8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 06:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe
Size

360KB
MD5

dab5a6e91c61f4db5fec7f84ee403bdc
SHA1

00652df1455b740f611c55b80e84dcafa9a7db5e
SHA256

8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273
SHA512

c6f099b5b8f2c7b0be14d51528be020039643722acb457b4d692ec40735288d1635def733bba0b72244075ffa126cf6f6ac18e083b905b186b8aedb3e6a9d0ee
SSDEEP

6144:4tD1VLuCiLh7BCe1QS43cGGriHZzMdSOlIhv5:4tDbaue1p4sMydO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	loolza.exe

Deletes itself 1 IoCs

pid	Process
1080	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe
364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	loolza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ixliw\\loolza.exe"	loolza.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 364 set thread context of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe
1956	loolza.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1956	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	26
PID 364 wrote to memory of 1956	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	26
PID 364 wrote to memory of 1956	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	26
PID 364 wrote to memory of 1956	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	26
PID 1956 wrote to memory of 1240	1956	loolza.exe	17
PID 1956 wrote to memory of 1240	1956	loolza.exe	17
PID 1956 wrote to memory of 1240	1956	loolza.exe	17
PID 1956 wrote to memory of 1240	1956	loolza.exe	17
PID 1956 wrote to memory of 1240	1956	loolza.exe	17
PID 1956 wrote to memory of 1320	1956	loolza.exe	16
PID 1956 wrote to memory of 1320	1956	loolza.exe	16
PID 1956 wrote to memory of 1320	1956	loolza.exe	16
PID 1956 wrote to memory of 1320	1956	loolza.exe	16
PID 1956 wrote to memory of 1320	1956	loolza.exe	16
PID 1956 wrote to memory of 1356	1956	loolza.exe	11
PID 1956 wrote to memory of 1356	1956	loolza.exe	11
PID 1956 wrote to memory of 1356	1956	loolza.exe	11
PID 1956 wrote to memory of 1356	1956	loolza.exe	11
PID 1956 wrote to memory of 1356	1956	loolza.exe	11
PID 1956 wrote to memory of 364	1956	loolza.exe	25
PID 1956 wrote to memory of 364	1956	loolza.exe	25
PID 1956 wrote to memory of 364	1956	loolza.exe	25
PID 1956 wrote to memory of 364	1956	loolza.exe	25
PID 1956 wrote to memory of 364	1956	loolza.exe	25
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27
PID 364 wrote to memory of 1080	364	8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe
  "C:\Users\Admin\AppData\Local\Temp\8919723f49684dd4d1df3426162cd427f989d1187c07396720902d9da96c7273.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Roaming\Ixliw\loolza.exe
    "C:\Users\Admin\AppData\Roaming\Ixliw\loolza.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5f54a06.bat"
    3⤵
    - Deletes itself
    PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc5f54a06.bat

Filesize
307B

MD5
a407fc82e5b448a6745ee508c6b3dd0c

SHA1
f8a9f250ddbcd47212ce5f5b97852166e48e47e8

SHA256
22e189d166ec8b88306e4c8465b55d8fe0879d7e6c6c694e753406b43bc267b0

SHA512
e727fb05c073f0fe4594e6c1ebbf4d48c6f0579b50b2b4a42248c6d860fe0f8b7856be1b540e4db21f204d140cc05b03b5ab6989e8568b398bafbb8d99a1a459

Download Submit
C:\Users\Admin\AppData\Roaming\Ixliw\loolza.exe

Filesize
360KB

MD5
23b92f92d7d520c467ec48a955681b4d

SHA1
6842933d93014035c6f680d94e015f2abd2721d0

SHA256
c374387609bb1c4c9f6cc1e30e25649a5d5bf46eada57fa4839b568d27e272b6

SHA512
9070fb449f9d32966ff870d2db233292823adaf120e29740d709b5bcc3eff743bc78383fd98c0ae902d901335f736380b9ddb29acf8430a0f859afbbdca29e71

Download Submit
C:\Users\Admin\AppData\Roaming\Ixliw\loolza.exe

Filesize
360KB

MD5
23b92f92d7d520c467ec48a955681b4d

SHA1
6842933d93014035c6f680d94e015f2abd2721d0

SHA256
c374387609bb1c4c9f6cc1e30e25649a5d5bf46eada57fa4839b568d27e272b6

SHA512
9070fb449f9d32966ff870d2db233292823adaf120e29740d709b5bcc3eff743bc78383fd98c0ae902d901335f736380b9ddb29acf8430a0f859afbbdca29e71

Download Submit
\Users\Admin\AppData\Roaming\Ixliw\loolza.exe

Filesize
360KB

MD5
23b92f92d7d520c467ec48a955681b4d

SHA1
6842933d93014035c6f680d94e015f2abd2721d0

SHA256
c374387609bb1c4c9f6cc1e30e25649a5d5bf46eada57fa4839b568d27e272b6

SHA512
9070fb449f9d32966ff870d2db233292823adaf120e29740d709b5bcc3eff743bc78383fd98c0ae902d901335f736380b9ddb29acf8430a0f859afbbdca29e71

Download Submit
\Users\Admin\AppData\Roaming\Ixliw\loolza.exe

Filesize
360KB

MD5
23b92f92d7d520c467ec48a955681b4d

SHA1
6842933d93014035c6f680d94e015f2abd2721d0

SHA256
c374387609bb1c4c9f6cc1e30e25649a5d5bf46eada57fa4839b568d27e272b6

SHA512
9070fb449f9d32966ff870d2db233292823adaf120e29740d709b5bcc3eff743bc78383fd98c0ae902d901335f736380b9ddb29acf8430a0f859afbbdca29e71

Download Submit
memory/364-87-0x0000000002180000-0x000000000222A000-memory.dmp

Filesize
680KB

Download
memory/364-83-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/364-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-96-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/364-84-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/364-85-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/364-86-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1080-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1080-90-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1080-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1080-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1080-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1240-63-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1240-68-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1240-65-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1240-67-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1240-66-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1320-73-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1320-72-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1320-71-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1320-74-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1356-80-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1356-77-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1356-78-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1356-79-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1956-61-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download