d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f

Analysis

max time kernel
187s
max time network
185s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe
Size

329KB
MD5

f242a8b174bfb4c818e93e24d1847ecc
SHA1

2315c5175def6112cd04925246efb85e4145a0be
SHA256

d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f
SHA512

aa0083726211b64f21c0e1922da1cb80d4aabbf9b362b8c36dd6fdfc09fd3805c4a1ea02e245f2ec18ac060c7203de813f7e19d5cf69a9cb6ab9d4ccc8c17206
SSDEEP

6144:jYwaU+TjJl6Qy/VOoUKIVflNiLoWtM89QJTPPWZYbssN:swP+PWQEOooiX+89Q1nWZUN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
368	assoen.exe

Deletes itself 1 IoCs

pid	Process
1592	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe
344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	assoen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Kojau\\assoen.exe"	assoen.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe
368	assoen.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe
368	assoen.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 368	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	28
PID 344 wrote to memory of 368	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	28
PID 344 wrote to memory of 368	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	28
PID 344 wrote to memory of 368	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	28
PID 368 wrote to memory of 1132	368	assoen.exe	15
PID 368 wrote to memory of 1132	368	assoen.exe	15
PID 368 wrote to memory of 1132	368	assoen.exe	15
PID 368 wrote to memory of 1132	368	assoen.exe	15
PID 368 wrote to memory of 1132	368	assoen.exe	15
PID 368 wrote to memory of 1172	368	assoen.exe	14
PID 368 wrote to memory of 1172	368	assoen.exe	14
PID 368 wrote to memory of 1172	368	assoen.exe	14
PID 368 wrote to memory of 1172	368	assoen.exe	14
PID 368 wrote to memory of 1172	368	assoen.exe	14
PID 368 wrote to memory of 1204	368	assoen.exe	13
PID 368 wrote to memory of 1204	368	assoen.exe	13
PID 368 wrote to memory of 1204	368	assoen.exe	13
PID 368 wrote to memory of 1204	368	assoen.exe	13
PID 368 wrote to memory of 1204	368	assoen.exe	13
PID 368 wrote to memory of 344	368	assoen.exe	20
PID 368 wrote to memory of 344	368	assoen.exe	20
PID 368 wrote to memory of 344	368	assoen.exe	20
PID 368 wrote to memory of 344	368	assoen.exe	20
PID 368 wrote to memory of 344	368	assoen.exe	20
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29
PID 344 wrote to memory of 1592	344	d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe
  "C:\Users\Admin\AppData\Local\Temp\d09af56af9cb416bbfd68f178afa718061a8fe0b469f01c334cb0b8daaecc04f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Roaming\Kojau\assoen.exe
    "C:\Users\Admin\AppData\Roaming\Kojau\assoen.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp45033879.bat"
    3⤵
    - Deletes itself
    PID:1592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp45033879.bat

Filesize
307B

MD5
87328ef07f41e20ca794474a4819e8d8

SHA1
2a74d729e492687938f3ccb111a6d2d1de713325

SHA256
68070160868b1e67b93f92591d4a26ab3db92bf7b90fccec94a7a096c3402cf9

SHA512
0482f50eb42b9b6b7fb8aaeaf138f3d016d02bea7d7da93ee5a907d4e0d0340371e3fcda9f02fd1a69e0fa08c13ea12aab9a76f0b5303ac306f23e234d6be4cd

Download Submit
C:\Users\Admin\AppData\Roaming\Kojau\assoen.exe

Filesize
329KB

MD5
a5b7dc9a7ea7162afec87b05a4c07db4

SHA1
f39921b610cec1d62c1f737eb8cd1d077562bfa4

SHA256
c24ea2b219d71de0b847db4ae139eaba04d5a0612806978ab6b61b38b6fd7929

SHA512
7f5e694c4562307f4e1745657a3f9372453b163d82d25bba0758f1cad34a95712d9398c4c49df808414bae7080a0c2620dc8e608aa460df6fea51094f1347a56

Download Submit
C:\Users\Admin\AppData\Roaming\Kojau\assoen.exe

Filesize
329KB

MD5
a5b7dc9a7ea7162afec87b05a4c07db4

SHA1
f39921b610cec1d62c1f737eb8cd1d077562bfa4

SHA256
c24ea2b219d71de0b847db4ae139eaba04d5a0612806978ab6b61b38b6fd7929

SHA512
7f5e694c4562307f4e1745657a3f9372453b163d82d25bba0758f1cad34a95712d9398c4c49df808414bae7080a0c2620dc8e608aa460df6fea51094f1347a56

Download Submit
\Users\Admin\AppData\Roaming\Kojau\assoen.exe

Filesize
329KB

MD5
a5b7dc9a7ea7162afec87b05a4c07db4

SHA1
f39921b610cec1d62c1f737eb8cd1d077562bfa4

SHA256
c24ea2b219d71de0b847db4ae139eaba04d5a0612806978ab6b61b38b6fd7929

SHA512
7f5e694c4562307f4e1745657a3f9372453b163d82d25bba0758f1cad34a95712d9398c4c49df808414bae7080a0c2620dc8e608aa460df6fea51094f1347a56

Download Submit
\Users\Admin\AppData\Roaming\Kojau\assoen.exe

Filesize
329KB

MD5
a5b7dc9a7ea7162afec87b05a4c07db4

SHA1
f39921b610cec1d62c1f737eb8cd1d077562bfa4

SHA256
c24ea2b219d71de0b847db4ae139eaba04d5a0612806978ab6b61b38b6fd7929

SHA512
7f5e694c4562307f4e1745657a3f9372453b163d82d25bba0758f1cad34a95712d9398c4c49df808414bae7080a0c2620dc8e608aa460df6fea51094f1347a56

Download Submit
memory/344-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/344-102-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/344-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/344-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/344-56-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/344-85-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/344-55-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/344-104-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/344-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/344-86-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/344-93-0x0000000000560000-0x00000000005B6000-memory.dmp

Filesize
344KB

Download
memory/344-87-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/344-88-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/344-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/368-91-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/368-90-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/368-92-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1132-65-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1132-67-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1132-69-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1172-73-0x00000000019F0000-0x0000000001A34000-memory.dmp

Filesize
272KB

Download
memory/1172-76-0x00000000019F0000-0x0000000001A34000-memory.dmp

Filesize
272KB

Download
memory/1172-75-0x00000000019F0000-0x0000000001A34000-memory.dmp

Filesize
272KB

Download
memory/1172-74-0x00000000019F0000-0x0000000001A34000-memory.dmp

Filesize
272KB

Download
memory/1204-81-0x0000000002A80000-0x0000000002AC4000-memory.dmp

Filesize
272KB

Download
memory/1204-82-0x0000000002A80000-0x0000000002AC4000-memory.dmp

Filesize
272KB

Download
memory/1204-80-0x0000000002A80000-0x0000000002AC4000-memory.dmp

Filesize
272KB

Download
memory/1204-79-0x0000000002A80000-0x0000000002AC4000-memory.dmp

Filesize
272KB

Download
memory/1592-96-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1592-100-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1592-98-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1592-99-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1592-107-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download