99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d

Analysis

max time kernel
152s
max time network
197s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe
Size

301KB
MD5

dd99a3e96b75e49c640b338c805c9417
SHA1

2b7ee0a5aad735f308d234c619c09482cc35d82a
SHA256

99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d
SHA512

22b37a88d7913aaeabf3c2a01d56b0c1d11ee13a08cb570559410f13c9e249f78647509e7b1cf1b1d95bbc49f508d1474f0fe05a6e5d8820b9d6acc30033caae
SSDEEP

6144:N1lyVPodSdVmOOOl+Gi6BH0PnGhNA/KudjJJi0AMDaPVT9dL1SrMQAnP:NyxgSdoOOOp6GfAjje0UpLaMd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	ibihit.exe

Deletes itself 1 IoCs

pid	Process
1704	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe
952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	ibihit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ibihit = "C:\\Users\\Admin\\AppData\\Roaming\\Toicx\\ibihit.exe"	ibihit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe
1712	ibihit.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1712	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	28
PID 952 wrote to memory of 1712	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	28
PID 952 wrote to memory of 1712	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	28
PID 952 wrote to memory of 1712	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	28
PID 1712 wrote to memory of 1120	1712	ibihit.exe	7
PID 1712 wrote to memory of 1120	1712	ibihit.exe	7
PID 1712 wrote to memory of 1120	1712	ibihit.exe	7
PID 1712 wrote to memory of 1120	1712	ibihit.exe	7
PID 1712 wrote to memory of 1120	1712	ibihit.exe	7
PID 1712 wrote to memory of 1176	1712	ibihit.exe	15
PID 1712 wrote to memory of 1176	1712	ibihit.exe	15
PID 1712 wrote to memory of 1176	1712	ibihit.exe	15
PID 1712 wrote to memory of 1176	1712	ibihit.exe	15
PID 1712 wrote to memory of 1176	1712	ibihit.exe	15
PID 1712 wrote to memory of 1204	1712	ibihit.exe	14
PID 1712 wrote to memory of 1204	1712	ibihit.exe	14
PID 1712 wrote to memory of 1204	1712	ibihit.exe	14
PID 1712 wrote to memory of 1204	1712	ibihit.exe	14
PID 1712 wrote to memory of 1204	1712	ibihit.exe	14
PID 1712 wrote to memory of 952	1712	ibihit.exe	21
PID 1712 wrote to memory of 952	1712	ibihit.exe	21
PID 1712 wrote to memory of 952	1712	ibihit.exe	21
PID 1712 wrote to memory of 952	1712	ibihit.exe	21
PID 1712 wrote to memory of 952	1712	ibihit.exe	21
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29
PID 952 wrote to memory of 1704	952	99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe
  "C:\Users\Admin\AppData\Local\Temp\99aa3bd929c2871f7824e0fb5c96052f5255883c9b7ff7d6189dde42b0b2f19d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\Toicx\ibihit.exe
    "C:\Users\Admin\AppData\Roaming\Toicx\ibihit.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EGPA33.bat"
    3⤵
    - Deletes itself
    PID:1704

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EGPA33.bat

Filesize
302B

MD5
154d205526ab76a4f175ddc787aef880

SHA1
1360ef48b906f5cd78fc5472ebbc37c86f74566b

SHA256
124be7e21e54ede068019a18c4616e1ba5ed951a2d9057b8517eb229b4a62ec8

SHA512
a3852a05523ebb79ff3b1220e3c6e4945ef40abbcdac01bdddfb43d9437053f84629fcf0325dc8d303f566a639725bfeeb0ef5cbae93b592b67a028f3ee0588c

Download Submit
C:\Users\Admin\AppData\Roaming\Toicx\ibihit.exe

Filesize
301KB

MD5
348ed1415f7fcd77f7f9ff6b91dda6bf

SHA1
8c032166bfc5ac4a6e7790ad163435dfa3f10d37

SHA256
4b7738f8a29ab5dbdc02bf17d15ede2912eb62d3bfd7e03fac26239ed4a19d90

SHA512
dfcb82747c827b0aeed5eab2607a65b49b07787b308ac15852a7a7173c65de4d196b3cf68bb77dea2fa7c6a266512285ef9840396947d2dae3831e056e3839f6

Download Submit
C:\Users\Admin\AppData\Roaming\Toicx\ibihit.exe

Filesize
301KB

MD5
348ed1415f7fcd77f7f9ff6b91dda6bf

SHA1
8c032166bfc5ac4a6e7790ad163435dfa3f10d37

SHA256
4b7738f8a29ab5dbdc02bf17d15ede2912eb62d3bfd7e03fac26239ed4a19d90

SHA512
dfcb82747c827b0aeed5eab2607a65b49b07787b308ac15852a7a7173c65de4d196b3cf68bb77dea2fa7c6a266512285ef9840396947d2dae3831e056e3839f6

Download Submit
\Users\Admin\AppData\Roaming\Toicx\ibihit.exe

Filesize
301KB

MD5
348ed1415f7fcd77f7f9ff6b91dda6bf

SHA1
8c032166bfc5ac4a6e7790ad163435dfa3f10d37

SHA256
4b7738f8a29ab5dbdc02bf17d15ede2912eb62d3bfd7e03fac26239ed4a19d90

SHA512
dfcb82747c827b0aeed5eab2607a65b49b07787b308ac15852a7a7173c65de4d196b3cf68bb77dea2fa7c6a266512285ef9840396947d2dae3831e056e3839f6

Download Submit
\Users\Admin\AppData\Roaming\Toicx\ibihit.exe

Filesize
301KB

MD5
348ed1415f7fcd77f7f9ff6b91dda6bf

SHA1
8c032166bfc5ac4a6e7790ad163435dfa3f10d37

SHA256
4b7738f8a29ab5dbdc02bf17d15ede2912eb62d3bfd7e03fac26239ed4a19d90

SHA512
dfcb82747c827b0aeed5eab2607a65b49b07787b308ac15852a7a7173c65de4d196b3cf68bb77dea2fa7c6a266512285ef9840396947d2dae3831e056e3839f6

Download Submit
memory/952-86-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/952-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/952-104-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/952-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/952-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/952-88-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/952-87-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/952-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/952-95-0x0000000000370000-0x00000000003C2000-memory.dmp

Filesize
328KB

Download
memory/952-85-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-67-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1204-81-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-80-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-82-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-79-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1704-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-114-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1704-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download