783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe
Size

300KB
MD5

c8e3183efb6a5fdbad0f88c6c03d6a8b
SHA1

5ce08914dd77668be2a91aaad9be51459c598294
SHA256

783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a
SHA512

b46127ec4b0b0637e330549d10afe5896846acd321698a4efd9cf2a8bd62cce365ead1c30abf279ed1bcc4807aad5c60c3ee355fd8144f014baea5646710aa8c
SSDEEP

6144:DrCuRAtfgvIZDe6w/JwHdZHdV/pfdJXFnpAQTNWIOJh8:DrZAlfZyuHdJdV/BXFnpzBWr8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	hyoxq.exe

Deletes itself 1 IoCs

pid	Process
1656	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe
1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	hyoxq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hyoxq = "C:\\Users\\Admin\\AppData\\Roaming\\Olata\\hyoxq.exe"	hyoxq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe
1704	hyoxq.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1704	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	26
PID 1708 wrote to memory of 1704	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	26
PID 1708 wrote to memory of 1704	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	26
PID 1708 wrote to memory of 1704	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	26
PID 1704 wrote to memory of 1124	1704	hyoxq.exe	16
PID 1704 wrote to memory of 1124	1704	hyoxq.exe	16
PID 1704 wrote to memory of 1124	1704	hyoxq.exe	16
PID 1704 wrote to memory of 1124	1704	hyoxq.exe	16
PID 1704 wrote to memory of 1124	1704	hyoxq.exe	16
PID 1704 wrote to memory of 1180	1704	hyoxq.exe	15
PID 1704 wrote to memory of 1180	1704	hyoxq.exe	15
PID 1704 wrote to memory of 1180	1704	hyoxq.exe	15
PID 1704 wrote to memory of 1180	1704	hyoxq.exe	15
PID 1704 wrote to memory of 1180	1704	hyoxq.exe	15
PID 1704 wrote to memory of 1224	1704	hyoxq.exe	13
PID 1704 wrote to memory of 1224	1704	hyoxq.exe	13
PID 1704 wrote to memory of 1224	1704	hyoxq.exe	13
PID 1704 wrote to memory of 1224	1704	hyoxq.exe	13
PID 1704 wrote to memory of 1224	1704	hyoxq.exe	13
PID 1704 wrote to memory of 1708	1704	hyoxq.exe	14
PID 1704 wrote to memory of 1708	1704	hyoxq.exe	14
PID 1704 wrote to memory of 1708	1704	hyoxq.exe	14
PID 1704 wrote to memory of 1708	1704	hyoxq.exe	14
PID 1704 wrote to memory of 1708	1704	hyoxq.exe	14
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27
PID 1708 wrote to memory of 1656	1708	783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe
  "C:\Users\Admin\AppData\Local\Temp\783f3ad49ba8de049caa788015471439cb750f3e8c6141a21cdb56ff16499d3a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Roaming\Olata\hyoxq.exe
    "C:\Users\Admin\AppData\Roaming\Olata\hyoxq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACRC9DE.bat"
    3⤵
    - Deletes itself
    PID:1656

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACRC9DE.bat

Filesize
303B

MD5
c95ef4c8c7689295d7def55d0b9bd683

SHA1
e2aa7c5d2db2bd24ece039a1608a281b9f7121c5

SHA256
9083f257969e51aa2e63d3efbd13d8bf54e0c85a26bab83c920bcd8a1a4ebc3b

SHA512
44b75248a8b17472f203b48a79679a3a5dda68d994ebd721b837794cb3ff0de5a0a42b2e94b5c53c28d9d3d8775a522d01f5b5f002b6f9163823360dbca4fb72

Download Submit
C:\Users\Admin\AppData\Roaming\Olata\hyoxq.exe

Filesize
300KB

MD5
ef1540659f71b076ca2d944195416820

SHA1
200ae0116378b4671528a54a2dec26da91c55db8

SHA256
9c72435e5fd01914703fb04a436f2934e09ccd993577766223153b4d0bbe88f5

SHA512
5bb0e122f3eac3633ca1be07d84984bd36c1a76721601a61e5d8ecab33f3141dac656b67419616f73e860c4dd51bd7405b6a87f928c1b653750008e980c29500

Download Submit
C:\Users\Admin\AppData\Roaming\Olata\hyoxq.exe

Filesize
300KB

MD5
ef1540659f71b076ca2d944195416820

SHA1
200ae0116378b4671528a54a2dec26da91c55db8

SHA256
9c72435e5fd01914703fb04a436f2934e09ccd993577766223153b4d0bbe88f5

SHA512
5bb0e122f3eac3633ca1be07d84984bd36c1a76721601a61e5d8ecab33f3141dac656b67419616f73e860c4dd51bd7405b6a87f928c1b653750008e980c29500

Download Submit
\Users\Admin\AppData\Roaming\Olata\hyoxq.exe

Filesize
300KB

MD5
ef1540659f71b076ca2d944195416820

SHA1
200ae0116378b4671528a54a2dec26da91c55db8

SHA256
9c72435e5fd01914703fb04a436f2934e09ccd993577766223153b4d0bbe88f5

SHA512
5bb0e122f3eac3633ca1be07d84984bd36c1a76721601a61e5d8ecab33f3141dac656b67419616f73e860c4dd51bd7405b6a87f928c1b653750008e980c29500

Download Submit
\Users\Admin\AppData\Roaming\Olata\hyoxq.exe

Filesize
300KB

MD5
ef1540659f71b076ca2d944195416820

SHA1
200ae0116378b4671528a54a2dec26da91c55db8

SHA256
9c72435e5fd01914703fb04a436f2934e09ccd993577766223153b4d0bbe88f5

SHA512
5bb0e122f3eac3633ca1be07d84984bd36c1a76721601a61e5d8ecab33f3141dac656b67419616f73e860c4dd51bd7405b6a87f928c1b653750008e980c29500

Download Submit
memory/1124-68-0x0000000001C00000-0x0000000001C49000-memory.dmp

Filesize
292KB

Download
memory/1124-65-0x0000000001C00000-0x0000000001C49000-memory.dmp

Filesize
292KB

Download
memory/1124-67-0x0000000001C00000-0x0000000001C49000-memory.dmp

Filesize
292KB

Download
memory/1124-69-0x0000000001C00000-0x0000000001C49000-memory.dmp

Filesize
292KB

Download
memory/1124-70-0x0000000001C00000-0x0000000001C49000-memory.dmp

Filesize
292KB

Download
memory/1180-73-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1180-74-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1180-75-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1180-76-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1224-81-0x0000000002B20000-0x0000000002B69000-memory.dmp

Filesize
292KB

Download
memory/1224-82-0x0000000002B20000-0x0000000002B69000-memory.dmp

Filesize
292KB

Download
memory/1224-80-0x0000000002B20000-0x0000000002B69000-memory.dmp

Filesize
292KB

Download
memory/1224-79-0x0000000002B20000-0x0000000002B69000-memory.dmp

Filesize
292KB

Download
memory/1656-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1656-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-114-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1656-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1656-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1656-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1656-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1704-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1708-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-104-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-91-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-88-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-87-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-86-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-85-0x00000000005F0000-0x0000000000639000-memory.dmp

Filesize
292KB

Download
memory/1708-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download