d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479

Analysis

max time kernel
189s
max time network
234s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe
Size

377KB
MD5

e31a72a2969441513d6fd427d365eaba
SHA1

304a3aada3eed99e1f1790713a41fcd69590fc94
SHA256

d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479
SHA512

cbbb815208298e6a7b8782fb48630ba3fa3240bc708fbee8ba298de776b3bd355e13cdf375f5f6f746f199521fcc2e50f5cf57d36c371f19d5643fd145e893bf
SSDEEP

6144:gs1dB7c9VzrA98jUxh5R8WyPDh/S5PE6KRnhJRSkJpuuuuuuuuuuuuuuuuuuuuue:gZnA98wh7aPDha5P+fpuuuuuuuuuuuuN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1036	suor.exe

Deletes itself 1 IoCs

pid	Process
840	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe
1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	suor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Iqoj\\suor.exe"	suor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1412 set thread context of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe
1036	suor.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1036	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	28
PID 1412 wrote to memory of 1036	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	28
PID 1412 wrote to memory of 1036	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	28
PID 1412 wrote to memory of 1036	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	28
PID 1036 wrote to memory of 1148	1036	suor.exe	15
PID 1036 wrote to memory of 1148	1036	suor.exe	15
PID 1036 wrote to memory of 1148	1036	suor.exe	15
PID 1036 wrote to memory of 1148	1036	suor.exe	15
PID 1036 wrote to memory of 1148	1036	suor.exe	15
PID 1036 wrote to memory of 1236	1036	suor.exe	14
PID 1036 wrote to memory of 1236	1036	suor.exe	14
PID 1036 wrote to memory of 1236	1036	suor.exe	14
PID 1036 wrote to memory of 1236	1036	suor.exe	14
PID 1036 wrote to memory of 1236	1036	suor.exe	14
PID 1036 wrote to memory of 1272	1036	suor.exe	13
PID 1036 wrote to memory of 1272	1036	suor.exe	13
PID 1036 wrote to memory of 1272	1036	suor.exe	13
PID 1036 wrote to memory of 1272	1036	suor.exe	13
PID 1036 wrote to memory of 1272	1036	suor.exe	13
PID 1036 wrote to memory of 1412	1036	suor.exe	20
PID 1036 wrote to memory of 1412	1036	suor.exe	20
PID 1036 wrote to memory of 1412	1036	suor.exe	20
PID 1036 wrote to memory of 1412	1036	suor.exe	20
PID 1036 wrote to memory of 1412	1036	suor.exe	20
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1412 wrote to memory of 840	1412	d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe	29
PID 1036 wrote to memory of 1212	1036	suor.exe	31
PID 1036 wrote to memory of 1212	1036	suor.exe	31
PID 1036 wrote to memory of 1212	1036	suor.exe	31
PID 1036 wrote to memory of 1212	1036	suor.exe	31
PID 1036 wrote to memory of 1212	1036	suor.exe	31
PID 1036 wrote to memory of 1712	1036	suor.exe	32
PID 1036 wrote to memory of 1712	1036	suor.exe	32
PID 1036 wrote to memory of 1712	1036	suor.exe	32
PID 1036 wrote to memory of 1712	1036	suor.exe	32
PID 1036 wrote to memory of 1712	1036	suor.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe
  "C:\Users\Admin\AppData\Local\Temp\d1b676548d0e0d3033a36f74ec7c65f23a3729529dda4eea9b84cde9840d9479.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Roaming\Iqoj\suor.exe
    "C:\Users\Admin\AppData\Roaming\Iqoj\suor.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5cd578cb.bat"
    3⤵
    - Deletes itself
    PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5cd578cb.bat

Filesize
307B

MD5
ce96273e3b8a92ede3be07e29b25191f

SHA1
5e04fc9a4694b9b10e976285cfe8bffa02a89d9d

SHA256
317572b5fa58d7cc47039f025193473ad41a7ba7c23cc71903ae9cbf943ee2c5

SHA512
35c9a88af8aafcb038211b8a24e82f1b24373f0ce75d08c01ee6a80afac1268ab644bfb28436c2a670c74c6452325af43b291df03b888a8a7a805f0a7c4c778c

Download Submit
C:\Users\Admin\AppData\Roaming\Iqoj\suor.exe

Filesize
377KB

MD5
c08db8223bb9d31163ede1ec8859d25b

SHA1
f66253b878bdf64711d50604cf48c161e37a9e4a

SHA256
058f25d6812f8e6390de8215af54106f48541ed0db0734cf09b23b962d1a7569

SHA512
fa9431bc6dc805f1f7a5e4a206187c9552c5583166b32f58ce39200767227f5f23bff2bd8d2508af4d72bb6c0516d9d658c2b66f861c109d1d1d3ea3c45a3720

Download Submit
C:\Users\Admin\AppData\Roaming\Iqoj\suor.exe

Filesize
377KB

MD5
c08db8223bb9d31163ede1ec8859d25b

SHA1
f66253b878bdf64711d50604cf48c161e37a9e4a

SHA256
058f25d6812f8e6390de8215af54106f48541ed0db0734cf09b23b962d1a7569

SHA512
fa9431bc6dc805f1f7a5e4a206187c9552c5583166b32f58ce39200767227f5f23bff2bd8d2508af4d72bb6c0516d9d658c2b66f861c109d1d1d3ea3c45a3720

Download Submit
\Users\Admin\AppData\Roaming\Iqoj\suor.exe

Filesize
377KB

MD5
c08db8223bb9d31163ede1ec8859d25b

SHA1
f66253b878bdf64711d50604cf48c161e37a9e4a

SHA256
058f25d6812f8e6390de8215af54106f48541ed0db0734cf09b23b962d1a7569

SHA512
fa9431bc6dc805f1f7a5e4a206187c9552c5583166b32f58ce39200767227f5f23bff2bd8d2508af4d72bb6c0516d9d658c2b66f861c109d1d1d3ea3c45a3720

Download Submit
\Users\Admin\AppData\Roaming\Iqoj\suor.exe

Filesize
377KB

MD5
c08db8223bb9d31163ede1ec8859d25b

SHA1
f66253b878bdf64711d50604cf48c161e37a9e4a

SHA256
058f25d6812f8e6390de8215af54106f48541ed0db0734cf09b23b962d1a7569

SHA512
fa9431bc6dc805f1f7a5e4a206187c9552c5583166b32f58ce39200767227f5f23bff2bd8d2508af4d72bb6c0516d9d658c2b66f861c109d1d1d3ea3c45a3720

Download Submit
memory/840-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/840-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1148-67-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1148-68-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1148-63-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1148-65-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1148-66-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1212-101-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1212-103-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1212-104-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1212-102-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1236-73-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1236-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1236-72-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1236-71-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1272-80-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1272-79-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1272-77-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1272-78-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1412-85-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1412-84-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1412-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1412-83-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1412-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1412-95-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1412-86-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1712-107-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1712-108-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1712-109-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1712-110-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download