1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9

Analysis

max time kernel
186s
max time network
79s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
Size

179KB
MD5

1ee116e38cc5709401e181495991811d
SHA1

6b4fae97c212a4cdab1be2f480797b53784d0210
SHA256

1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9
SHA512

cd37518399cf9299a77f64907b4e843744e65ea1cec3b293835d35e1e59278fbc93e17bce82d984de32110172459a8d3441895a6e80976aaa0ecfaa498db1386
SSDEEP

3072:6JIRH8MiBKlghdTeDco1Hxbu30/BLEypsLS88:MsH8MgrTeVN/tEyps

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
300	Kxoqoa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Kxoqoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\OTGV1DNWQQ = "C:\\Windows\\Kxoqoa.exe"	Kxoqoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
File created	C:\Windows\Kxoqoa.exe	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
File opened for modification	C:\Windows\Kxoqoa.exe	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International	Kxoqoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe
300	Kxoqoa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
832	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
300	Kxoqoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 300	832	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe	28
PID 832 wrote to memory of 300	832	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe	28
PID 832 wrote to memory of 300	832	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe	28
PID 832 wrote to memory of 300	832	1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe	28

C:\Users\Admin\AppData\Local\Temp\1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe
"C:\Users\Admin\AppData\Local\Temp\1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\Kxoqoa.exe
  C:\Windows\Kxoqoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Kxoqoa.exe

Filesize
179KB

MD5
1ee116e38cc5709401e181495991811d

SHA1
6b4fae97c212a4cdab1be2f480797b53784d0210

SHA256
1b72a285cab6c42a969cb3f14e64c31eb38800d3c354589b1a9d5f0e042549c9

SHA512
cd37518399cf9299a77f64907b4e843744e65ea1cec3b293835d35e1e59278fbc93e17bce82d984de32110172459a8d3441895a6e80976aaa0ecfaa498db1386

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
408B

MD5
195c5454fec59d0cc350a493b4622740

SHA1
3f4657fb37355efc440295c9ff085f6ddc57d0c9

SHA256
afbfa1acd21741c22219460148f6bd8e82cefc4a6896eba415f50417030ebcf4

SHA512
0eba678b92f6fe4de9bb8284b3c675854fa4ec75a2bed8e4cd4402309096c8931b63bf1ca7c4d0a6bbdd3584c4b3b4ab7d1dbf654439f8a159f6becf82335e86

Download Submit
memory/300-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/300-64-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/832-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/832-55-0x0000000000120000-0x000000000013A000-memory.dmp

Filesize
104KB

Download
memory/832-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/832-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download