936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c

Analysis

max time kernel
205s
max time network
269s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
Size

270KB
MD5

b3a76e5fbec66b688634bf9fcfc772b8
SHA1

f20b911329c0b2598622125026b36ac26192f351
SHA256

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c
SHA512

a05e16c0e1ebebeefcbf12ffe636851b52fa4edc3c87d71d4366435f86b440954709a0add0d50dede17e1e6329b88290ca5b3e06f16769ba309dae88183b9033
SSDEEP

6144:TtjpoIzqvoArlO+Bei92/pWTxq/fnx7GDrRcJIcxyCq0hzfb:Bcvo8LVq/PERcHxywb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ogjuij.exe

pid process

664 ogjuij.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

936 cmd.exe

pid	process
936	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe

pid	process
916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ogjuij.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	ogjuij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Otof\\ogjuij.exe"	ogjuij.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe

description pid process target process

PID 916 set thread context of 936 916 936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe cmd.exe

description	pid	process	target process
PID 916 set thread context of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ogjuij.exe

pid	process
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe
664	ogjuij.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exeogjuij.exe

pid process

916 936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
664 ogjuij.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exeogjuij.exe

description	pid	process	target process
PID 916 wrote to memory of 664	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	ogjuij.exe
PID 916 wrote to memory of 664	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	ogjuij.exe
PID 916 wrote to memory of 664	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	ogjuij.exe
PID 916 wrote to memory of 664	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	ogjuij.exe
PID 664 wrote to memory of 1116	664	ogjuij.exe	taskhost.exe
PID 664 wrote to memory of 1116	664	ogjuij.exe	taskhost.exe
PID 664 wrote to memory of 1116	664	ogjuij.exe	taskhost.exe
PID 664 wrote to memory of 1116	664	ogjuij.exe	taskhost.exe
PID 664 wrote to memory of 1116	664	ogjuij.exe	taskhost.exe
PID 664 wrote to memory of 1188	664	ogjuij.exe	Dwm.exe
PID 664 wrote to memory of 1188	664	ogjuij.exe	Dwm.exe
PID 664 wrote to memory of 1188	664	ogjuij.exe	Dwm.exe
PID 664 wrote to memory of 1188	664	ogjuij.exe	Dwm.exe
PID 664 wrote to memory of 1188	664	ogjuij.exe	Dwm.exe
PID 664 wrote to memory of 1276	664	ogjuij.exe	Explorer.EXE
PID 664 wrote to memory of 1276	664	ogjuij.exe	Explorer.EXE
PID 664 wrote to memory of 1276	664	ogjuij.exe	Explorer.EXE
PID 664 wrote to memory of 1276	664	ogjuij.exe	Explorer.EXE
PID 664 wrote to memory of 1276	664	ogjuij.exe	Explorer.EXE
PID 664 wrote to memory of 916	664	ogjuij.exe	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
PID 664 wrote to memory of 916	664	ogjuij.exe	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
PID 664 wrote to memory of 916	664	ogjuij.exe	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
PID 664 wrote to memory of 916	664	ogjuij.exe	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
PID 664 wrote to memory of 916	664	ogjuij.exe	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe
PID 916 wrote to memory of 936	916	936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe
"C:\Users\Admin\AppData\Local\Temp\936492d66e50d3968be242ead680f1c875df9887e936863db32766d523e9090c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Roaming\Otof\ogjuij.exe
"C:\Users\Admin\AppData\Roaming\Otof\ogjuij.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp122bc17a.bat"
3⤵
- Deletes itself
PID:936

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp122bc17a.bat

Filesize
307B

MD5
9bace9a5a724e2d59a7174c32056bdda

SHA1
58c983d2461117a3f77de4e642f4c9df2a5e7fc3

SHA256
ea4ba1bab4d9031707affe33db24ad716dd31a7a3437feeeb10189306b77fda9

SHA512
de1c47d04f21799760ef29c893df289c62927eeb4d3708118a2f79009e826015712325184ac844ff5b1454c7c0e3d568c2cf036bfbddb9d02a2ab4fc81a4ff70

Download Submit
C:\Users\Admin\AppData\Roaming\Otof\ogjuij.exe

Filesize
270KB

MD5
7f6d30b90c88e8ae7f340d9045ccda89

SHA1
2e6c4d404c564618c1d89e25e2505db407bbb137

SHA256
a80b92f4515b6814d87651b9f288c417bfec206d91ecc2af0286b8ecbd6ebc68

SHA512
3e7588e6dd95083df8bd778deab7c88baa67382501f60f65c052df393f7d64c2348d654617e373c30d9c95684d19b8deeee658d3c967633bd2ad792822a34461

Download Submit
C:\Users\Admin\AppData\Roaming\Otof\ogjuij.exe

Filesize
270KB

MD5
7f6d30b90c88e8ae7f340d9045ccda89

SHA1
2e6c4d404c564618c1d89e25e2505db407bbb137

SHA256
a80b92f4515b6814d87651b9f288c417bfec206d91ecc2af0286b8ecbd6ebc68

SHA512
3e7588e6dd95083df8bd778deab7c88baa67382501f60f65c052df393f7d64c2348d654617e373c30d9c95684d19b8deeee658d3c967633bd2ad792822a34461

Download Submit
\Users\Admin\AppData\Roaming\Otof\ogjuij.exe

Filesize
270KB

MD5
7f6d30b90c88e8ae7f340d9045ccda89

SHA1
2e6c4d404c564618c1d89e25e2505db407bbb137

SHA256
a80b92f4515b6814d87651b9f288c417bfec206d91ecc2af0286b8ecbd6ebc68

SHA512
3e7588e6dd95083df8bd778deab7c88baa67382501f60f65c052df393f7d64c2348d654617e373c30d9c95684d19b8deeee658d3c967633bd2ad792822a34461

Download Submit
\Users\Admin\AppData\Roaming\Otof\ogjuij.exe

Filesize
270KB

MD5
7f6d30b90c88e8ae7f340d9045ccda89

SHA1
2e6c4d404c564618c1d89e25e2505db407bbb137

SHA256
a80b92f4515b6814d87651b9f288c417bfec206d91ecc2af0286b8ecbd6ebc68

SHA512
3e7588e6dd95083df8bd778deab7c88baa67382501f60f65c052df393f7d64c2348d654617e373c30d9c95684d19b8deeee658d3c967633bd2ad792822a34461

Download Submit
memory/664-95-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/664-112-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/664-94-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/664-63-0x0000000000000000-mapping.dmp

Download
memory/664-93-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/664-111-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/916-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-96-0x0000000001E10000-0x0000000001E56000-memory.dmp

Filesize
280KB

Download
memory/916-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-109-0x0000000001E10000-0x0000000001E52000-memory.dmp

Filesize
264KB

Download
memory/916-55-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/916-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-60-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/916-89-0x0000000001E10000-0x0000000001E52000-memory.dmp

Filesize
264KB

Download
memory/916-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/916-58-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/916-59-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/916-92-0x0000000001E10000-0x0000000001E56000-memory.dmp

Filesize
280KB

Download
memory/916-91-0x0000000001E10000-0x0000000001E56000-memory.dmp

Filesize
280KB

Download
memory/916-90-0x0000000001E10000-0x0000000001E52000-memory.dmp

Filesize
264KB

Download
memory/916-87-0x0000000001E10000-0x0000000001E52000-memory.dmp

Filesize
264KB

Download
memory/916-88-0x0000000001E10000-0x0000000001E52000-memory.dmp

Filesize
264KB

Download
memory/936-102-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/936-104-0x000000000005E4C8-mapping.dmp

Download
memory/936-110-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/936-99-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/936-106-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/936-101-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/936-103-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1116-70-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/1116-71-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/1116-72-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/1116-69-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/1116-67-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/1188-78-0x00000000001D0000-0x0000000000212000-memory.dmp

Filesize
264KB

Download
memory/1188-75-0x00000000001D0000-0x0000000000212000-memory.dmp

Filesize
264KB

Download
memory/1188-76-0x00000000001D0000-0x0000000000212000-memory.dmp

Filesize
264KB

Download
memory/1188-77-0x00000000001D0000-0x0000000000212000-memory.dmp

Filesize
264KB

Download
memory/1276-84-0x00000000029C0000-0x0000000002A02000-memory.dmp

Filesize
264KB

Download
memory/1276-81-0x00000000029C0000-0x0000000002A02000-memory.dmp

Filesize
264KB

Download
memory/1276-82-0x00000000029C0000-0x0000000002A02000-memory.dmp

Filesize
264KB

Download
memory/1276-83-0x00000000029C0000-0x0000000002A02000-memory.dmp

Filesize
264KB

Download