af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d

Analysis

max time kernel
290s
max time network
350s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Size

389KB
MD5

b6f44530923ed01c9d8339cfafca2499
SHA1

b478caf17103ecee9bd78e604f76145b910549ef
SHA256

af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d
SHA512

185990df0173af4e68c7e0f10bb25b81cfa6ff7441254eb1a41b52a9c3a5dedb8681095c06f41442a7a9979ee14cf4526537592022d15460ece13ea60d5230ad
SSDEEP

3072:Pe41fGxM8/R2ljNjbbYewzYS/nnSXjyV8n167SaaHNhXV3+050jIkTHGGrb/SCdK:mAOOeeNbE0SSzO8163F05kxdb965w2Ug

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	omyh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Privacy	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	omyh.exe
1176	omyh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4472	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
Token: SeSecurityPrivilege	4472	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1176	4472	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	82
PID 4472 wrote to memory of 1176	4472	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	82
PID 4472 wrote to memory of 1176	4472	af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe	82
PID 1176 wrote to memory of 2704	1176	omyh.exe	50
PID 1176 wrote to memory of 2704	1176	omyh.exe	50
PID 1176 wrote to memory of 2704	1176	omyh.exe	50
PID 1176 wrote to memory of 2704	1176	omyh.exe	50
PID 1176 wrote to memory of 2704	1176	omyh.exe	50
PID 1176 wrote to memory of 2744	1176	omyh.exe	49
PID 1176 wrote to memory of 2744	1176	omyh.exe	49
PID 1176 wrote to memory of 2744	1176	omyh.exe	49
PID 1176 wrote to memory of 2744	1176	omyh.exe	49
PID 1176 wrote to memory of 2744	1176	omyh.exe	49
PID 1176 wrote to memory of 2872	1176	omyh.exe	48
PID 1176 wrote to memory of 2872	1176	omyh.exe	48
PID 1176 wrote to memory of 2872	1176	omyh.exe	48
PID 1176 wrote to memory of 2872	1176	omyh.exe	48
PID 1176 wrote to memory of 2872	1176	omyh.exe	48
PID 1176 wrote to memory of 1952	1176	omyh.exe	46
PID 1176 wrote to memory of 1952	1176	omyh.exe	46
PID 1176 wrote to memory of 1952	1176	omyh.exe	46
PID 1176 wrote to memory of 1952	1176	omyh.exe	46
PID 1176 wrote to memory of 1952	1176	omyh.exe	46
PID 1176 wrote to memory of 3088	1176	omyh.exe	45
PID 1176 wrote to memory of 3088	1176	omyh.exe	45
PID 1176 wrote to memory of 3088	1176	omyh.exe	45
PID 1176 wrote to memory of 3088	1176	omyh.exe	45
PID 1176 wrote to memory of 3088	1176	omyh.exe	45
PID 1176 wrote to memory of 3268	1176	omyh.exe	44
PID 1176 wrote to memory of 3268	1176	omyh.exe	44
PID 1176 wrote to memory of 3268	1176	omyh.exe	44
PID 1176 wrote to memory of 3268	1176	omyh.exe	44
PID 1176 wrote to memory of 3268	1176	omyh.exe	44
PID 1176 wrote to memory of 3376	1176	omyh.exe	43
PID 1176 wrote to memory of 3376	1176	omyh.exe	43
PID 1176 wrote to memory of 3376	1176	omyh.exe	43
PID 1176 wrote to memory of 3376	1176	omyh.exe	43
PID 1176 wrote to memory of 3376	1176	omyh.exe	43
PID 1176 wrote to memory of 3444	1176	omyh.exe	22
PID 1176 wrote to memory of 3444	1176	omyh.exe	22
PID 1176 wrote to memory of 3444	1176	omyh.exe	22
PID 1176 wrote to memory of 3444	1176	omyh.exe	22
PID 1176 wrote to memory of 3444	1176	omyh.exe	22
PID 1176 wrote to memory of 3528	1176	omyh.exe	42
PID 1176 wrote to memory of 3528	1176	omyh.exe	42
PID 1176 wrote to memory of 3528	1176	omyh.exe	42
PID 1176 wrote to memory of 3528	1176	omyh.exe	42
PID 1176 wrote to memory of 3528	1176	omyh.exe	42
PID 1176 wrote to memory of 3808	1176	omyh.exe	41
PID 1176 wrote to memory of 3808	1176	omyh.exe	41
PID 1176 wrote to memory of 3808	1176	omyh.exe	41
PID 1176 wrote to memory of 3808	1176	omyh.exe	41
PID 1176 wrote to memory of 3808	1176	omyh.exe	41
PID 1176 wrote to memory of 4368	1176	omyh.exe	27
PID 1176 wrote to memory of 4368	1176	omyh.exe	27
PID 1176 wrote to memory of 4368	1176	omyh.exe	27
PID 1176 wrote to memory of 4368	1176	omyh.exe	27
PID 1176 wrote to memory of 4368	1176	omyh.exe	27
PID 1176 wrote to memory of 4656	1176	omyh.exe	25
PID 1176 wrote to memory of 4656	1176	omyh.exe	25
PID 1176 wrote to memory of 4656	1176	omyh.exe	25
PID 1176 wrote to memory of 4656	1176	omyh.exe	25
PID 1176 wrote to memory of 4656	1176	omyh.exe	25
PID 1176 wrote to memory of 4472	1176	omyh.exe	79

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4656

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe
  "C:\Users\Admin\AppData\Local\Temp\af830999799b96a0e6d9d2034351aa4a3ef37eb19238d729e5b579baac1ff89d.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Roaming\Aqnoih\omyh.exe
    "C:\Users\Admin\AppData\Roaming\Aqnoih\omyh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1176

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2744

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Aqnoih\omyh.exe

Filesize
389KB

MD5
e2785b2f62e44189c54df9c58f185856

SHA1
ff51c78433769a36db23db018e755b6e9ac0ca9b

SHA256
827d0e096b23483125edf7e7fd06df0ba48d6026e34213fc3f33b5c8f9a69529

SHA512
5ce31eb2f637b3b146e68aca41cbbed860898f4f398e3f32c72e39ceb6c8116efc2ef60686bea00ff6e1796766d20b91b8bbd3f001a2173ef83ca2a0179e6639

Download Submit
C:\Users\Admin\AppData\Roaming\Aqnoih\omyh.exe

Filesize
389KB

MD5
e2785b2f62e44189c54df9c58f185856

SHA1
ff51c78433769a36db23db018e755b6e9ac0ca9b

SHA256
827d0e096b23483125edf7e7fd06df0ba48d6026e34213fc3f33b5c8f9a69529

SHA512
5ce31eb2f637b3b146e68aca41cbbed860898f4f398e3f32c72e39ceb6c8116efc2ef60686bea00ff6e1796766d20b91b8bbd3f001a2173ef83ca2a0179e6639

Download Submit
memory/1176-141-0x0000000001F90000-0x0000000001FCB000-memory.dmp

Filesize
236KB

Download
memory/1176-142-0x0000000001FD0000-0x0000000002032000-memory.dmp

Filesize
392KB

Download
memory/1176-143-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1176-144-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4472-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4472-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-134-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4472-133-0x0000000002250000-0x00000000022B2000-memory.dmp

Filesize
392KB

Download
memory/4472-132-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/4472-145-0x0000000000670000-0x00000000006AB000-memory.dmp

Filesize
236KB

Download
memory/4472-146-0x0000000000670000-0x00000000006AB000-memory.dmp

Filesize
236KB

Download