1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe
Size

252KB
MD5

720dbe91f9b716046b8886912ba1710b
SHA1

6ee5eb960f56bde8b9ddf0411e7a39a05f9cc5a6
SHA256

1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5
SHA512

42d8ae7ef0c76a42f590ec21bcabf4b48454ea18898f15490468f3bff1b19b181b3a8f26caeeda433d8b752ee849c3781b13096a4586e4e94a90dbd2574b29a6
SSDEEP

6144:GAMp71V3yAaKkpyZAfBpgl3qAAXqCYooMzX+b1CJFhEs44DBU5:GVpTzaKkM3FRA6CYN041Cnhb449U

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1704	ophu.exe
1240	ophu.exe

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe
1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1704 set thread context of 1240	1704	ophu.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1240	ophu.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe
Token: SeSecurityPrivilege	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1060 wrote to memory of 1188	1060	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	27
PID 1188 wrote to memory of 1704	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	28
PID 1188 wrote to memory of 1704	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	28
PID 1188 wrote to memory of 1704	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	28
PID 1188 wrote to memory of 1704	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	28
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1704 wrote to memory of 1240	1704	ophu.exe	29
PID 1240 wrote to memory of 1160	1240	ophu.exe	17
PID 1240 wrote to memory of 1160	1240	ophu.exe	17
PID 1240 wrote to memory of 1160	1240	ophu.exe	17
PID 1188 wrote to memory of 1344	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	30
PID 1188 wrote to memory of 1344	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	30
PID 1188 wrote to memory of 1344	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	30
PID 1188 wrote to memory of 1344	1188	1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe	30
PID 1240 wrote to memory of 1160	1240	ophu.exe	17
PID 1240 wrote to memory of 1160	1240	ophu.exe	17

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe
"C:\Users\Admin\AppData\Local\Temp\1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060
- \??\c:\users\admin\appdata\local\temp\1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe
  "c:\users\admin\appdata\local\temp\1c76b3e9748485d1825ed67dd64d2801245055f3a68fe33d741c1e470812fae5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\AppData\Roaming\Ubfu\ophu.exe
    "C:\Users\Admin\AppData\Roaming\Ubfu\ophu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - \??\c:\users\admin\appdata\roaming\ubfu\ophu.exe
      "c:\users\admin\appdata\roaming\ubfu\ophu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc6d00c2f.bat"
    3⤵
    - Deletes itself
    PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc6d00c2f.bat

Filesize
307B

MD5
e7448a5cd9fc09598f451a037a399be9

SHA1
fc5d8c74786265c6eed956a187901eade0129816

SHA256
b9e7f5a289c26e7545168a6e55bba033d95d1ad47de682bbf2f8ff84cdd23d5d

SHA512
6e945274d989aa03726f9590eb70b457e4dfe4e95e3b2cffc00dfde9220828c8d6ae386092d6eec588034a4ef469f86936ded87643e22a2c21b10cc5f0ec90c8

Download Submit
C:\Users\Admin\AppData\Roaming\Ubfu\ophu.exe

Filesize
252KB

MD5
5c87dde58983bb3caa263ef91125fcc7

SHA1
99c9192def62a53f238af8d171d3774474f38785

SHA256
c6c5c3bdd26c25d63130aaf81be5260723d6ec35a1e03c4fda2fdc251760d4d6

SHA512
2323f7bf167f4c82c819a9f3758518e951f9234c6688f3d3b02a582384c2a23f89db28fc733fdf804405a934a7643dde824c9a15178ea44d73f605986ce5b083

Download Submit
C:\Users\Admin\AppData\Roaming\Ubfu\ophu.exe

Filesize
252KB

MD5
5c87dde58983bb3caa263ef91125fcc7

SHA1
99c9192def62a53f238af8d171d3774474f38785

SHA256
c6c5c3bdd26c25d63130aaf81be5260723d6ec35a1e03c4fda2fdc251760d4d6

SHA512
2323f7bf167f4c82c819a9f3758518e951f9234c6688f3d3b02a582384c2a23f89db28fc733fdf804405a934a7643dde824c9a15178ea44d73f605986ce5b083

Download Submit
\??\c:\users\admin\appdata\roaming\ubfu\ophu.exe

Filesize
252KB

MD5
5c87dde58983bb3caa263ef91125fcc7

SHA1
99c9192def62a53f238af8d171d3774474f38785

SHA256
c6c5c3bdd26c25d63130aaf81be5260723d6ec35a1e03c4fda2fdc251760d4d6

SHA512
2323f7bf167f4c82c819a9f3758518e951f9234c6688f3d3b02a582384c2a23f89db28fc733fdf804405a934a7643dde824c9a15178ea44d73f605986ce5b083

Download Submit
\Users\Admin\AppData\Roaming\Ubfu\ophu.exe

Filesize
252KB

MD5
5c87dde58983bb3caa263ef91125fcc7

SHA1
99c9192def62a53f238af8d171d3774474f38785

SHA256
c6c5c3bdd26c25d63130aaf81be5260723d6ec35a1e03c4fda2fdc251760d4d6

SHA512
2323f7bf167f4c82c819a9f3758518e951f9234c6688f3d3b02a582384c2a23f89db28fc733fdf804405a934a7643dde824c9a15178ea44d73f605986ce5b083

Download Submit
\Users\Admin\AppData\Roaming\Ubfu\ophu.exe

Filesize
252KB

MD5
5c87dde58983bb3caa263ef91125fcc7

SHA1
99c9192def62a53f238af8d171d3774474f38785

SHA256
c6c5c3bdd26c25d63130aaf81be5260723d6ec35a1e03c4fda2fdc251760d4d6

SHA512
2323f7bf167f4c82c819a9f3758518e951f9234c6688f3d3b02a582384c2a23f89db28fc733fdf804405a934a7643dde824c9a15178ea44d73f605986ce5b083

Download Submit
memory/1160-84-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1160-87-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1160-83-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1160-85-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1188-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-63-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1188-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1240-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download