2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115

Analysis

max time kernel
152s
max time network
178s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe
Size

301KB
MD5

fc3a5187b5cf5f92e0b40cb31a01f1db
SHA1

ac4ffcec9bf2c0a3989a516c78737c6cd37fa548
SHA256

2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115
SHA512

c68891fd569ba667e90995328ebbb5e437e0c2369545ae31f09b40f356bc2886892a7e112d930e22ae94fb656522afa1ca63295b3c51270f98a343c04d662b30
SSDEEP

6144:WKOadcbBWriOZ2z1IJq/6Z/yYaxZ2Fqy6+1V6a:WKldcbBKPtJq2amFqyLb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
908	ocjau.exe

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe
1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	ocjau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ocjau = "C:\\Users\\Admin\\AppData\\Roaming\\Issuo\\ocjau.exe"	ocjau.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe
908	ocjau.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 908	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	28
PID 1948 wrote to memory of 908	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	28
PID 1948 wrote to memory of 908	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	28
PID 1948 wrote to memory of 908	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	28
PID 908 wrote to memory of 1120	908	ocjau.exe	15
PID 908 wrote to memory of 1120	908	ocjau.exe	15
PID 908 wrote to memory of 1120	908	ocjau.exe	15
PID 908 wrote to memory of 1120	908	ocjau.exe	15
PID 908 wrote to memory of 1120	908	ocjau.exe	15
PID 908 wrote to memory of 1176	908	ocjau.exe	14
PID 908 wrote to memory of 1176	908	ocjau.exe	14
PID 908 wrote to memory of 1176	908	ocjau.exe	14
PID 908 wrote to memory of 1176	908	ocjau.exe	14
PID 908 wrote to memory of 1176	908	ocjau.exe	14
PID 908 wrote to memory of 1204	908	ocjau.exe	13
PID 908 wrote to memory of 1204	908	ocjau.exe	13
PID 908 wrote to memory of 1204	908	ocjau.exe	13
PID 908 wrote to memory of 1204	908	ocjau.exe	13
PID 908 wrote to memory of 1204	908	ocjau.exe	13
PID 908 wrote to memory of 1948	908	ocjau.exe	16
PID 908 wrote to memory of 1948	908	ocjau.exe	16
PID 908 wrote to memory of 1948	908	ocjau.exe	16
PID 908 wrote to memory of 1948	908	ocjau.exe	16
PID 908 wrote to memory of 1948	908	ocjau.exe	16
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29
PID 1948 wrote to memory of 1628	1948	2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe
  "C:\Users\Admin\AppData\Local\Temp\2e1f8a3b7440b51fc122d733cc3c989c359eeb17d12aaf4990513d628f47e115.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\Issuo\ocjau.exe
    "C:\Users\Admin\AppData\Roaming\Issuo\ocjau.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\LMI22D5.bat"
    3⤵
    - Deletes itself
    PID:1628

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LMI22D5.bat

Filesize
303B

MD5
0408cc4a9214d218a38d52f53cca8f49

SHA1
91437b106b41dccf35c00a3f870b01fffce4d4a0

SHA256
bfbb4ffb0a5814196e833b6f02a2ede70a579d3a6c7af11673717844f8b02236

SHA512
d1bbef425bb045938c2b812ad6489e0284719abafc47bf734d510fb66c004f09ba22c64bdb53fe7931fc133f074ceaa3a456c16bbbcff9bb20d6135e04faf807

Download Submit
C:\Users\Admin\AppData\Roaming\Issuo\ocjau.exe

Filesize
301KB

MD5
a69983e381a5475d98e8c24cc2a80fc2

SHA1
7a3e395966177dfdc24ecf712d081885914c032d

SHA256
aa7742d510ad7bdb725d2c1280561e3ae48835ed139b403644b7886d3486739e

SHA512
77e11524de28374c80c90d0c512afc629e0cf9a59b6762a24caf86733e907f732e9a498eeb4f712631bfc98b5a654ccdf0c5a1e2ed0ff60a7355c7efa07f0818

Download Submit
C:\Users\Admin\AppData\Roaming\Issuo\ocjau.exe

Filesize
301KB

MD5
a69983e381a5475d98e8c24cc2a80fc2

SHA1
7a3e395966177dfdc24ecf712d081885914c032d

SHA256
aa7742d510ad7bdb725d2c1280561e3ae48835ed139b403644b7886d3486739e

SHA512
77e11524de28374c80c90d0c512afc629e0cf9a59b6762a24caf86733e907f732e9a498eeb4f712631bfc98b5a654ccdf0c5a1e2ed0ff60a7355c7efa07f0818

Download Submit
\Users\Admin\AppData\Roaming\Issuo\ocjau.exe

Filesize
301KB

MD5
a69983e381a5475d98e8c24cc2a80fc2

SHA1
7a3e395966177dfdc24ecf712d081885914c032d

SHA256
aa7742d510ad7bdb725d2c1280561e3ae48835ed139b403644b7886d3486739e

SHA512
77e11524de28374c80c90d0c512afc629e0cf9a59b6762a24caf86733e907f732e9a498eeb4f712631bfc98b5a654ccdf0c5a1e2ed0ff60a7355c7efa07f0818

Download Submit
\Users\Admin\AppData\Roaming\Issuo\ocjau.exe

Filesize
301KB

MD5
a69983e381a5475d98e8c24cc2a80fc2

SHA1
7a3e395966177dfdc24ecf712d081885914c032d

SHA256
aa7742d510ad7bdb725d2c1280561e3ae48835ed139b403644b7886d3486739e

SHA512
77e11524de28374c80c90d0c512afc629e0cf9a59b6762a24caf86733e907f732e9a498eeb4f712631bfc98b5a654ccdf0c5a1e2ed0ff60a7355c7efa07f0818

Download Submit
memory/908-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1120-67-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x0000000001DC0000-0x0000000001E09000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001B00000-0x0000000001B49000-memory.dmp

Filesize
292KB

Download
memory/1204-82-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-81-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-79-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1204-80-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1628-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1628-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1628-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1628-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1628-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1948-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1948-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-103-0x0000000001D10000-0x000000000295A000-memory.dmp

Filesize
12.3MB

Download
memory/1948-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1948-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-88-0x0000000001E70000-0x0000000001EB9000-memory.dmp

Filesize
292KB

Download
memory/1948-87-0x0000000001E70000-0x0000000001EB9000-memory.dmp

Filesize
292KB

Download
memory/1948-86-0x0000000001E70000-0x0000000001EB9000-memory.dmp

Filesize
292KB

Download
memory/1948-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1948-85-0x0000000001E70000-0x0000000001EB9000-memory.dmp

Filesize
292KB

Download