ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b

Analysis

max time kernel
158s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
Size

290KB
MD5

0e2d978295ade9f2ad0c7c86f2b88460
SHA1

91f03d509fd50cb4dc99824992cdcf18b66eb7d6
SHA256

ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b
SHA512

e2aa78e142ae3cf6a8b5a968f2a6c494c3d517303ba7c2f3a39d60cb658a48783cee0d840956380c6921a533ffc1a56221ec1a625f02d2f7adafef77da8d7e18
SSDEEP

6144:YtqsCcx37x7GILKDO5YhewKNTEIDTRuHYAjhWUI:DsdB7+N8V3DTY48I

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4216	olahd.exe
4908	olahd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	olahd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Olahd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Giuran\\olahd.exe"	olahd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 4216 set thread context of 4908	4216	olahd.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe
4908	olahd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2072	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	78
PID 400 wrote to memory of 2072	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	78
PID 400 wrote to memory of 2072	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	78
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 400 wrote to memory of 1656	400	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	79
PID 1656 wrote to memory of 4216	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	80
PID 1656 wrote to memory of 4216	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	80
PID 1656 wrote to memory of 4216	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	80
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 4216 wrote to memory of 4908	4216	olahd.exe	81
PID 1656 wrote to memory of 808	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	82
PID 1656 wrote to memory of 808	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	82
PID 1656 wrote to memory of 808	1656	ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe	82
PID 4908 wrote to memory of 2348	4908	olahd.exe	37
PID 4908 wrote to memory of 2348	4908	olahd.exe	37
PID 4908 wrote to memory of 2348	4908	olahd.exe	37
PID 4908 wrote to memory of 2348	4908	olahd.exe	37
PID 4908 wrote to memory of 2348	4908	olahd.exe	37
PID 4908 wrote to memory of 2360	4908	olahd.exe	71
PID 4908 wrote to memory of 2360	4908	olahd.exe	71
PID 4908 wrote to memory of 2360	4908	olahd.exe	71
PID 4908 wrote to memory of 2360	4908	olahd.exe	71
PID 4908 wrote to memory of 2360	4908	olahd.exe	71
PID 4908 wrote to memory of 2472	4908	olahd.exe	70
PID 4908 wrote to memory of 2472	4908	olahd.exe	70
PID 4908 wrote to memory of 2472	4908	olahd.exe	70
PID 4908 wrote to memory of 2472	4908	olahd.exe	70
PID 4908 wrote to memory of 2472	4908	olahd.exe	70
PID 4908 wrote to memory of 3044	4908	olahd.exe	62
PID 4908 wrote to memory of 3044	4908	olahd.exe	62
PID 4908 wrote to memory of 3044	4908	olahd.exe	62
PID 4908 wrote to memory of 3044	4908	olahd.exe	62
PID 4908 wrote to memory of 3044	4908	olahd.exe	62
PID 4908 wrote to memory of 776	4908	olahd.exe	61
PID 4908 wrote to memory of 776	4908	olahd.exe	61
PID 4908 wrote to memory of 776	4908	olahd.exe	61
PID 4908 wrote to memory of 776	4908	olahd.exe	61
PID 4908 wrote to memory of 776	4908	olahd.exe	61
PID 4908 wrote to memory of 3232	4908	olahd.exe	60
PID 4908 wrote to memory of 3232	4908	olahd.exe	60
PID 4908 wrote to memory of 3232	4908	olahd.exe	60
PID 4908 wrote to memory of 3232	4908	olahd.exe	60
PID 4908 wrote to memory of 3232	4908	olahd.exe	60
PID 4908 wrote to memory of 3328	4908	olahd.exe	59
PID 4908 wrote to memory of 3328	4908	olahd.exe	59
PID 4908 wrote to memory of 3328	4908	olahd.exe	59
PID 4908 wrote to memory of 3328	4908	olahd.exe	59
PID 4908 wrote to memory of 3328	4908	olahd.exe	59
PID 4908 wrote to memory of 3396	4908	olahd.exe	40
PID 4908 wrote to memory of 3396	4908	olahd.exe	40

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:776

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3044
- C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
  "C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
    "C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe"
    3⤵
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe
    "C:\Users\Admin\AppData\Local\Temp\ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe
      "C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OGG7BEB.bat"
      4⤵
      PID:808
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2248

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe

Filesize
290KB

MD5
c180dbbd07774393f08b3431ca19d2d3

SHA1
ded1bd462566a59d1d5e0834dea57046bdba705d

SHA256
b2816f94da4a5541aec827c7a0670c6aa4f925ccf859e18c068762173c63c2a6

SHA512
2a1c692dad7f2269092800cfefc5b57088de18d828b22c8eb418b2883816a526bd157e61551deb15c9c46ad089ab6caa04f2927ce59ef638242f2a3129ae9db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe

Filesize
290KB

MD5
c180dbbd07774393f08b3431ca19d2d3

SHA1
ded1bd462566a59d1d5e0834dea57046bdba705d

SHA256
b2816f94da4a5541aec827c7a0670c6aa4f925ccf859e18c068762173c63c2a6

SHA512
2a1c692dad7f2269092800cfefc5b57088de18d828b22c8eb418b2883816a526bd157e61551deb15c9c46ad089ab6caa04f2927ce59ef638242f2a3129ae9db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Giuran\olahd.exe

Filesize
290KB

MD5
c180dbbd07774393f08b3431ca19d2d3

SHA1
ded1bd462566a59d1d5e0834dea57046bdba705d

SHA256
b2816f94da4a5541aec827c7a0670c6aa4f925ccf859e18c068762173c63c2a6

SHA512
2a1c692dad7f2269092800cfefc5b57088de18d828b22c8eb418b2883816a526bd157e61551deb15c9c46ad089ab6caa04f2927ce59ef638242f2a3129ae9db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGG7BEB.bat

Filesize
278B

MD5
4b9ae5c4c5cb396d52dbca6f7326e22f

SHA1
8f2911465e4e73e8683135ce08a57cd33925e31a

SHA256
331498a18e0e7221c32de97b8313088b1fdb8aa4635f77c8717a9c5e19d64a3e

SHA512
4ee687d407cf83d01a213a52c7b136dfbfe7be99ef69905c96e69fb14f7ca9fabfc8b07a3c1dd37a53c4fe13398b535b31c47d9f4f173758c5f923a96d981173

Download Submit
memory/400-133-0x0000000000E7C000-0x0000000000E81000-memory.dmp

Filesize
20KB

Download
memory/400-134-0x0000000000E7E000-0x0000000000E81000-memory.dmp

Filesize
12KB

Download
memory/400-137-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/400-138-0x0000000000E7E000-0x0000000000E81000-memory.dmp

Filesize
12KB

Download
memory/400-132-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/808-156-0x0000000000E10000-0x0000000000E52000-memory.dmp

Filesize
264KB

Download
memory/1656-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4216-152-0x00000000014C6000-0x00000000014C9000-memory.dmp

Filesize
12KB

Download
memory/4216-151-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/4216-146-0x00000000014C6000-0x00000000014C9000-memory.dmp

Filesize
12KB

Download
memory/4908-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download