350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da

Analysis

max time kernel
41s
max time network
57s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
Size

1.4MB
MD5

5baa9158268baf72cff4b6680f6b6f15
SHA1

31dc9d7e1b2a40b69973709e14ff96575648915e
SHA256

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da
SHA512

cd0fc497ee8632263ed0f54150e766a88109fd5e226c6353b1b478ebc5c7b30a0282cfe4bb8357696c16dec6cada05f287322d4ae720ff88f5e3dbd5b9f506d9
SSDEEP

24576:QlbJbJRM9+zDmidLD8/xK7tHyQNBBeOs/k580WAwY9UymmLU7Gd4E4:Qlb6Im8ogtyQLIB4qTBG2E4

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

description ioc process

File created C:\WINDOWS\SysWOW64\drivers\OOEYnL.sys 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\drivers\OOEYnL.sys	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ficjs\ImagePath = "\\??\\C:\\WINDOWS\\system32\\drivers\\OOEYnL.sys"	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1852-55-0x0000000019140000-0x0000000019474000-memory.dmp	vmprotect
behavioral1/memory/1852-56-0x0000000019140000-0x0000000019474000-memory.dmp	vmprotect
behavioral1/memory/1852-58-0x0000000019140000-0x0000000019474000-memory.dmp	vmprotect
behavioral1/memory/1852-59-0x0000000019140000-0x0000000019474000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

pid	process
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

pid process

1852 350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

description	pid	process
Token: SeDebugPrivilege	1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
Token: SeLoadDriverPrivilege	1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

pid	process
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
1852	350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe

C:\Users\Admin\AppData\Local\Temp\350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe
"C:\Users\Admin\AppData\Local\Temp\350b8f96d63f6258919c583985b5a3d603b98859a359e1b3844f928e185e56da.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1852-55-0x0000000019140000-0x0000000019474000-memory.dmp

Filesize
3.2MB

Download
memory/1852-56-0x0000000019140000-0x0000000019474000-memory.dmp

Filesize
3.2MB

Download
memory/1852-58-0x0000000019140000-0x0000000019474000-memory.dmp

Filesize
3.2MB

Download
memory/1852-59-0x0000000019140000-0x0000000019474000-memory.dmp

Filesize
3.2MB

Download
memory/1852-60-0x0000000072210000-0x0000000072301000-memory.dmp

Filesize
964KB

Download