749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

Analysis

max time kernel
316s
max time network
364s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
Size

928KB
MD5

284b37c4771f4dcf91a37348014e04ff
SHA1

211e5aa4cc0451aa252660576fc5c6a1961667fd
SHA256

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913
SHA512

dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568
SSDEEP

24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1028	oiesczh.exe
4392	oiesczh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\oiesczh.exe.log	oiesczh.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 1028 set thread context of 4392	1028	oiesczh.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4208	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
4208	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	83
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	87

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
  "C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
  "C:\Users\Admin\AppData\Local\Temp\oiesczh.exe"
  2⤵
  - Executes dropped EXE
  PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
memory/1028-152-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/1028-144-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/1028-143-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/3700-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-139-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4208-137-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4208-140-0x0000000000FB0000-0x00000000011FB000-memory.dmp

Filesize
2.3MB

Download
memory/4208-138-0x0000000000D90000-0x0000000000FAA000-memory.dmp

Filesize
2.1MB

Download
memory/4208-134-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download