c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55

General

Target

c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
Size

296KB
MD5

bb760a406a419ca138d5ce6ce94e1658
SHA1

b4142b06b5d3ad1ee9e0cadc5ad165c14bc416b5
SHA256

c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55
SHA512

4570b9f45127c8d75dc7f2433c36b114101c5b76f5485c0595ca209b38dc7ca90a81bf828b4246d84d5749d1a707ae6f22223453dc83e8ddc8da8d4455e5e31e
SSDEEP

6144:F7eH4vkz9VX/XCpprDXza2GQwIpJV/g/S0XgBfIaB2:deH4yPY5DDa27wIPBgDXgpI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

oxkook.exe

pid process

4936 oxkook.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oxkook.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	oxkook.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxkook = "C:\\Users\\Admin\\AppData\\Roaming\\Igcyi\\oxkook.exe"	oxkook.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe

description	pid	process	target process
PID 2548 set thread context of 1772	2548	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

oxkook.exe

pid	process
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe
4936	oxkook.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exeoxkook.exe

description	pid	process	target process
PID 2548 wrote to memory of 4936	2548	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe	oxkook.exe
PID 2548 wrote to memory of 4936	2548	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe	oxkook.exe
PID 2548 wrote to memory of 4936	2548	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe	oxkook.exe
PID 4936 wrote to memory of 2740	4936	oxkook.exe	sihost.exe
PID 4936 wrote to memory of 2740	4936	oxkook.exe	sihost.exe
PID 4936 wrote to memory of 2740	4936	oxkook.exe	sihost.exe
PID 4936 wrote to memory of 2740	4936	oxkook.exe	sihost.exe
PID 4936 wrote to memory of 2740	4936	oxkook.exe	sihost.exe
PID 4936 wrote to memory of 2784	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 2784	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 2784	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 2784	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 2784	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 2880	4936	oxkook.exe	taskhostw.exe
PID 4936 wrote to memory of 2880	4936	oxkook.exe	taskhostw.exe
PID 4936 wrote to memory of 2880	4936	oxkook.exe	taskhostw.exe
PID 4936 wrote to memory of 2880	4936	oxkook.exe	taskhostw.exe
PID 4936 wrote to memory of 2880	4936	oxkook.exe	taskhostw.exe
PID 4936 wrote to memory of 2416	4936	oxkook.exe	Explorer.EXE
PID 4936 wrote to memory of 2416	4936	oxkook.exe	Explorer.EXE
PID 4936 wrote to memory of 2416	4936	oxkook.exe	Explorer.EXE
PID 4936 wrote to memory of 2416	4936	oxkook.exe	Explorer.EXE
PID 4936 wrote to memory of 2416	4936	oxkook.exe	Explorer.EXE
PID 4936 wrote to memory of 3100	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 3100	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 3100	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 3100	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 3100	4936	oxkook.exe	svchost.exe
PID 4936 wrote to memory of 3288	4936	oxkook.exe	DllHost.exe
PID 4936 wrote to memory of 3288	4936	oxkook.exe	DllHost.exe
PID 4936 wrote to memory of 3288	4936	oxkook.exe	DllHost.exe
PID 4936 wrote to memory of 3288	4936	oxkook.exe	DllHost.exe
PID 4936 wrote to memory of 3288	4936	oxkook.exe	DllHost.exe
PID 4936 wrote to memory of 3380	4936	oxkook.exe	StartMenuExperienceHost.exe
PID 4936 wrote to memory of 3380	4936	oxkook.exe	StartMenuExperienceHost.exe
PID 4936 wrote to memory of 3380	4936	oxkook.exe	StartMenuExperienceHost.exe
PID 4936 wrote to memory of 3380	4936	oxkook.exe	StartMenuExperienceHost.exe
PID 4936 wrote to memory of 3380	4936	oxkook.exe	StartMenuExperienceHost.exe
PID 4936 wrote to memory of 3448	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3448	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3448	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3448	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3448	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3536	4936	oxkook.exe	SearchApp.exe
PID 4936 wrote to memory of 3536	4936	oxkook.exe	SearchApp.exe
PID 4936 wrote to memory of 3536	4936	oxkook.exe	SearchApp.exe
PID 4936 wrote to memory of 3536	4936	oxkook.exe	SearchApp.exe
PID 4936 wrote to memory of 3536	4936	oxkook.exe	SearchApp.exe
PID 4936 wrote to memory of 3700	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3700	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3700	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3700	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 3700	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 4624	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 4624	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 4624	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 4624	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 4624	4936	oxkook.exe	RuntimeBroker.exe
PID 4936 wrote to memory of 2548	4936	oxkook.exe	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
PID 4936 wrote to memory of 2548	4936	oxkook.exe	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
PID 4936 wrote to memory of 2548	4936	oxkook.exe	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
PID 4936 wrote to memory of 2548	4936	oxkook.exe	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
PID 4936 wrote to memory of 2548	4936	oxkook.exe	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
PID 2548 wrote to memory of 1772	2548	c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe
"C:\Users\Admin\AppData\Local\Temp\c675a2ab7056196156c101cbe24426465f40236915a7884405b9c69953762d55.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Roaming\Igcyi\oxkook.exe
"C:\Users\Admin\AppData\Roaming\Igcyi\oxkook.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ILGB000.bat"
3⤵
PID:1772

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2784

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ILGB000.bat
Filesize
303B

MD5
10a8c18288e30302b7db35c2a7355d79

SHA1
478e0381f5f997a279011a2af2cb56af37ca769b

SHA256
dfbbab7aeee2187b15b72f13a5c44045193f83b25205aef78710492a0c2ff8c7

SHA512
05eef08d96ff3cd7be3e07006a3f54531771f8ada39559950888448ca586fb1290547091ecc1c69481bb52e6a54a8635d0629c30b7d7ea864463658b0482c8de

Download Submit
C:\Users\Admin\AppData\Roaming\Igcyi\oxkook.exe
Filesize
296KB

MD5
ed5f3b23d30655d55b1a8e1fb6e221e8

SHA1
0bd8b386ee877a80599b4b7deebc24d4780c3a0c

SHA256
a106aea8323ae532ae52872c86182fceb64cf96284d497cde77c6e0cbe41e5cf

SHA512
132be46a6469f9967d5d47bd77add3d15ac93c97afe9070c2e93a9180482dafbffab0975aca8d5f10d5e3d41e71843878d5ebd44acaba4c294daf9610e0ef3d9

Download Submit
C:\Users\Admin\AppData\Roaming\Igcyi\oxkook.exe
Filesize
296KB

MD5
ed5f3b23d30655d55b1a8e1fb6e221e8

SHA1
0bd8b386ee877a80599b4b7deebc24d4780c3a0c

SHA256
a106aea8323ae532ae52872c86182fceb64cf96284d497cde77c6e0cbe41e5cf

SHA512
132be46a6469f9967d5d47bd77add3d15ac93c97afe9070c2e93a9180482dafbffab0975aca8d5f10d5e3d41e71843878d5ebd44acaba4c294daf9610e0ef3d9

Download Submit
memory/1772-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-157-0x0000000000740000-0x0000000000789000-memory.dmp

Filesize
292KB

Download
memory/1772-155-0x0000000000740000-0x0000000000789000-memory.dmp

Filesize
292KB

Download
memory/1772-147-0x0000000000740000-0x0000000000789000-memory.dmp

Filesize
292KB

Download
memory/1772-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-146-0x0000000000000000-mapping.dmp

Download
memory/2548-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-145-0x0000000000AA0000-0x0000000000AE9000-memory.dmp

Filesize
292KB

Download
memory/2548-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2548-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2548-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/4936-137-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4936-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads