f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc

General

Target

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
Size

254KB
MD5

134e5e2107b7a64b9d098bedfe64eb40
SHA1

5301b808503aa80dc5cdffe778f648110d6a18ad
SHA256

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc
SHA512

b0be44dc201dc2a10204538109b5feac05cd0af35d53fee3fb91504c9efa4c206489f7004a357a9808e84e0d046547a9bbe5c10889eb7bc5ca6834ed184730c7
SSDEEP

3072:BddKhdgcyetZPShTIzdD32PoNnvPyCXjH4H471I3N0KgCEV5RUsBIJ4CcauqyFJQ:BdCtBKMdiwNnvPyFL3THeQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

oxoh.exeoxoh.exe

pid process

2700 oxoh.exe
4980 oxoh.exe

pid	process
2700	oxoh.exe
4980	oxoh.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oxoh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	oxoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	oxoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tyemh = "C:\\Users\\Admin\\AppData\\Roaming\\Yxne\\oxoh.exe"	oxoh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeoxoh.exe

description	pid	process	target process
PID 1708 set thread context of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 2700 set thread context of 4980	2700	oxoh.exe	oxoh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeoxoh.exeoxoh.exe

pid	process
1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
2700	oxoh.exe
2700	oxoh.exe
2700	oxoh.exe
2700	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe
4980	oxoh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

description	pid	process
Token: SeSecurityPrivilege	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
Token: SeSecurityPrivilege	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exef2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeoxoh.exeoxoh.exe

description	pid	process	target process
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1708 wrote to memory of 1828	1708	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1828 wrote to memory of 2700	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	oxoh.exe
PID 1828 wrote to memory of 2700	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	oxoh.exe
PID 1828 wrote to memory of 2700	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 2700 wrote to memory of 4980	2700	oxoh.exe	oxoh.exe
PID 4980 wrote to memory of 2708	4980	oxoh.exe	sihost.exe
PID 4980 wrote to memory of 2708	4980	oxoh.exe	sihost.exe
PID 4980 wrote to memory of 2708	4980	oxoh.exe	sihost.exe
PID 4980 wrote to memory of 2708	4980	oxoh.exe	sihost.exe
PID 4980 wrote to memory of 2708	4980	oxoh.exe	sihost.exe
PID 4980 wrote to memory of 2728	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 2728	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 2728	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 2728	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 2728	4980	oxoh.exe	svchost.exe
PID 1828 wrote to memory of 1248	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1828 wrote to memory of 1248	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1828 wrote to memory of 1248	1828	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 4980 wrote to memory of 2872	4980	oxoh.exe	taskhostw.exe
PID 4980 wrote to memory of 2872	4980	oxoh.exe	taskhostw.exe
PID 4980 wrote to memory of 2872	4980	oxoh.exe	taskhostw.exe
PID 4980 wrote to memory of 2872	4980	oxoh.exe	taskhostw.exe
PID 4980 wrote to memory of 2872	4980	oxoh.exe	taskhostw.exe
PID 4980 wrote to memory of 376	4980	oxoh.exe	Explorer.EXE
PID 4980 wrote to memory of 376	4980	oxoh.exe	Explorer.EXE
PID 4980 wrote to memory of 376	4980	oxoh.exe	Explorer.EXE
PID 4980 wrote to memory of 376	4980	oxoh.exe	Explorer.EXE
PID 4980 wrote to memory of 376	4980	oxoh.exe	Explorer.EXE
PID 4980 wrote to memory of 3076	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 3076	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 3076	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 3076	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 3076	4980	oxoh.exe	svchost.exe
PID 4980 wrote to memory of 3280	4980	oxoh.exe	DllHost.exe
PID 4980 wrote to memory of 3280	4980	oxoh.exe	DllHost.exe
PID 4980 wrote to memory of 3280	4980	oxoh.exe	DllHost.exe
PID 4980 wrote to memory of 3280	4980	oxoh.exe	DllHost.exe
PID 4980 wrote to memory of 3280	4980	oxoh.exe	DllHost.exe
PID 4980 wrote to memory of 3376	4980	oxoh.exe	StartMenuExperienceHost.exe
PID 4980 wrote to memory of 3376	4980	oxoh.exe	StartMenuExperienceHost.exe
PID 4980 wrote to memory of 3376	4980	oxoh.exe	StartMenuExperienceHost.exe
PID 4980 wrote to memory of 3376	4980	oxoh.exe	StartMenuExperienceHost.exe
PID 4980 wrote to memory of 3376	4980	oxoh.exe	StartMenuExperienceHost.exe
PID 4980 wrote to memory of 3444	4980	oxoh.exe	RuntimeBroker.exe
PID 4980 wrote to memory of 3444	4980	oxoh.exe	RuntimeBroker.exe
PID 4980 wrote to memory of 3444	4980	oxoh.exe	RuntimeBroker.exe
PID 4980 wrote to memory of 3444	4980	oxoh.exe	RuntimeBroker.exe
PID 4980 wrote to memory of 3444	4980	oxoh.exe	RuntimeBroker.exe
PID 4980 wrote to memory of 3536	4980	oxoh.exe	SearchApp.exe
PID 4980 wrote to memory of 3536	4980	oxoh.exe	SearchApp.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2728

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
"C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
"C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe
"C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe
"C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp15ac3eb7.bat"
4⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15ac3eb7.bat
Filesize
307B

MD5
e71d54a2fa24e3e3d384ef4351f20e76

SHA1
2c57bcba877738a43edea30fc4febbacc1152320

SHA256
e56221c10e2d499c2e8faa472df93ed500a89a0b285c129b40614eca50e2a2aa

SHA512
e14a2dde704e109d8d4a0fe3b2537ac0e68af3cf8ecda7152e02596bd9d8f32773d49160dd3245fc59565005fa2cc189392b522016c1437c89daf64341f06757

Download Submit
C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe
Filesize
254KB

MD5
beb262fd526fea683612c752eed30bbd

SHA1
c83cf4a198442500303ab4c28ff482e851490bc4

SHA256
8fd74fb7bea061cbe0a3194de9da549d7ab9ae80f17638360940ea5263cec081

SHA512
590e9bd99ac9a4edb617635ff564653bb35ea5968542d3251196dffa62775485ad30d2595423ab266aa9170ef3fa594a407a6d80dc3afa59b5d52d4ee0ea33ac

Download Submit
C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe
Filesize
254KB

MD5
beb262fd526fea683612c752eed30bbd

SHA1
c83cf4a198442500303ab4c28ff482e851490bc4

SHA256
8fd74fb7bea061cbe0a3194de9da549d7ab9ae80f17638360940ea5263cec081

SHA512
590e9bd99ac9a4edb617635ff564653bb35ea5968542d3251196dffa62775485ad30d2595423ab266aa9170ef3fa594a407a6d80dc3afa59b5d52d4ee0ea33ac

Download Submit
C:\Users\Admin\AppData\Roaming\Yxne\oxoh.exe
Filesize
254KB

MD5
beb262fd526fea683612c752eed30bbd

SHA1
c83cf4a198442500303ab4c28ff482e851490bc4

SHA256
8fd74fb7bea061cbe0a3194de9da549d7ab9ae80f17638360940ea5263cec081

SHA512
590e9bd99ac9a4edb617635ff564653bb35ea5968542d3251196dffa62775485ad30d2595423ab266aa9170ef3fa594a407a6d80dc3afa59b5d52d4ee0ea33ac

Download Submit
memory/1248-144-0x0000000000000000-mapping.dmp

Download
memory/1248-147-0x0000000001050000-0x000000000108B000-memory.dmp

Filesize
236KB

Download
memory/1828-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1828-132-0x0000000000000000-mapping.dmp

Download
memory/1828-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1828-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-135-0x0000000000000000-mapping.dmp

Download
memory/4980-139-0x0000000000000000-mapping.dmp

Download
memory/4980-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4980-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads