cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0

Analysis

max time kernel
233s
max time network
313s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe
Size

269KB
MD5

c454b22431143c3761e2c2593fd2f631
SHA1

d3a2b1406ab080811489861559e5a15329bd73a6
SHA256

cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0
SHA512

d12c50e57dc84efa7f7258c2935d6b444fcb97bbe40301dbf6a1eb01ed2d5f976c98cdcb12a6d81b5bbcc1fbb4a94a868764a5a1e9276cf0e16e5ddc0570a107
SSDEEP

6144:xiNPdDQHwWKseiAzgNi6IemvG88RBQ4oPD6mrGZHXmGX8:pHqsRQgVInoXocB8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
520	lourk.exe

Deletes itself 1 IoCs

pid	Process
988	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe
1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	lourk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Uxsese\\lourk.exe"	lourk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe
520	lourk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe
520	lourk.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 520	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	28
PID 1072 wrote to memory of 520	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	28
PID 1072 wrote to memory of 520	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	28
PID 1072 wrote to memory of 520	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	28
PID 520 wrote to memory of 1124	520	lourk.exe	11
PID 520 wrote to memory of 1124	520	lourk.exe	11
PID 520 wrote to memory of 1124	520	lourk.exe	11
PID 520 wrote to memory of 1124	520	lourk.exe	11
PID 520 wrote to memory of 1124	520	lourk.exe	11
PID 520 wrote to memory of 1192	520	lourk.exe	20
PID 520 wrote to memory of 1192	520	lourk.exe	20
PID 520 wrote to memory of 1192	520	lourk.exe	20
PID 520 wrote to memory of 1192	520	lourk.exe	20
PID 520 wrote to memory of 1192	520	lourk.exe	20
PID 520 wrote to memory of 1252	520	lourk.exe	13
PID 520 wrote to memory of 1252	520	lourk.exe	13
PID 520 wrote to memory of 1252	520	lourk.exe	13
PID 520 wrote to memory of 1252	520	lourk.exe	13
PID 520 wrote to memory of 1252	520	lourk.exe	13
PID 520 wrote to memory of 1072	520	lourk.exe	27
PID 520 wrote to memory of 1072	520	lourk.exe	27
PID 520 wrote to memory of 1072	520	lourk.exe	27
PID 520 wrote to memory of 1072	520	lourk.exe	27
PID 520 wrote to memory of 1072	520	lourk.exe	27
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 1072 wrote to memory of 988	1072	cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe	29
PID 520 wrote to memory of 1900	520	lourk.exe	30
PID 520 wrote to memory of 1900	520	lourk.exe	30
PID 520 wrote to memory of 1900	520	lourk.exe	30
PID 520 wrote to memory of 1900	520	lourk.exe	30
PID 520 wrote to memory of 1900	520	lourk.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe
  "C:\Users\Admin\AppData\Local\Temp\cc79ac9f98386e0a9fe1ae6ab299cc365e87d3fa96d33d4b8e7a97d492b374e0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\Uxsese\lourk.exe
    "C:\Users\Admin\AppData\Roaming\Uxsese\lourk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp43307bea.bat"
    3⤵
    - Deletes itself
    PID:988

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181225421-690704633-1227328825-802199726-1704300965-353629339-77005041552532917"
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp43307bea.bat

Filesize
307B

MD5
6b5cf6a7a9ee344ae59207c7dae093b9

SHA1
81f95539cfec926d4f51aab834fdaef910c798c0

SHA256
82c07f159a3d184773cb908bf2daf9f2e7e5c7e5c9e7f769f815835789a981ef

SHA512
4e6b589007ba25c967a8314e9195d5af85d6b55baff7a0a39e61c59e3c64e39141cbda1fe059b43f63e1ad56685942b25af7f2ca884e0502256b75b40b8245e7

Download Submit
C:\Users\Admin\AppData\Roaming\Uxsese\lourk.exe

Filesize
269KB

MD5
7ac4dd95b6f7871cfdfd4a0fa3603891

SHA1
5ce8424c1ad3a34b3c0e4b0cf5bf6af68a92ceb9

SHA256
74e4c580526c68820116628360764f57382e3b51937dbf51369144e658560bb1

SHA512
a737d153fd494d093b741af03e3c19dd9d4dbc94b9c9efd59d594fe15332c5ea5224507361a4c12395fdacd91b5489ff1fb37a5bcc5bd4bd326d7990bf951b69

Download Submit
C:\Users\Admin\AppData\Roaming\Uxsese\lourk.exe

Filesize
269KB

MD5
7ac4dd95b6f7871cfdfd4a0fa3603891

SHA1
5ce8424c1ad3a34b3c0e4b0cf5bf6af68a92ceb9

SHA256
74e4c580526c68820116628360764f57382e3b51937dbf51369144e658560bb1

SHA512
a737d153fd494d093b741af03e3c19dd9d4dbc94b9c9efd59d594fe15332c5ea5224507361a4c12395fdacd91b5489ff1fb37a5bcc5bd4bd326d7990bf951b69

Download Submit
\Users\Admin\AppData\Roaming\Uxsese\lourk.exe

Filesize
269KB

MD5
7ac4dd95b6f7871cfdfd4a0fa3603891

SHA1
5ce8424c1ad3a34b3c0e4b0cf5bf6af68a92ceb9

SHA256
74e4c580526c68820116628360764f57382e3b51937dbf51369144e658560bb1

SHA512
a737d153fd494d093b741af03e3c19dd9d4dbc94b9c9efd59d594fe15332c5ea5224507361a4c12395fdacd91b5489ff1fb37a5bcc5bd4bd326d7990bf951b69

Download Submit
\Users\Admin\AppData\Roaming\Uxsese\lourk.exe

Filesize
269KB

MD5
7ac4dd95b6f7871cfdfd4a0fa3603891

SHA1
5ce8424c1ad3a34b3c0e4b0cf5bf6af68a92ceb9

SHA256
74e4c580526c68820116628360764f57382e3b51937dbf51369144e658560bb1

SHA512
a737d153fd494d093b741af03e3c19dd9d4dbc94b9c9efd59d594fe15332c5ea5224507361a4c12395fdacd91b5489ff1fb37a5bcc5bd4bd326d7990bf951b69

Download Submit
memory/520-77-0x0000000000330000-0x000000000037A000-memory.dmp

Filesize
296KB

Download
memory/520-79-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-75-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/988-100-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/988-110-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/988-96-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/988-99-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/988-98-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1072-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1072-112-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1072-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1072-108-0x0000000001DE0000-0x0000000001E2A000-memory.dmp

Filesize
296KB

Download
memory/1072-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1072-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1072-90-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1072-57-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1072-58-0x0000000000340000-0x000000000038A000-memory.dmp

Filesize
296KB

Download
memory/1072-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1072-93-0x0000000001DE0000-0x0000000001E2A000-memory.dmp

Filesize
296KB

Download
memory/1072-89-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1072-91-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1072-92-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1124-66-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/1124-71-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/1124-68-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/1124-69-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/1124-70-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/1192-74-0x0000000000150000-0x0000000000192000-memory.dmp

Filesize
264KB

Download
memory/1192-76-0x0000000000150000-0x0000000000192000-memory.dmp

Filesize
264KB

Download
memory/1192-78-0x0000000000150000-0x0000000000192000-memory.dmp

Filesize
264KB

Download
memory/1192-80-0x0000000000150000-0x0000000000192000-memory.dmp

Filesize
264KB

Download
memory/1252-84-0x0000000002BE0000-0x0000000002C22000-memory.dmp

Filesize
264KB

Download
memory/1252-83-0x0000000002BE0000-0x0000000002C22000-memory.dmp

Filesize
264KB

Download
memory/1252-85-0x0000000002BE0000-0x0000000002C22000-memory.dmp

Filesize
264KB

Download
memory/1252-86-0x0000000002BE0000-0x0000000002C22000-memory.dmp

Filesize
264KB

Download
memory/1900-104-0x0000000001960000-0x00000000019A2000-memory.dmp

Filesize
264KB

Download
memory/1900-105-0x0000000001960000-0x00000000019A2000-memory.dmp

Filesize
264KB

Download
memory/1900-106-0x0000000001960000-0x00000000019A2000-memory.dmp

Filesize
264KB

Download
memory/1900-107-0x0000000001960000-0x00000000019A2000-memory.dmp

Filesize
264KB

Download