d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e

General

Target

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
Size

454KB
MD5

9bbc69cd7ea58b96a48245c40d9e34c7
SHA1

1ecacc4eab6eb0eba56d25716ddb72abb04d5d21
SHA256

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e
SHA512

62d50a5134170fdbc7bda42ce14b5bf5afbea512dfb6fcd3564ad24754c6ce708ee30baa76e13bf493a26ec795ccc9b61730503ddacf131e0737ce38bf440502
SSDEEP

6144:QsYXLfUky78BO4cBvkeep6lWVEG6YsMo9SDFxu+f6Eo3ulgm35qaX:B+Ls9hvwp6UVh/4903f7Cub5qaX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ormeag.exe

pid process

1596 ormeag.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

932 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe

pid process

2016 d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe

pid	process
932	cmd.exe

pid	process
2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ormeag.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ormeag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Zera\\ormeag.exe"	ormeag.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe

description pid process target process

PID 2016 set thread context of 932 2016 d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe cmd.exe

description	pid	process	target process
PID 2016 set thread context of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ormeag.exe

pid	process
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe
1596	ormeag.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exeormeag.exe

pid process

2016 d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
1596 ormeag.exe

pid	process
2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
1596	ormeag.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exeormeag.exe

description	pid	process	target process
PID 2016 wrote to memory of 1596	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	ormeag.exe
PID 2016 wrote to memory of 1596	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	ormeag.exe
PID 2016 wrote to memory of 1596	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	ormeag.exe
PID 2016 wrote to memory of 1596	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	ormeag.exe
PID 1596 wrote to memory of 1120	1596	ormeag.exe	taskhost.exe
PID 1596 wrote to memory of 1120	1596	ormeag.exe	taskhost.exe
PID 1596 wrote to memory of 1120	1596	ormeag.exe	taskhost.exe
PID 1596 wrote to memory of 1120	1596	ormeag.exe	taskhost.exe
PID 1596 wrote to memory of 1120	1596	ormeag.exe	taskhost.exe
PID 1596 wrote to memory of 1164	1596	ormeag.exe	Dwm.exe
PID 1596 wrote to memory of 1164	1596	ormeag.exe	Dwm.exe
PID 1596 wrote to memory of 1164	1596	ormeag.exe	Dwm.exe
PID 1596 wrote to memory of 1164	1596	ormeag.exe	Dwm.exe
PID 1596 wrote to memory of 1164	1596	ormeag.exe	Dwm.exe
PID 1596 wrote to memory of 1200	1596	ormeag.exe	Explorer.EXE
PID 1596 wrote to memory of 1200	1596	ormeag.exe	Explorer.EXE
PID 1596 wrote to memory of 1200	1596	ormeag.exe	Explorer.EXE
PID 1596 wrote to memory of 1200	1596	ormeag.exe	Explorer.EXE
PID 1596 wrote to memory of 1200	1596	ormeag.exe	Explorer.EXE
PID 1596 wrote to memory of 2016	1596	ormeag.exe	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
PID 1596 wrote to memory of 2016	1596	ormeag.exe	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
PID 1596 wrote to memory of 2016	1596	ormeag.exe	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
PID 1596 wrote to memory of 2016	1596	ormeag.exe	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
PID 1596 wrote to memory of 2016	1596	ormeag.exe	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe
PID 2016 wrote to memory of 932	2016	d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe
"C:\Users\Admin\AppData\Local\Temp\d52ccc7622d7014895bf80e695a198c46766637c8a5fbe8c37fd3b61cb281a8e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Zera\ormeag.exe
"C:\Users\Admin\AppData\Roaming\Zera\ormeag.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpda70f2a3.bat"
3⤵
- Deletes itself
PID:932

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpda70f2a3.bat
Filesize
307B

MD5
a72ccc406e35caa0ca1d74263f302580

SHA1
c43cf586547a42b4263eec19336b1b9d1f0d5906

SHA256
ab4417672711cd186f53a9a591204424347a131eb6ef2153de13930d60e89299

SHA512
7788b3ff78738175e8aad03ac2039787bae40849355cc2847051285f9a7074e7e4d55c96860b3a994a42d39f3606539ceefe3f559eb606e0b22b61956ae4d538

Download Submit
C:\Users\Admin\AppData\Roaming\Zera\ormeag.exe
Filesize
454KB

MD5
c0592688296050d7dcdfc78e47f3b2b2

SHA1
56a3ae9307ed018bba101f11705c5b2efa91cbf9

SHA256
b6d310089c32d2c052bd803d87f5f2801f1b6f6bb04eef1c16fd969f3ba2cbc8

SHA512
487b813573d0d3d2f8a05efbd96ba3f94a1da7244a8844a6c650844e326959f25b9590a59b0dad65ca4144c487558634b9b355874094cd1b15bfdf7fbbd3a617

Download Submit
C:\Users\Admin\AppData\Roaming\Zera\ormeag.exe
Filesize
454KB

MD5
c0592688296050d7dcdfc78e47f3b2b2

SHA1
56a3ae9307ed018bba101f11705c5b2efa91cbf9

SHA256
b6d310089c32d2c052bd803d87f5f2801f1b6f6bb04eef1c16fd969f3ba2cbc8

SHA512
487b813573d0d3d2f8a05efbd96ba3f94a1da7244a8844a6c650844e326959f25b9590a59b0dad65ca4144c487558634b9b355874094cd1b15bfdf7fbbd3a617

Download Submit
\Users\Admin\AppData\Roaming\Zera\ormeag.exe
Filesize
454KB

MD5
c0592688296050d7dcdfc78e47f3b2b2

SHA1
56a3ae9307ed018bba101f11705c5b2efa91cbf9

SHA256
b6d310089c32d2c052bd803d87f5f2801f1b6f6bb04eef1c16fd969f3ba2cbc8

SHA512
487b813573d0d3d2f8a05efbd96ba3f94a1da7244a8844a6c650844e326959f25b9590a59b0dad65ca4144c487558634b9b355874094cd1b15bfdf7fbbd3a617

Download Submit
memory/932-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/932-97-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/932-108-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/932-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/932-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/932-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/932-100-0x000000000007E967-mapping.dmp

Download
memory/932-95-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/932-99-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/932-98-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1120-67-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1120-62-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1120-66-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1120-65-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1120-64-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1164-71-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/1164-70-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/1164-72-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/1164-73-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/1200-79-0x0000000002670000-0x00000000026BD000-memory.dmp

Filesize
308KB

Download
memory/1200-78-0x0000000002670000-0x00000000026BD000-memory.dmp

Filesize
308KB

Download
memory/1200-77-0x0000000002670000-0x00000000026BD000-memory.dmp

Filesize
308KB

Download
memory/1200-76-0x0000000002670000-0x00000000026BD000-memory.dmp

Filesize
308KB

Download
memory/1596-109-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1596-58-0x0000000000000000-mapping.dmp

Download
memory/1596-89-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/1596-92-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2016-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-86-0x0000000000290000-0x00000000002DD000-memory.dmp

Filesize
308KB

Download
memory/2016-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/2016-87-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2016-101-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-85-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2016-84-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2016-83-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2016-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-82-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads