7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe
Size

330KB
MD5

761b9f2aaa41445d70d4fb7faba5f3b0
SHA1

0fcbaa8fd4b46df396b41b2273f53e75df46d513
SHA256

7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a
SHA512

cdc6e44e2164d0d0d0adc0ea894a66d50e560928ef90452e49298f0248e301ec65aa120d5d3f60599d8f11c22504f65c4b45a083aab8d76c2369bf4c3262d075
SSDEEP

6144:+xzllL7TuevSlo3TdKQtK6f1g+GcG8DCqabJaqvAz:+5llLdvSl+tK60ctCq4Yz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	viowa.exe

Deletes itself 1 IoCs

pid	Process
676	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	viowa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Ydcude\\viowa.exe"	viowa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe
1720	viowa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe
1720	viowa.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1720	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	28
PID 1052 wrote to memory of 1720	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	28
PID 1052 wrote to memory of 1720	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	28
PID 1052 wrote to memory of 1720	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	28
PID 1720 wrote to memory of 1116	1720	viowa.exe	9
PID 1720 wrote to memory of 1116	1720	viowa.exe	9
PID 1720 wrote to memory of 1116	1720	viowa.exe	9
PID 1720 wrote to memory of 1116	1720	viowa.exe	9
PID 1720 wrote to memory of 1116	1720	viowa.exe	9
PID 1720 wrote to memory of 1176	1720	viowa.exe	17
PID 1720 wrote to memory of 1176	1720	viowa.exe	17
PID 1720 wrote to memory of 1176	1720	viowa.exe	17
PID 1720 wrote to memory of 1176	1720	viowa.exe	17
PID 1720 wrote to memory of 1176	1720	viowa.exe	17
PID 1720 wrote to memory of 1216	1720	viowa.exe	16
PID 1720 wrote to memory of 1216	1720	viowa.exe	16
PID 1720 wrote to memory of 1216	1720	viowa.exe	16
PID 1720 wrote to memory of 1216	1720	viowa.exe	16
PID 1720 wrote to memory of 1216	1720	viowa.exe	16
PID 1720 wrote to memory of 1052	1720	viowa.exe	27
PID 1720 wrote to memory of 1052	1720	viowa.exe	27
PID 1720 wrote to memory of 1052	1720	viowa.exe	27
PID 1720 wrote to memory of 1052	1720	viowa.exe	27
PID 1720 wrote to memory of 1052	1720	viowa.exe	27
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29
PID 1052 wrote to memory of 676	1052	7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe
  "C:\Users\Admin\AppData\Local\Temp\7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\Ydcude\viowa.exe
    "C:\Users\Admin\AppData\Roaming\Ydcude\viowa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaa1ff9ba.bat"
    3⤵
    - Deletes itself
    PID:676

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaa1ff9ba.bat

Filesize
307B

MD5
a0a1f3e981e4903bab8488af8b69bc20

SHA1
2308e04cbaa2e35e4aa1ea60c584c40b6695ac96

SHA256
85bcab0a39a34618200e08d4e3b2f4dd52ccc18eefab4770d36aa1188e3ffdba

SHA512
321784d25d0132c28b075489632048089d743c5d9d899d10d40fa12f71decc4e08e9427fcf16f5397a3bc09ae9b12ddd5684ed2eec41ba998d13dca154ea5525

Download Submit
C:\Users\Admin\AppData\Roaming\Ydcude\viowa.exe

Filesize
330KB

MD5
de066fff3f264104a53d6f1d9d382c31

SHA1
2f5ccd33a6274f4cc7a3223dbcd481f71e2f1893

SHA256
5a7036f6965b557b20122127b84e5803fb7751764f3797aa8576741d73b7d74a

SHA512
620ef37594c375a12c03c7842b99cf704422a629fd23564542d01c44b1dd9c2d6cb8264bda5b1caac23346e000b49bdd02907654f1a4f9a8affee3ddf669356c

Download Submit
C:\Users\Admin\AppData\Roaming\Ydcude\viowa.exe

Filesize
330KB

MD5
de066fff3f264104a53d6f1d9d382c31

SHA1
2f5ccd33a6274f4cc7a3223dbcd481f71e2f1893

SHA256
5a7036f6965b557b20122127b84e5803fb7751764f3797aa8576741d73b7d74a

SHA512
620ef37594c375a12c03c7842b99cf704422a629fd23564542d01c44b1dd9c2d6cb8264bda5b1caac23346e000b49bdd02907654f1a4f9a8affee3ddf669356c

Download Submit
\Users\Admin\AppData\Roaming\Ydcude\viowa.exe

Filesize
330KB

MD5
de066fff3f264104a53d6f1d9d382c31

SHA1
2f5ccd33a6274f4cc7a3223dbcd481f71e2f1893

SHA256
5a7036f6965b557b20122127b84e5803fb7751764f3797aa8576741d73b7d74a

SHA512
620ef37594c375a12c03c7842b99cf704422a629fd23564542d01c44b1dd9c2d6cb8264bda5b1caac23346e000b49bdd02907654f1a4f9a8affee3ddf669356c

Download Submit
memory/676-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-115-0x00000000000A0000-0x00000000000E7000-memory.dmp

Filesize
284KB

Download
memory/676-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-98-0x00000000000A0000-0x00000000000E7000-memory.dmp

Filesize
284KB

Download
memory/676-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/676-102-0x00000000000A0000-0x00000000000E7000-memory.dmp

Filesize
284KB

Download
memory/676-101-0x00000000000A0000-0x00000000000E7000-memory.dmp

Filesize
284KB

Download
memory/676-100-0x00000000000A0000-0x00000000000E7000-memory.dmp

Filesize
284KB

Download
memory/1052-86-0x0000000000700000-0x0000000000747000-memory.dmp

Filesize
284KB

Download
memory/1052-104-0x00000000007A0000-0x00000000007E7000-memory.dmp

Filesize
284KB

Download
memory/1052-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1052-82-0x00000000007A0000-0x00000000007E7000-memory.dmp

Filesize
284KB

Download
memory/1052-83-0x00000000007A0000-0x00000000007E7000-memory.dmp

Filesize
284KB

Download
memory/1052-84-0x00000000007A0000-0x00000000007E7000-memory.dmp

Filesize
284KB

Download
memory/1052-85-0x00000000007A0000-0x00000000007E7000-memory.dmp

Filesize
284KB

Download
memory/1052-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1052-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-88-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1052-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1052-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1052-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1052-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1116-67-0x0000000001CD0000-0x0000000001D17000-memory.dmp

Filesize
284KB

Download
memory/1116-66-0x0000000001CD0000-0x0000000001D17000-memory.dmp

Filesize
284KB

Download
memory/1116-62-0x0000000001CD0000-0x0000000001D17000-memory.dmp

Filesize
284KB

Download
memory/1116-64-0x0000000001CD0000-0x0000000001D17000-memory.dmp

Filesize
284KB

Download
memory/1116-65-0x0000000001CD0000-0x0000000001D17000-memory.dmp

Filesize
284KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1176-72-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1176-71-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1176-70-0x0000000001C60000-0x0000000001CA7000-memory.dmp

Filesize
284KB

Download
memory/1216-77-0x0000000002240000-0x0000000002287000-memory.dmp

Filesize
284KB

Download
memory/1216-78-0x0000000002240000-0x0000000002287000-memory.dmp

Filesize
284KB

Download
memory/1216-76-0x0000000002240000-0x0000000002287000-memory.dmp

Filesize
284KB

Download
memory/1216-79-0x0000000002240000-0x0000000002287000-memory.dmp

Filesize
284KB

Download
memory/1720-90-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1720-89-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1720-116-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download