ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe
Size

336KB
MD5

cc61cb3cca3ae9a412c351f2fb671818
SHA1

67263c72ecaf2e5138673b8c45edf35159095d67
SHA256

ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa
SHA512

480eded6d5f47620c460ddf38f6056c95211a8ba686d72b24a1868e0a8ecb8353e3675724a2ffdfbfed752d3e866fdd19d92b01a3edb793f87ef3cfbf2cdae48
SSDEEP

6144:0zIa9Js+ogiRR0wm8k8lMJGih/0XvraXtAZB42lj9jJLelEGPcXfCvY9wXiQ:Gs+oZR3m8L2Gisja9AZRVilAqvgwd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	ombere.exe

Deletes itself 1 IoCs

pid	Process
996	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	ombere.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Peozi\\ombere.exe"	ombere.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe
1316	ombere.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe
1316	ombere.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1316	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	26
PID 1976 wrote to memory of 1316	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	26
PID 1976 wrote to memory of 1316	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	26
PID 1976 wrote to memory of 1316	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	26
PID 1316 wrote to memory of 1236	1316	ombere.exe	16
PID 1316 wrote to memory of 1236	1316	ombere.exe	16
PID 1316 wrote to memory of 1236	1316	ombere.exe	16
PID 1316 wrote to memory of 1236	1316	ombere.exe	16
PID 1316 wrote to memory of 1236	1316	ombere.exe	16
PID 1316 wrote to memory of 1348	1316	ombere.exe	15
PID 1316 wrote to memory of 1348	1316	ombere.exe	15
PID 1316 wrote to memory of 1348	1316	ombere.exe	15
PID 1316 wrote to memory of 1348	1316	ombere.exe	15
PID 1316 wrote to memory of 1348	1316	ombere.exe	15
PID 1316 wrote to memory of 1400	1316	ombere.exe	14
PID 1316 wrote to memory of 1400	1316	ombere.exe	14
PID 1316 wrote to memory of 1400	1316	ombere.exe	14
PID 1316 wrote to memory of 1400	1316	ombere.exe	14
PID 1316 wrote to memory of 1400	1316	ombere.exe	14
PID 1316 wrote to memory of 1976	1316	ombere.exe	25
PID 1316 wrote to memory of 1976	1316	ombere.exe	25
PID 1316 wrote to memory of 1976	1316	ombere.exe	25
PID 1316 wrote to memory of 1976	1316	ombere.exe	25
PID 1316 wrote to memory of 1976	1316	ombere.exe	25
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27
PID 1976 wrote to memory of 996	1976	ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe
  "C:\Users\Admin\AppData\Local\Temp\ad0ed82e7287970540327619496c352949b27db482604da113d62e5369abc1fa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Peozi\ombere.exe
    "C:\Users\Admin\AppData\Roaming\Peozi\ombere.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6c8d224f.bat"
    3⤵
    - Deletes itself
    PID:996

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6c8d224f.bat

Filesize
307B

MD5
743b449857ee07f27e5bb2efb66e0388

SHA1
b7e7ae57b051bdb05e3713a58f4c4db0a3148257

SHA256
fab70467c3e0e853c27608bab8623d2fc4832eaa5dbb0f4b11ee6e5933d16b41

SHA512
0a1527d5030250568de4642dfd6d408f01413c56fb63eb530eda3b0d6433b6d536e0c0b6f1413a56cd3ac995c33f1237cd041b5ae59ca801148bbdf2f6185154

Download Submit
C:\Users\Admin\AppData\Roaming\Peozi\ombere.exe

Filesize
336KB

MD5
0c43e90f3fce73893fdb57bffd87e9d4

SHA1
3471a87a96f7a377ca10760ad7345858c5cef2aa

SHA256
5814c3846f0f5731bd5ebbae6e4712cdf200ba7b01505d94133ea2355b9a34cc

SHA512
68a5451b802aaebe74e13e92a48681bea43c6435c36a2581f845f0afcf857426139a8a57740e997ff3d08b407d903670f62f53efd8bd741bfa39ef8c10a5648b

Download Submit
C:\Users\Admin\AppData\Roaming\Peozi\ombere.exe

Filesize
336KB

MD5
0c43e90f3fce73893fdb57bffd87e9d4

SHA1
3471a87a96f7a377ca10760ad7345858c5cef2aa

SHA256
5814c3846f0f5731bd5ebbae6e4712cdf200ba7b01505d94133ea2355b9a34cc

SHA512
68a5451b802aaebe74e13e92a48681bea43c6435c36a2581f845f0afcf857426139a8a57740e997ff3d08b407d903670f62f53efd8bd741bfa39ef8c10a5648b

Download Submit
\Users\Admin\AppData\Roaming\Peozi\ombere.exe

Filesize
336KB

MD5
0c43e90f3fce73893fdb57bffd87e9d4

SHA1
3471a87a96f7a377ca10760ad7345858c5cef2aa

SHA256
5814c3846f0f5731bd5ebbae6e4712cdf200ba7b01505d94133ea2355b9a34cc

SHA512
68a5451b802aaebe74e13e92a48681bea43c6435c36a2581f845f0afcf857426139a8a57740e997ff3d08b407d903670f62f53efd8bd741bfa39ef8c10a5648b

Download Submit
memory/996-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-95-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/996-94-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/996-96-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/996-92-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/996-97-0x000000000007E967-mapping.dmp

Download
memory/996-109-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/996-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1236-67-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1236-63-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1236-65-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1236-66-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1236-68-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1316-102-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1316-110-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1316-59-0x0000000000000000-mapping.dmp

Download
memory/1316-101-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/1348-72-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1348-71-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1348-74-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1348-73-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1400-79-0x0000000002610000-0x000000000265D000-memory.dmp

Filesize
308KB

Download
memory/1400-80-0x0000000002610000-0x000000000265D000-memory.dmp

Filesize
308KB

Download
memory/1400-78-0x0000000002610000-0x000000000265D000-memory.dmp

Filesize
308KB

Download
memory/1400-77-0x0000000002610000-0x000000000265D000-memory.dmp

Filesize
308KB

Download
memory/1976-86-0x0000000001CD0000-0x0000000001D1D000-memory.dmp

Filesize
308KB

Download
memory/1976-99-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-98-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1976-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-100-0x0000000001CD0000-0x0000000001D1D000-memory.dmp

Filesize
308KB

Download
memory/1976-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-83-0x0000000001CD0000-0x0000000001D1D000-memory.dmp

Filesize
308KB

Download
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1976-84-0x0000000001CD0000-0x0000000001D1D000-memory.dmp

Filesize
308KB

Download
memory/1976-85-0x0000000001CD0000-0x0000000001D1D000-memory.dmp

Filesize
308KB

Download
memory/1976-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-55-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download