1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
Size

327KB
MD5

787d26ae83f0a6599e96dc1eafe0cea4
SHA1

392a898abeb50fcd98e4f72671eb9f8c67f564df
SHA256

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87
SHA512

3858fddbfe55793daf1330a0f06e0db92666ae69bbdb28019afd293d2f3d5e71e1d3d81da59edf49376a008a5a3591a37d5647b67f8aa0c6fc1f634d78faefd5
SSDEEP

6144:MHfQZl8Q3GjMMMMMMoAVbpGoBtC0Ae+F294oLNHkiBOb8j:4fQZl8+YMMMMMM51GoBtCvF2946aiBOs

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

omivo.exe

pid process

1684 omivo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1884 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

pid process

1456 1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

pid	process
1884	cmd.exe

pid	process
1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

omivo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	omivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{427D821A-C81F-015E-20D5-9207563B16E6} = "C:\\Users\\Admin\\AppData\\Roaming\\Nunauf\\omivo.exe"	omivo.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exeomivo.exe

pid process

1456 1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
1684 omivo.exe

pid	process
1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
1684	omivo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

description	pid	process	target process
PID 1456 set thread context of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\30054953-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

omivo.exe

pid	process
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe
1684	omivo.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
Token: SeSecurityPrivilege	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
Token: SeSecurityPrivilege	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
Token: SeManageVolumePrivilege	1980	WinMail.exe
Token: SeSecurityPrivilege	1884	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1980 WinMail.exe

pid	process
1980	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exeomivo.exe

description	pid	process	target process
PID 1456 wrote to memory of 1684	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	omivo.exe
PID 1456 wrote to memory of 1684	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	omivo.exe
PID 1456 wrote to memory of 1684	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	omivo.exe
PID 1456 wrote to memory of 1684	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	omivo.exe
PID 1684 wrote to memory of 1228	1684	omivo.exe	taskhost.exe
PID 1684 wrote to memory of 1228	1684	omivo.exe	taskhost.exe
PID 1684 wrote to memory of 1228	1684	omivo.exe	taskhost.exe
PID 1684 wrote to memory of 1228	1684	omivo.exe	taskhost.exe
PID 1684 wrote to memory of 1228	1684	omivo.exe	taskhost.exe
PID 1684 wrote to memory of 1308	1684	omivo.exe	Dwm.exe
PID 1684 wrote to memory of 1308	1684	omivo.exe	Dwm.exe
PID 1684 wrote to memory of 1308	1684	omivo.exe	Dwm.exe
PID 1684 wrote to memory of 1308	1684	omivo.exe	Dwm.exe
PID 1684 wrote to memory of 1308	1684	omivo.exe	Dwm.exe
PID 1684 wrote to memory of 1360	1684	omivo.exe	Explorer.EXE
PID 1684 wrote to memory of 1360	1684	omivo.exe	Explorer.EXE
PID 1684 wrote to memory of 1360	1684	omivo.exe	Explorer.EXE
PID 1684 wrote to memory of 1360	1684	omivo.exe	Explorer.EXE
PID 1684 wrote to memory of 1360	1684	omivo.exe	Explorer.EXE
PID 1684 wrote to memory of 1456	1684	omivo.exe	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
PID 1684 wrote to memory of 1456	1684	omivo.exe	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
PID 1684 wrote to memory of 1456	1684	omivo.exe	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
PID 1684 wrote to memory of 1456	1684	omivo.exe	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
PID 1684 wrote to memory of 1456	1684	omivo.exe	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
PID 1684 wrote to memory of 1980	1684	omivo.exe	WinMail.exe
PID 1684 wrote to memory of 1980	1684	omivo.exe	WinMail.exe
PID 1684 wrote to memory of 1980	1684	omivo.exe	WinMail.exe
PID 1684 wrote to memory of 1980	1684	omivo.exe	WinMail.exe
PID 1684 wrote to memory of 1980	1684	omivo.exe	WinMail.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe	cmd.exe
PID 1684 wrote to memory of 1040	1684	omivo.exe	conhost.exe
PID 1684 wrote to memory of 1040	1684	omivo.exe	conhost.exe
PID 1684 wrote to memory of 1040	1684	omivo.exe	conhost.exe
PID 1684 wrote to memory of 1040	1684	omivo.exe	conhost.exe
PID 1684 wrote to memory of 1040	1684	omivo.exe	conhost.exe
PID 1684 wrote to memory of 1928	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1928	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1928	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1928	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1928	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1600	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1600	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1600	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1600	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1600	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1384	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1384	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1384	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1384	1684	omivo.exe	DllHost.exe
PID 1684 wrote to memory of 1384	1684	omivo.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe
  "C:\Users\Admin\AppData\Local\Temp\1a8aedf2bafbdcfa4a9eed9ca7e57ebe7183063f40f5991df5e46d07da074d87.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Roaming\Nunauf\omivo.exe
    "C:\Users\Admin\AppData\Roaming\Nunauf\omivo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2b4f8578.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1884

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-312827068247572414-644981968-1097932614-776266483-4852668215175600001803761486"
1⤵
PID:1040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2b4f8578.bat

Filesize
307B

MD5
89496a54b1d71823aedcfc637bf89c12

SHA1
a0cc8370090989ec7c180bb14c6172a3c9219f85

SHA256
e9b3fcb2cb2da373b05908d79fb0122a3ab4e01d549ca3f7ce00fafdcc595f08

SHA512
3ee1deeeb96ae6a5f3c27479d863e008ebd467d7df6d8df46f09fbde707dc68548f8d7201931f84a3fe9d61d2007f5a44109680376fac62831924a34eb6636a4

Download Submit
C:\Users\Admin\AppData\Roaming\Nunauf\omivo.exe

Filesize
327KB

MD5
90313d7e8ac76471f756f008a3f1d59c

SHA1
91ad8d0009d815b99915d3a965d29b746020b5aa

SHA256
d2c38a0e8dc853f6c10220ded3689e95cff2c9aea3dc0aded541d59fc71268bb

SHA512
9aff45c3e1c4b3cd50e872a44dd84e69ccf194cc0c26ffee23bd97327f11ba4116567a2c27a7a410858b2c0e32944fda211a7c34f010de203d75379789518de7

Download Submit
C:\Users\Admin\AppData\Roaming\Nunauf\omivo.exe

Filesize
327KB

MD5
90313d7e8ac76471f756f008a3f1d59c

SHA1
91ad8d0009d815b99915d3a965d29b746020b5aa

SHA256
d2c38a0e8dc853f6c10220ded3689e95cff2c9aea3dc0aded541d59fc71268bb

SHA512
9aff45c3e1c4b3cd50e872a44dd84e69ccf194cc0c26ffee23bd97327f11ba4116567a2c27a7a410858b2c0e32944fda211a7c34f010de203d75379789518de7

Download Submit
C:\Users\Admin\AppData\Roaming\Uqidh\otpy.odu

Filesize
398B

MD5
94e5fb066a624c74a63cf7823322b524

SHA1
53ba3b3dcd339acf5259fadc124063c1900e658f

SHA256
896e0f930da288c6d176f41ea5e2deb3513a5259c7bb642d91065a087ede7980

SHA512
88c775baa2e06fdf454b419f953445fd9a1411b9d921133fe54ba9c08394096041b5f6e437e054ef28201f62823d85672d06e0b033844da5ba4c109058df5818

Download Submit
\Users\Admin\AppData\Roaming\Nunauf\omivo.exe

Filesize
327KB

MD5
90313d7e8ac76471f756f008a3f1d59c

SHA1
91ad8d0009d815b99915d3a965d29b746020b5aa

SHA256
d2c38a0e8dc853f6c10220ded3689e95cff2c9aea3dc0aded541d59fc71268bb

SHA512
9aff45c3e1c4b3cd50e872a44dd84e69ccf194cc0c26ffee23bd97327f11ba4116567a2c27a7a410858b2c0e32944fda211a7c34f010de203d75379789518de7

Download Submit
memory/1040-123-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1040-122-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1040-125-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1040-124-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1228-62-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1228-67-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1228-66-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1228-65-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1228-64-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1308-72-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1308-73-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1308-71-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1308-70-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1360-78-0x00000000026D0000-0x00000000026F7000-memory.dmp

Filesize
156KB

Download
memory/1360-77-0x00000000026D0000-0x00000000026F7000-memory.dmp

Filesize
156KB

Download
memory/1360-79-0x00000000026D0000-0x00000000026F7000-memory.dmp

Filesize
156KB

Download
memory/1360-76-0x00000000026D0000-0x00000000026F7000-memory.dmp

Filesize
156KB

Download
memory/1456-86-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/1456-83-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1456-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1456-56-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1456-101-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/1456-85-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/1456-84-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/1456-117-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1684-127-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1684-58-0x0000000000000000-mapping.dmp

Download
memory/1684-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1884-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1884-115-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1884-116-0x0000000000062CBA-mapping.dmp

Download
memory/1884-114-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1884-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1884-119-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1928-131-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1928-130-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1980-106-0x0000000003E60000-0x0000000003E87000-memory.dmp

Filesize
156KB

Download
memory/1980-107-0x0000000003E60000-0x0000000003E87000-memory.dmp

Filesize
156KB

Download
memory/1980-89-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/1980-95-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/1980-88-0x000007FEFA821000-0x000007FEFA823000-memory.dmp

Filesize
8KB

Download
memory/1980-87-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1980-104-0x0000000003E60000-0x0000000003E87000-memory.dmp

Filesize
156KB

Download
memory/1980-105-0x0000000003E60000-0x0000000003E87000-memory.dmp

Filesize
156KB

Download