d69d07d0fc689a3f005c9

SHA256
2475d08f435a8cb91efd8b5f7e7429cd2a9d6634010e6975e78994f2ead73c7e

SHA512
73edf35f844238a4347348bea22f09a599e1d836d1d1a186fd5ed569fe7269f9bedd74ee5ce77ab030427f3a60346a2bbddf6c4a6deff2a37ca2f4160e72d061

Download Submit
\Users\Admin\AppData\Roaming\Yselli\omuxm.exe

Filesize
138KB

MD5
475f78e6ff4c34758cff574967cb40a8

SHA1
e136040db00bf88f212d69d07d0fc689a3f005c9

SHA256
2475d08f435a8cb91efd8b5f7e7429cd2a9d6634010e6975e78994f2ead73c7e

SHA512
73edf35f844238a4347348bea22f09a599e1d836d1d1a186fd5ed569fe7269f9bedd74ee5ce77ab030427f3a60346a2bbddf6c4a6deff2a37ca2f4160e72d061

Download Submit
memory/988-103-0x0000000003DB0000-0x0000000003DD7000-memory.dmp

Filesize
156KB

Download
memory/988-105-0x0000000003DB0000-0x0000000003DD7000-memory.dmp

Filesize
156KB

Download
memory/988-94-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/988-102-0x0000000003DB0000-0x0000000003DD7000-memory.dmp

Filesize
156KB

Download
memory/988-88-0x0000000001E70000-0x0000000001E80000-memory.dmp

Filesize
64KB

Download
memory/988-87-0x000007FEF6401000-0x000007FEF6403000-memory.dmp

Filesize
8KB

Download
memory/988-86-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/988-104-0x0000000003DB0000-0x0000000003DD7000-memory.dmp

Filesize
156KB

Download
memory/1124-63-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1124-64-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1124-65-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1124-66-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1124-61-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1176-72-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1176-71-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1176-70-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1176-69-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1220-78-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1220-77-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1220-76-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1220-75-0x00000000029B0000-0x00000000029D7000-memory.dmp

Filesize
156KB

Download
memory/1584-121-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1584-120-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1584-122-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1584-123-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1676-84-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1676-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1676-81-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1676-85-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1676-82-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1676-83-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1768-57-0x0000000000000000-mapping.dmp

Download
memory/1828-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-114-0x0000000000066A07-mapping.dmp

Download
memory/1828-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-109-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2012-126-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/2012-127-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download