2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937

General

Target

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
Size

391KB
MD5

8d075f98d22c930bd92b5d9f01899fe6
SHA1

b38a61958617c13bcdca9956e05b4cf5b1ca6dc2
SHA256

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937
SHA512

3a684bcbb084b3c77b934f9411ab59f4fa0000f407f2fa3b9b39cf8acdcdfe3873da7231f7ef8f50574746517e34427e756b806db24d61a1122759a274c98dc9
SSDEEP

6144:XAmQQ7/pjykp5+BV8EAEKd1vgmFv6KZf7iMcQCJwvAynaN0mHU766t2EUHEm1:XZ7/RpsV8EAXIc66fa+AyI07dikC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ojrieb.exeojrieb.exeojrieb.exe

pid process

4192 ojrieb.exe
1128 ojrieb.exe
1456 ojrieb.exe

pid	process
4192	ojrieb.exe
1128	ojrieb.exe
1456	ojrieb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ojrieb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	ojrieb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ojrieb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ehmye\\ojrieb.exe"	ojrieb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exeojrieb.exe

description	pid	process	target process
PID 4828 set thread context of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4192 set thread context of 1456	4192	ojrieb.exe	ojrieb.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exeojrieb.exe

pid	process
3408	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
3408	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe
1456	ojrieb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exeojrieb.exeojrieb.exe

description	pid	process	target process
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 4828 wrote to memory of 3408	4828	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 3408 wrote to memory of 4192	3408	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	ojrieb.exe
PID 3408 wrote to memory of 4192	3408	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	ojrieb.exe
PID 3408 wrote to memory of 4192	3408	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	ojrieb.exe
PID 4192 wrote to memory of 1128	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1128	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1128	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 4192 wrote to memory of 1456	4192	ojrieb.exe	ojrieb.exe
PID 1456 wrote to memory of 2360	1456	ojrieb.exe	sihost.exe
PID 1456 wrote to memory of 2360	1456	ojrieb.exe	sihost.exe
PID 1456 wrote to memory of 2360	1456	ojrieb.exe	sihost.exe
PID 1456 wrote to memory of 2360	1456	ojrieb.exe	sihost.exe
PID 1456 wrote to memory of 2360	1456	ojrieb.exe	sihost.exe
PID 1456 wrote to memory of 2380	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 2380	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 2380	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 2380	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 2380	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 2488	1456	ojrieb.exe	taskhostw.exe
PID 1456 wrote to memory of 2488	1456	ojrieb.exe	taskhostw.exe
PID 1456 wrote to memory of 2488	1456	ojrieb.exe	taskhostw.exe
PID 1456 wrote to memory of 2488	1456	ojrieb.exe	taskhostw.exe
PID 1456 wrote to memory of 2488	1456	ojrieb.exe	taskhostw.exe
PID 1456 wrote to memory of 2976	1456	ojrieb.exe	Explorer.EXE
PID 1456 wrote to memory of 2976	1456	ojrieb.exe	Explorer.EXE
PID 1456 wrote to memory of 2976	1456	ojrieb.exe	Explorer.EXE
PID 1456 wrote to memory of 2976	1456	ojrieb.exe	Explorer.EXE
PID 1456 wrote to memory of 2976	1456	ojrieb.exe	Explorer.EXE
PID 1456 wrote to memory of 3180	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 3180	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 3180	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 3180	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 3180	1456	ojrieb.exe	svchost.exe
PID 1456 wrote to memory of 3392	1456	ojrieb.exe	DllHost.exe
PID 1456 wrote to memory of 3392	1456	ojrieb.exe	DllHost.exe
PID 1456 wrote to memory of 3392	1456	ojrieb.exe	DllHost.exe
PID 1456 wrote to memory of 3392	1456	ojrieb.exe	DllHost.exe
PID 1456 wrote to memory of 3392	1456	ojrieb.exe	DllHost.exe
PID 1456 wrote to memory of 3492	1456	ojrieb.exe	StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3492	1456	ojrieb.exe	StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3492	1456	ojrieb.exe	StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3492	1456	ojrieb.exe	StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3492	1456	ojrieb.exe	StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3560	1456	ojrieb.exe	RuntimeBroker.exe
PID 1456 wrote to memory of 3560	1456	ojrieb.exe	RuntimeBroker.exe
PID 1456 wrote to memory of 3560	1456	ojrieb.exe	RuntimeBroker.exe
PID 1456 wrote to memory of 3560	1456	ojrieb.exe	RuntimeBroker.exe
PID 1456 wrote to memory of 3560	1456	ojrieb.exe	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
"C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
"C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
"C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
"C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe"
5⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
"C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TIH30A9.bat"
4⤵
PID:1148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
Filesize
391KB

MD5
fc40d25af66afbae9f7908fa8e4c59f4

SHA1
c95ea5910b858a46e1b92d53473c8b571198d9e4

SHA256
4fef83c52754b3c9b63ab4a370fdcd4cd08409b29cd5e41f098b2fb944994f46

SHA512
9c7d87a05c6f04958310aa43a4f8b30bb467390c0f132baf01185ad19a7f42d3cf51bad58d823cbdff37908bc0d5cc9b22fb2819678abc963203b7296a6f4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
Filesize
391KB

MD5
fc40d25af66afbae9f7908fa8e4c59f4

SHA1
c95ea5910b858a46e1b92d53473c8b571198d9e4

SHA256
4fef83c52754b3c9b63ab4a370fdcd4cd08409b29cd5e41f098b2fb944994f46

SHA512
9c7d87a05c6f04958310aa43a4f8b30bb467390c0f132baf01185ad19a7f42d3cf51bad58d823cbdff37908bc0d5cc9b22fb2819678abc963203b7296a6f4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
Filesize
391KB

MD5
fc40d25af66afbae9f7908fa8e4c59f4

SHA1
c95ea5910b858a46e1b92d53473c8b571198d9e4

SHA256
4fef83c52754b3c9b63ab4a370fdcd4cd08409b29cd5e41f098b2fb944994f46

SHA512
9c7d87a05c6f04958310aa43a4f8b30bb467390c0f132baf01185ad19a7f42d3cf51bad58d823cbdff37908bc0d5cc9b22fb2819678abc963203b7296a6f4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ehmye\ojrieb.exe
Filesize
391KB

MD5
fc40d25af66afbae9f7908fa8e4c59f4

SHA1
c95ea5910b858a46e1b92d53473c8b571198d9e4

SHA256
4fef83c52754b3c9b63ab4a370fdcd4cd08409b29cd5e41f098b2fb944994f46

SHA512
9c7d87a05c6f04958310aa43a4f8b30bb467390c0f132baf01185ad19a7f42d3cf51bad58d823cbdff37908bc0d5cc9b22fb2819678abc963203b7296a6f4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIH30A9.bat
Filesize
284B

MD5
df646d407520752af226155b941d0070

SHA1
33a319bf97be720b375f05f64f0193c622645ed5

SHA256
d3e9a7ebd678ff519864e4decf177528f6ea7b56fc8e9ddd69ec147a4bffd0bb

SHA512
0252a91d78d3790fe6ab83c342de18bf66ac7ed78de20ec25e7a468e17a05cdc5995897dab79e4d348c46d8b36b680b990336f8db13dc17c7474ee333ec9d98d

Download Submit
memory/1148-166-0x0000000001000000-0x0000000001042000-memory.dmp

Filesize
264KB

Download
memory/1148-162-0x0000000000000000-mapping.dmp

Download
memory/1456-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-149-0x0000000000000000-mapping.dmp

Download
memory/3408-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-134-0x0000000000000000-mapping.dmp

Download
memory/3408-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-164-0x0000000003160000-0x00000000031A2000-memory.dmp

Filesize
264KB

Download
memory/3408-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-163-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-161-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-160-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-159-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-158-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4192-144-0x0000000000000000-mapping.dmp

Download
memory/4192-154-0x00000000010B7000-0x00000000010BA000-memory.dmp

Filesize
12KB

Download
memory/4192-153-0x0000000073CB0000-0x0000000074261000-memory.dmp

Filesize
5.7MB

Download
memory/4192-147-0x00000000010B7000-0x00000000010BC000-memory.dmp

Filesize
20KB

Download
memory/4828-138-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-136-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-139-0x0000000000880000-0x0000000000883000-memory.dmp

Filesize
12KB

Download
memory/4828-132-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-135-0x0000000000880000-0x0000000000883000-memory.dmp

Filesize
12KB

Download
memory/4828-133-0x000000000087E000-0x0000000000883000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads