b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798

Analysis

max time kernel
151s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe
Size

339KB
MD5

725d3e723e72fb9156cf4a525ed14b4b
SHA1

40e197f6086c67ba8c9890d11d88f51eee7b11b2
SHA256

b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798
SHA512

4dcfea8d4f17b30ef7367fd5d31dfba087aba43c0f4d90909840f4b2810b8acdbc5de702395e8abd76b5c8d90179a8a03343dc140b47d3568b7b04276f906ca3
SSDEEP

6144:AA76KljCh2Hb2baqDqhmmvClvdwpjc3K8CtY:/CQ72+MrmRaK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	alocru.exe

Deletes itself 1 IoCs

pid	Process
272	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Eqzyqu\\alocru.exe"	alocru.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	alocru.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe
1832	alocru.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe
1832	alocru.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1044 wrote to memory of 1832	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	27
PID 1832 wrote to memory of 1112	1832	alocru.exe	14
PID 1832 wrote to memory of 1112	1832	alocru.exe	14
PID 1832 wrote to memory of 1112	1832	alocru.exe	14
PID 1832 wrote to memory of 1112	1832	alocru.exe	14
PID 1832 wrote to memory of 1112	1832	alocru.exe	14
PID 1832 wrote to memory of 1172	1832	alocru.exe	13
PID 1832 wrote to memory of 1172	1832	alocru.exe	13
PID 1832 wrote to memory of 1172	1832	alocru.exe	13
PID 1832 wrote to memory of 1172	1832	alocru.exe	13
PID 1832 wrote to memory of 1172	1832	alocru.exe	13
PID 1832 wrote to memory of 1212	1832	alocru.exe	11
PID 1832 wrote to memory of 1212	1832	alocru.exe	11
PID 1832 wrote to memory of 1212	1832	alocru.exe	11
PID 1832 wrote to memory of 1212	1832	alocru.exe	11
PID 1832 wrote to memory of 1212	1832	alocru.exe	11
PID 1832 wrote to memory of 1044	1832	alocru.exe	12
PID 1832 wrote to memory of 1044	1832	alocru.exe	12
PID 1832 wrote to memory of 1044	1832	alocru.exe	12
PID 1832 wrote to memory of 1044	1832	alocru.exe	12
PID 1832 wrote to memory of 1044	1832	alocru.exe	12
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28
PID 1044 wrote to memory of 272	1044	b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe
  "C:\Users\Admin\AppData\Local\Temp\b4dd82a41cea1491b88a7b7360061745e4d5514fb0ab1da48f76d5d36a8f0798.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Roaming\Eqzyqu\alocru.exe
    "C:\Users\Admin\AppData\Roaming\Eqzyqu\alocru.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe34bec79.bat"
    3⤵
    - Deletes itself
    PID:272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe34bec79.bat

Filesize
307B

MD5
ddeff8b7d6226713bf72b415a5ac1930

SHA1
0d593eadbd4c6b3e50633d8efe2d41ba9f73b837

SHA256
5129e5a36b1787ac00029a13aac6e0bfce0efd98d8ef33d2069b3daaf00ea24c

SHA512
64c94291ce7ba6691876dcfe9a91fb4c1ff624586a2c41667dc2a52ef4cd71dd3b9847f8048823615de31eca992fb90a9cd55726c1fae5a4babf5aab9ab52232

Download Submit
C:\Users\Admin\AppData\Roaming\Eqzyqu\alocru.exe

Filesize
339KB

MD5
482221ff598c35ac52ffbf4924ee71a9

SHA1
62c226ce6e0d6b606e186e6300bfc6547cedde3a

SHA256
7ccd22ab7709d85126a0c3bb023bcc7056eaaad450633671ec2821878792e784

SHA512
208dbfdbbab4dc877ac6ea1a822a87cd2d31b6d576dead3f7c60eb54b91d4a1bdfc43f6de5aaaeb796a62d62f5b6a0fe1721afdeaa2c935a645d8157ff70198b

Download Submit
C:\Users\Admin\AppData\Roaming\Eqzyqu\alocru.exe

Filesize
339KB

MD5
482221ff598c35ac52ffbf4924ee71a9

SHA1
62c226ce6e0d6b606e186e6300bfc6547cedde3a

SHA256
7ccd22ab7709d85126a0c3bb023bcc7056eaaad450633671ec2821878792e784

SHA512
208dbfdbbab4dc877ac6ea1a822a87cd2d31b6d576dead3f7c60eb54b91d4a1bdfc43f6de5aaaeb796a62d62f5b6a0fe1721afdeaa2c935a645d8157ff70198b

Download Submit
\Users\Admin\AppData\Roaming\Eqzyqu\alocru.exe

Filesize
339KB

MD5
482221ff598c35ac52ffbf4924ee71a9

SHA1
62c226ce6e0d6b606e186e6300bfc6547cedde3a

SHA256
7ccd22ab7709d85126a0c3bb023bcc7056eaaad450633671ec2821878792e784

SHA512
208dbfdbbab4dc877ac6ea1a822a87cd2d31b6d576dead3f7c60eb54b91d4a1bdfc43f6de5aaaeb796a62d62f5b6a0fe1721afdeaa2c935a645d8157ff70198b

Download Submit
memory/272-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-115-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/272-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/272-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/272-102-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/272-101-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/272-100-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1044-86-0x0000000000490000-0x00000000004D7000-memory.dmp

Filesize
284KB

Download
memory/1044-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1044-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1044-81-0x0000000000330000-0x0000000000377000-memory.dmp

Filesize
284KB

Download
memory/1044-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1044-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1044-84-0x0000000000490000-0x00000000004D7000-memory.dmp

Filesize
284KB

Download
memory/1044-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1044-105-0x0000000000490000-0x00000000004D7000-memory.dmp

Filesize
284KB

Download
memory/1044-88-0x0000000000490000-0x00000000004D7000-memory.dmp

Filesize
284KB

Download
memory/1044-89-0x0000000000490000-0x00000000004D7000-memory.dmp

Filesize
284KB

Download
memory/1044-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1044-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1044-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1044-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1044-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1044-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-67-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1112-66-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1112-62-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1112-64-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1112-65-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1172-71-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1172-70-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1172-72-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1172-73-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1212-78-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1212-77-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1212-76-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1212-79-0x00000000029C0000-0x0000000002A07000-memory.dmp

Filesize
284KB

Download
memory/1832-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1832-85-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/1832-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download