7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135

Analysis

max time kernel
152s
max time network
200s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe
Size

368KB
MD5

1492c06464fbf92399ed8ba8aff8a4e7
SHA1

94e53381c9f3cec8e1d2cc07aa65aa84d8806b9e
SHA256

7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135
SHA512

33788a171bde3fc7ed5757481fbfff45225a7d5fa4f2f7555c224e4e5da1185eaebd7ebed316175628ab3265c63cb7184e67c76e6aa79c9bac8d184bdc20ae44
SSDEEP

6144:MvKTODKKX34vcXvRe0UUdtuNObc/6e1l2llEBsvtX1l1eO:8Bused1N3Nl2HvtH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1248	woojy.exe

Deletes itself 1 IoCs

pid	Process
592	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe
1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	woojy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Ehno\\woojy.exe"	woojy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe
1248	woojy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe
1248	woojy.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1248	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	28
PID 1232 wrote to memory of 1248	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	28
PID 1232 wrote to memory of 1248	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	28
PID 1232 wrote to memory of 1248	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	28
PID 1248 wrote to memory of 1152	1248	woojy.exe	18
PID 1248 wrote to memory of 1152	1248	woojy.exe	18
PID 1248 wrote to memory of 1152	1248	woojy.exe	18
PID 1248 wrote to memory of 1152	1248	woojy.exe	18
PID 1248 wrote to memory of 1152	1248	woojy.exe	18
PID 1248 wrote to memory of 1252	1248	woojy.exe	17
PID 1248 wrote to memory of 1252	1248	woojy.exe	17
PID 1248 wrote to memory of 1252	1248	woojy.exe	17
PID 1248 wrote to memory of 1252	1248	woojy.exe	17
PID 1248 wrote to memory of 1252	1248	woojy.exe	17
PID 1248 wrote to memory of 1336	1248	woojy.exe	16
PID 1248 wrote to memory of 1336	1248	woojy.exe	16
PID 1248 wrote to memory of 1336	1248	woojy.exe	16
PID 1248 wrote to memory of 1336	1248	woojy.exe	16
PID 1248 wrote to memory of 1336	1248	woojy.exe	16
PID 1248 wrote to memory of 1232	1248	woojy.exe	22
PID 1248 wrote to memory of 1232	1248	woojy.exe	22
PID 1248 wrote to memory of 1232	1248	woojy.exe	22
PID 1248 wrote to memory of 1232	1248	woojy.exe	22
PID 1248 wrote to memory of 1232	1248	woojy.exe	22
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1232 wrote to memory of 592	1232	7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe	29
PID 1248 wrote to memory of 1748	1248	woojy.exe	30
PID 1248 wrote to memory of 1748	1248	woojy.exe	30
PID 1248 wrote to memory of 1748	1248	woojy.exe	30
PID 1248 wrote to memory of 1748	1248	woojy.exe	30
PID 1248 wrote to memory of 1748	1248	woojy.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe
  "C:\Users\Admin\AppData\Local\Temp\7cbd9fc9e2189598f2e84a89a2f79d320584c837676b493fa2f0cfb0ba12a135.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Roaming\Ehno\woojy.exe
    "C:\Users\Admin\AppData\Roaming\Ehno\woojy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51c5240a.bat"
    3⤵
    - Deletes itself
    PID:592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26074374015983462434309544951997289432-16090413141178790911-86014814260823022"
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\feyn.umi

Filesize
466B

MD5
2181b56d4860119c23069172923579d6

SHA1
2ae21e5d7780ca061bcb720c1fc409b386fced33

SHA256
162d093f0d1a58fdb7693e4338fbca19bb628951cb0b5e770c54f4a0ea39c63d

SHA512
8d8a16f618afeb4adc06415251fba2ca44f16602e9766e15821aaf3ee8407dda1b64d5cd2699be02f2cfed610e156e8f23af03a4b54f12edfd6049c9c0a0d415

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51c5240a.bat

Filesize
307B

MD5
31da4028f5bd98c56db64e00fd7eb59b

SHA1
180d2646f32c820de8725ddbd98cd49e4b864eb3

SHA256
ff7ba3179af0ffd245c5c2940f5eafab509977765d9e1a2527c5fcc44fc38a9e

SHA512
ad2d6966c25651adc780b57d80549c093c118956d563a6dc4624ddc266bf6a8ef372a7cac99be278f2f5bd20526786386caa8b7f7af4150bc018f8676569515c

Download Submit
C:\Users\Admin\AppData\Roaming\Ehno\woojy.exe

Filesize
368KB

MD5
dd4e256b0b31d88849fa26368b1757b0

SHA1
5e8be4e4e034ed48b82f106626a3f625d0dc84d2

SHA256
fdd4b713352ee78feb6ad58861383c6fc78309bf6cfa44e899e54830a5f56764

SHA512
671d5ebcc3ebb1f80a570ef51142a10592d8f578191456375840c074d189b5b5f670f144edca6df4d49495ad6ac9d60e0982214b93b01d6cb807b8f1b2616535

Download Submit
C:\Users\Admin\AppData\Roaming\Ehno\woojy.exe

Filesize
368KB

MD5
dd4e256b0b31d88849fa26368b1757b0

SHA1
5e8be4e4e034ed48b82f106626a3f625d0dc84d2

SHA256
fdd4b713352ee78feb6ad58861383c6fc78309bf6cfa44e899e54830a5f56764

SHA512
671d5ebcc3ebb1f80a570ef51142a10592d8f578191456375840c074d189b5b5f670f144edca6df4d49495ad6ac9d60e0982214b93b01d6cb807b8f1b2616535

Download Submit
\Users\Admin\AppData\Roaming\Ehno\woojy.exe

Filesize
368KB

MD5
dd4e256b0b31d88849fa26368b1757b0

SHA1
5e8be4e4e034ed48b82f106626a3f625d0dc84d2

SHA256
fdd4b713352ee78feb6ad58861383c6fc78309bf6cfa44e899e54830a5f56764

SHA512
671d5ebcc3ebb1f80a570ef51142a10592d8f578191456375840c074d189b5b5f670f144edca6df4d49495ad6ac9d60e0982214b93b01d6cb807b8f1b2616535

Download Submit
\Users\Admin\AppData\Roaming\Ehno\woojy.exe

Filesize
368KB

MD5
dd4e256b0b31d88849fa26368b1757b0

SHA1
5e8be4e4e034ed48b82f106626a3f625d0dc84d2

SHA256
fdd4b713352ee78feb6ad58861383c6fc78309bf6cfa44e899e54830a5f56764

SHA512
671d5ebcc3ebb1f80a570ef51142a10592d8f578191456375840c074d189b5b5f670f144edca6df4d49495ad6ac9d60e0982214b93b01d6cb807b8f1b2616535

Download Submit
memory/592-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-112-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1152-65-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-63-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-67-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-68-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1152-66-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1232-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1232-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-83-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1232-84-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1232-85-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1232-86-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1232-87-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1232-88-0x00000000003A0000-0x00000000003FF000-memory.dmp

Filesize
380KB

Download
memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1232-103-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1232-93-0x0000000001EF0000-0x0000000001F4F000-memory.dmp

Filesize
380KB

Download
memory/1248-92-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1248-91-0x0000000001D20000-0x0000000001D7F000-memory.dmp

Filesize
380KB

Download
memory/1248-90-0x0000000000460000-0x00000000004A4000-memory.dmp

Filesize
272KB

Download
memory/1252-74-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-73-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-72-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1252-71-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1336-77-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-78-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-80-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1336-79-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/1748-106-0x0000000001940000-0x0000000001984000-memory.dmp

Filesize
272KB

Download
memory/1748-107-0x0000000001940000-0x0000000001984000-memory.dmp

Filesize
272KB

Download
memory/1748-108-0x0000000001940000-0x0000000001984000-memory.dmp

Filesize
272KB

Download
memory/1748-109-0x0000000001940000-0x0000000001984000-memory.dmp

Filesize
272KB

Download