e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf

General

Target

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
Size

284KB
MD5

acea7eb3caa13865ee594bfcb66bc1da
SHA1

a468a0ee8cfee4461c5a1b3badef8694498a03a3
SHA256

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf
SHA512

5644007f846387ed26b6df315184e29663f41e801a1f583ac49d4cee0be190094ff3f3c4ce6e99103e37ab43f4b1f33f12ef7f120b7df2536cb7d47483b2ecc0
SSDEEP

6144:iBKeMQ0Nl6loc090LiQF/rxvoO+rkU7DNU7yKeJ5Ig:n6l490Ws9v27DN2yKeog

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

olluh.exeolluh.exe

pid process

336 olluh.exe
4912 olluh.exe

pid	process
336	olluh.exe
4912	olluh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exeolluh.exe

description	pid	process	target process
PID 4172 set thread context of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 336 set thread context of 4912	336	olluh.exe	olluh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exeolluh.exeolluh.exe

pid	process
4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
336	olluh.exe
336	olluh.exe
4912	olluh.exe
4912	olluh.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

olluh.exe

pid process

4912 olluh.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe

description pid process

Token: SeSecurityPrivilege 3540 e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe

pid	process
4912	olluh.exe

description	pid	process
Token: SeSecurityPrivilege	3540	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exee9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exeolluh.exeolluh.exe

description	pid	process	target process
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 4172 wrote to memory of 3540	4172	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
PID 3540 wrote to memory of 336	3540	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	olluh.exe
PID 3540 wrote to memory of 336	3540	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	olluh.exe
PID 3540 wrote to memory of 336	3540	e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 336 wrote to memory of 4912	336	olluh.exe	olluh.exe
PID 4912 wrote to memory of 3284	4912	olluh.exe	explorer.exe
PID 4912 wrote to memory of 3284	4912	olluh.exe	explorer.exe
PID 4912 wrote to memory of 3284	4912	olluh.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
"C:\Users\Admin\AppData\Local\Temp\e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe
"C:\Users\Admin\AppData\Local\Temp\e9b9f1c3113d9912591ba9391b8a88fd13ee8ef09facc1a688afbf813b1862bf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe
"C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe
"C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe
Filesize
284KB

MD5
d77f9adbb2e49018a3af79a7c4325efe

SHA1
f84be18fe0aa88cca4174819be7d1a4f33e6b375

SHA256
2866994e79572fb153465f7d3941a48473b17b5efae6a0052af204a23c423be3

SHA512
204fda7ec0d817c4b0b9731f19f9ecc551d620ca733a1fada71a951da5351fd8f5a62a67a7b7d568be3bf4be4b68389ac9636b8f7b6df59df8887eb12d0692da

Download Submit
C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe
Filesize
284KB

MD5
d77f9adbb2e49018a3af79a7c4325efe

SHA1
f84be18fe0aa88cca4174819be7d1a4f33e6b375

SHA256
2866994e79572fb153465f7d3941a48473b17b5efae6a0052af204a23c423be3

SHA512
204fda7ec0d817c4b0b9731f19f9ecc551d620ca733a1fada71a951da5351fd8f5a62a67a7b7d568be3bf4be4b68389ac9636b8f7b6df59df8887eb12d0692da

Download Submit
C:\Users\Admin\AppData\Roaming\Gouxu\olluh.exe
Filesize
284KB

MD5
d77f9adbb2e49018a3af79a7c4325efe

SHA1
f84be18fe0aa88cca4174819be7d1a4f33e6b375

SHA256
2866994e79572fb153465f7d3941a48473b17b5efae6a0052af204a23c423be3

SHA512
204fda7ec0d817c4b0b9731f19f9ecc551d620ca733a1fada71a951da5351fd8f5a62a67a7b7d568be3bf4be4b68389ac9636b8f7b6df59df8887eb12d0692da

Download Submit
memory/336-146-0x0000000001FC0000-0x0000000001FED000-memory.dmp

Filesize
180KB

Download
memory/336-140-0x0000000000000000-mapping.dmp

Download
memory/3284-153-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/3284-150-0x0000000000000000-mapping.dmp

Download
memory/3540-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-143-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-132-0x0000000000000000-mapping.dmp

Download
memory/3540-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-151-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3540-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4172-136-0x00000000021E0000-0x000000000220D000-memory.dmp

Filesize
180KB

Download
memory/4912-144-0x0000000000000000-mapping.dmp

Download
memory/4912-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads