3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7

Analysis

max time kernel
150s
max time network
176s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe
Size

308KB
MD5

3aedd07b5a621303e9bcac44e105e790
SHA1

5df7beee07fcadc576cc2c65b523d1044248aa0c
SHA256

3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7
SHA512

4cf6b92d1379f721d3f1145434fa6d5a0e07ee3c6f3ed97a9e642b4fce5ffe74557b6cf137e60bf10b0498a3e2dc1603ee7c2190dcddfcaef504a19cc26d90a6
SSDEEP

6144:b8LqykcP+wbqVi4/9xQu95WE+FB4gWOw69aY+2GHTrbJW6N3cGyf3Yim:b8Lqy7Jb0i47QWu1WOw6WPHTrbY6NMFU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	fulua.exe

Deletes itself 1 IoCs

pid	Process
1108	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe
960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fulua = "C:\\Users\\Admin\\AppData\\Roaming\\Owyf\\fulua.exe"	fulua.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	fulua.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe
1708	fulua.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1708	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	28
PID 960 wrote to memory of 1708	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	28
PID 960 wrote to memory of 1708	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	28
PID 960 wrote to memory of 1708	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	28
PID 1708 wrote to memory of 1232	1708	fulua.exe	17
PID 1708 wrote to memory of 1232	1708	fulua.exe	17
PID 1708 wrote to memory of 1232	1708	fulua.exe	17
PID 1708 wrote to memory of 1232	1708	fulua.exe	17
PID 1708 wrote to memory of 1232	1708	fulua.exe	17
PID 1708 wrote to memory of 1320	1708	fulua.exe	16
PID 1708 wrote to memory of 1320	1708	fulua.exe	16
PID 1708 wrote to memory of 1320	1708	fulua.exe	16
PID 1708 wrote to memory of 1320	1708	fulua.exe	16
PID 1708 wrote to memory of 1320	1708	fulua.exe	16
PID 1708 wrote to memory of 1384	1708	fulua.exe	15
PID 1708 wrote to memory of 1384	1708	fulua.exe	15
PID 1708 wrote to memory of 1384	1708	fulua.exe	15
PID 1708 wrote to memory of 1384	1708	fulua.exe	15
PID 1708 wrote to memory of 1384	1708	fulua.exe	15
PID 1708 wrote to memory of 960	1708	fulua.exe	18
PID 1708 wrote to memory of 960	1708	fulua.exe	18
PID 1708 wrote to memory of 960	1708	fulua.exe	18
PID 1708 wrote to memory of 960	1708	fulua.exe	18
PID 1708 wrote to memory of 960	1708	fulua.exe	18
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29
PID 960 wrote to memory of 1108	960	3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe
  "C:\Users\Admin\AppData\Local\Temp\3cf2e34b103edd62a351317a531a48c26207863e8306eecb97cc53cf392ef2d7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Roaming\Owyf\fulua.exe
    "C:\Users\Admin\AppData\Roaming\Owyf\fulua.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AGLE249.bat"
    3⤵
    - Deletes itself
    PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AGLE249.bat

Filesize
303B

MD5
3b1e94d0b9828155934525cf40abfe53

SHA1
cf86c597d7221f04cccbf51939291f795cad7686

SHA256
308129b690fd8b060ff76cdab2a1eb2b87bb756d438df54ed84e85810904b30e

SHA512
7b011628ea8713b44e05586600c2d814936701a3fa270b3db19a92b7c151a900b3280e514ef24e473abe40ed8289645ddceefec2ed56f82815df5070ded8a37a

Download Submit
C:\Users\Admin\AppData\Roaming\Owyf\fulua.exe

Filesize
308KB

MD5
24993d8ed529e199a4cc61f6ca2ed1df

SHA1
0e2cc986c482e889415e75b286b3be99d0590a2f

SHA256
9cf453cb4bcf67263349eaf34bf20e5d854b1f39194f3d90b5bc12db69319b80

SHA512
c0144a86c35a651c24ebffca0d6794d7a1fed1895ef1f459433da2e4691ff290c451760d1c0ff65d4833003073b1c6e1eb7eaa8d4a6024721f9200a1dc009734

Download Submit
C:\Users\Admin\AppData\Roaming\Owyf\fulua.exe

Filesize
308KB

MD5
24993d8ed529e199a4cc61f6ca2ed1df

SHA1
0e2cc986c482e889415e75b286b3be99d0590a2f

SHA256
9cf453cb4bcf67263349eaf34bf20e5d854b1f39194f3d90b5bc12db69319b80

SHA512
c0144a86c35a651c24ebffca0d6794d7a1fed1895ef1f459433da2e4691ff290c451760d1c0ff65d4833003073b1c6e1eb7eaa8d4a6024721f9200a1dc009734

Download Submit
\Users\Admin\AppData\Roaming\Owyf\fulua.exe

Filesize
308KB

MD5
24993d8ed529e199a4cc61f6ca2ed1df

SHA1
0e2cc986c482e889415e75b286b3be99d0590a2f

SHA256
9cf453cb4bcf67263349eaf34bf20e5d854b1f39194f3d90b5bc12db69319b80

SHA512
c0144a86c35a651c24ebffca0d6794d7a1fed1895ef1f459433da2e4691ff290c451760d1c0ff65d4833003073b1c6e1eb7eaa8d4a6024721f9200a1dc009734

Download Submit
\Users\Admin\AppData\Roaming\Owyf\fulua.exe

Filesize
308KB

MD5
24993d8ed529e199a4cc61f6ca2ed1df

SHA1
0e2cc986c482e889415e75b286b3be99d0590a2f

SHA256
9cf453cb4bcf67263349eaf34bf20e5d854b1f39194f3d90b5bc12db69319b80

SHA512
c0144a86c35a651c24ebffca0d6794d7a1fed1895ef1f459433da2e4691ff290c451760d1c0ff65d4833003073b1c6e1eb7eaa8d4a6024721f9200a1dc009734

Download Submit
memory/960-102-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/960-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/960-85-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/960-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/960-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-56-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/960-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/960-88-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/960-87-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/960-86-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/1108-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1108-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1108-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1108-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1108-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1108-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1232-70-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/1232-65-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/1232-68-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/1232-69-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/1232-67-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/1320-75-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1320-73-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1320-74-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1320-76-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1384-81-0x0000000002620000-0x0000000002669000-memory.dmp

Filesize
292KB

Download
memory/1384-79-0x0000000002620000-0x0000000002669000-memory.dmp

Filesize
292KB

Download
memory/1384-80-0x0000000002620000-0x0000000002669000-memory.dmp

Filesize
292KB

Download
memory/1384-82-0x0000000002620000-0x0000000002669000-memory.dmp

Filesize
292KB

Download
memory/1708-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download