3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060

Analysis

max time kernel
250s
max time network
343s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
Size

310KB
MD5

4e16f3c39ec491402cf455e96144c580
SHA1

7cd58b772bda2d3691d5e4cce75f47301ca968bf
SHA256

3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060
SHA512

22662ff313949d8e63df04f49ec35180dd21a0b472e20f22055dae9e9c7755140d271f1a9be96e63be001c123a0a542b96597c93c7a89353a38ad71162f03854
SSDEEP

6144:jObgMHaMXcvfB2uue87LpH0NHyMd9RGX/zPTKVgIx:jEdcXN27lH0NSMd9gXaJx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ogol.exe

pid process

760 ogol.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

680 cmd.exe

pid	process
680	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe

pid	process
540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ogol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	ogol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ogol = "C:\\Users\\Admin\\AppData\\Roaming\\Ygsy\\ogol.exe"	ogol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe

description pid process target process

PID 540 set thread context of 680 540 3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe cmd.exe

description	pid	process	target process
PID 540 set thread context of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ogol.exe

pid	process
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe
760	ogol.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exeogol.exe

description	pid	process	target process
PID 540 wrote to memory of 760	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	ogol.exe
PID 540 wrote to memory of 760	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	ogol.exe
PID 540 wrote to memory of 760	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	ogol.exe
PID 540 wrote to memory of 760	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	ogol.exe
PID 760 wrote to memory of 1120	760	ogol.exe	taskhost.exe
PID 760 wrote to memory of 1120	760	ogol.exe	taskhost.exe
PID 760 wrote to memory of 1120	760	ogol.exe	taskhost.exe
PID 760 wrote to memory of 1120	760	ogol.exe	taskhost.exe
PID 760 wrote to memory of 1120	760	ogol.exe	taskhost.exe
PID 760 wrote to memory of 1220	760	ogol.exe	Dwm.exe
PID 760 wrote to memory of 1220	760	ogol.exe	Dwm.exe
PID 760 wrote to memory of 1220	760	ogol.exe	Dwm.exe
PID 760 wrote to memory of 1220	760	ogol.exe	Dwm.exe
PID 760 wrote to memory of 1220	760	ogol.exe	Dwm.exe
PID 760 wrote to memory of 1268	760	ogol.exe	Explorer.EXE
PID 760 wrote to memory of 1268	760	ogol.exe	Explorer.EXE
PID 760 wrote to memory of 1268	760	ogol.exe	Explorer.EXE
PID 760 wrote to memory of 1268	760	ogol.exe	Explorer.EXE
PID 760 wrote to memory of 1268	760	ogol.exe	Explorer.EXE
PID 760 wrote to memory of 540	760	ogol.exe	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
PID 760 wrote to memory of 540	760	ogol.exe	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
PID 760 wrote to memory of 540	760	ogol.exe	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
PID 760 wrote to memory of 540	760	ogol.exe	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
PID 760 wrote to memory of 540	760	ogol.exe	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 540 wrote to memory of 680	540	3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe	cmd.exe
PID 760 wrote to memory of 1084	760	ogol.exe	conhost.exe
PID 760 wrote to memory of 1084	760	ogol.exe	conhost.exe
PID 760 wrote to memory of 1084	760	ogol.exe	conhost.exe
PID 760 wrote to memory of 1084	760	ogol.exe	conhost.exe
PID 760 wrote to memory of 1084	760	ogol.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe
"C:\Users\Admin\AppData\Local\Temp\3dc5db5a9d6fa078a6e790ac490c478ac024722ffbbcf906bffedebd10853060.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Roaming\Ygsy\ogol.exe
"C:\Users\Admin\AppData\Roaming\Ygsy\ogol.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PKJEC24.bat"
3⤵
- Deletes itself
PID:680

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14940505631944034461-119122327422666176-746627954-1186659599651802995481442006"
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PKJEC24.bat

Filesize
303B

MD5
838fb1ab8c00a1adfcdefb7788366595

SHA1
7bae45093155e65fc61fa229bda98f17d439cdb7

SHA256
c7aca40fbe216dc055af1ad6d46c12157c03373dba74a3a2b4cbbdc63a083768

SHA512
63d8597eac8b8858d05cca060607ff93fa538e96bf0ae3f65ca52be76a1466bed2be9f9662bafbed18fe9ffbbebffb632776d69b36e35831efd491896f0257e9

Download Submit
C:\Users\Admin\AppData\Roaming\Ygsy\ogol.exe

Filesize
310KB

MD5
964e7efe032714b7166a27baa7162b35

SHA1
b30637e50752d713232cf8a8c0bacf0afc02028b

SHA256
d2c448f11a0a69735028cb624a0ff9f897413f49cad21b2044f0eee7841f8208

SHA512
6b24dba6d823e815bac72399c9e537d58ce0c1f5c337dda4df0453dce55db7b087309bb138ade2bd86c872fc6107dc37023f4b22f8942ea14c647c74cd651971

Download Submit
C:\Users\Admin\AppData\Roaming\Ygsy\ogol.exe

Filesize
310KB

MD5
964e7efe032714b7166a27baa7162b35

SHA1
b30637e50752d713232cf8a8c0bacf0afc02028b

SHA256
d2c448f11a0a69735028cb624a0ff9f897413f49cad21b2044f0eee7841f8208

SHA512
6b24dba6d823e815bac72399c9e537d58ce0c1f5c337dda4df0453dce55db7b087309bb138ade2bd86c872fc6107dc37023f4b22f8942ea14c647c74cd651971

Download Submit
\Users\Admin\AppData\Roaming\Ygsy\ogol.exe

Filesize
310KB

MD5
964e7efe032714b7166a27baa7162b35

SHA1
b30637e50752d713232cf8a8c0bacf0afc02028b

SHA256
d2c448f11a0a69735028cb624a0ff9f897413f49cad21b2044f0eee7841f8208

SHA512
6b24dba6d823e815bac72399c9e537d58ce0c1f5c337dda4df0453dce55db7b087309bb138ade2bd86c872fc6107dc37023f4b22f8942ea14c647c74cd651971

Download Submit
\Users\Admin\AppData\Roaming\Ygsy\ogol.exe

Filesize
310KB

MD5
964e7efe032714b7166a27baa7162b35

SHA1
b30637e50752d713232cf8a8c0bacf0afc02028b

SHA256
d2c448f11a0a69735028cb624a0ff9f897413f49cad21b2044f0eee7841f8208

SHA512
6b24dba6d823e815bac72399c9e537d58ce0c1f5c337dda4df0453dce55db7b087309bb138ade2bd86c872fc6107dc37023f4b22f8942ea14c647c74cd651971

Download Submit
memory/540-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/540-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-54-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/540-85-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/540-95-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/540-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-56-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/540-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-88-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/540-87-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/540-86-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/680-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-120-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/680-112-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/680-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/680-103-0x0000000000082ED8-mapping.dmp

Download
memory/680-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/680-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/680-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/680-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/760-59-0x0000000000000000-mapping.dmp

Download
memory/760-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1084-115-0x0000000001B30000-0x0000000001B79000-memory.dmp

Filesize
292KB

Download
memory/1084-118-0x0000000001B30000-0x0000000001B79000-memory.dmp

Filesize
292KB

Download
memory/1084-117-0x0000000001B30000-0x0000000001B79000-memory.dmp

Filesize
292KB

Download
memory/1084-116-0x0000000001B30000-0x0000000001B79000-memory.dmp

Filesize
292KB

Download
memory/1120-67-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1220-75-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1220-76-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1220-74-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1220-73-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1268-80-0x0000000002A10000-0x0000000002A59000-memory.dmp

Filesize
292KB

Download
memory/1268-81-0x0000000002A10000-0x0000000002A59000-memory.dmp

Filesize
292KB

Download
memory/1268-79-0x0000000002A10000-0x0000000002A59000-memory.dmp

Filesize
292KB

Download
memory/1268-82-0x0000000002A10000-0x0000000002A59000-memory.dmp

Filesize
292KB

Download