b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe
Size

330KB
MD5

512f98dcaff4fd1e74b21cb41f7fe5ba
SHA1

debb91c18b7de4b66696fa3672ecf9b027f59ed4
SHA256

b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938
SHA512

185c8078aceae9180defd1a0c44206685d238b92d202340ba4bd2a6e64e1a64a9cf0959947d2d1a7c35394c64b66255f0305a730fd3d6d8f59b11f7679b0d327
SSDEEP

6144:tYwaU+TjJN6Qy/VcHoUKIVflNiLoWtMV9QJTPPWZYb/Y:mwP+P6QEYooiX+V9Q1nWZN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	woada.exe

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe
2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	woada.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Taabes\\woada.exe"	woada.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe
940	woada.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe
940	woada.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 940	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	27
PID 2032 wrote to memory of 940	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	27
PID 2032 wrote to memory of 940	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	27
PID 2032 wrote to memory of 940	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	27
PID 940 wrote to memory of 1232	940	woada.exe	9
PID 940 wrote to memory of 1232	940	woada.exe	9
PID 940 wrote to memory of 1232	940	woada.exe	9
PID 940 wrote to memory of 1232	940	woada.exe	9
PID 940 wrote to memory of 1232	940	woada.exe	9
PID 940 wrote to memory of 1328	940	woada.exe	16
PID 940 wrote to memory of 1328	940	woada.exe	16
PID 940 wrote to memory of 1328	940	woada.exe	16
PID 940 wrote to memory of 1328	940	woada.exe	16
PID 940 wrote to memory of 1328	940	woada.exe	16
PID 940 wrote to memory of 1368	940	woada.exe	15
PID 940 wrote to memory of 1368	940	woada.exe	15
PID 940 wrote to memory of 1368	940	woada.exe	15
PID 940 wrote to memory of 1368	940	woada.exe	15
PID 940 wrote to memory of 1368	940	woada.exe	15
PID 940 wrote to memory of 2032	940	woada.exe	26
PID 940 wrote to memory of 2032	940	woada.exe	26
PID 940 wrote to memory of 2032	940	woada.exe	26
PID 940 wrote to memory of 2032	940	woada.exe	26
PID 940 wrote to memory of 2032	940	woada.exe	26
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 2032 wrote to memory of 1768	2032	b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe	28
PID 940 wrote to memory of 884	940	woada.exe	30
PID 940 wrote to memory of 884	940	woada.exe	30
PID 940 wrote to memory of 884	940	woada.exe	30
PID 940 wrote to memory of 884	940	woada.exe	30
PID 940 wrote to memory of 884	940	woada.exe	30
PID 940 wrote to memory of 1908	940	woada.exe	31
PID 940 wrote to memory of 1908	940	woada.exe	31
PID 940 wrote to memory of 1908	940	woada.exe	31
PID 940 wrote to memory of 1908	940	woada.exe	31
PID 940 wrote to memory of 1908	940	woada.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe
  "C:\Users\Admin\AppData\Local\Temp\b24fd91259e61918d7a5664e178b1360bcad3cc15a0a7f6c8df85fe6e39af938.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Taabes\woada.exe
    "C:\Users\Admin\AppData\Roaming\Taabes\woada.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd0d00486.bat"
    3⤵
    - Deletes itself
    PID:1768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd0d00486.bat

Filesize
307B

MD5
eaa3ad5349ee485ec9c54d7d43d14404

SHA1
ba451c7d9ac3b242fed5078000238ac294ac5e61

SHA256
effc650c909fb2c35298778d80758574809472331c353686de717e7057f94ae8

SHA512
1dc37a31a67c8c7b09acefb19ead32ca851fca1f13467b5292e84206fa41626534175fe7d90da125fb762e807d9ff6cfeee38d0ca0da1b4a07ee34d5f6c3f0e5

Download Submit
C:\Users\Admin\AppData\Roaming\Taabes\woada.exe

Filesize
330KB

MD5
e3ae5f852c720088688df424336c7d31

SHA1
93b2057c486f5c6b4ff0f472ff166eb845d58424

SHA256
f31eca440bd1ee594311155d853cb115221b2b83949b42b5ac6a2c195075b647

SHA512
cbe6758954054983bc08a5dbe23836482d949643aa07881a2075ff4b056c291ebfbc7c1abede025b08d8d8d2105ba7522c18e2d4f54d365749c09e4e7e3b3b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Taabes\woada.exe

Filesize
330KB

MD5
e3ae5f852c720088688df424336c7d31

SHA1
93b2057c486f5c6b4ff0f472ff166eb845d58424

SHA256
f31eca440bd1ee594311155d853cb115221b2b83949b42b5ac6a2c195075b647

SHA512
cbe6758954054983bc08a5dbe23836482d949643aa07881a2075ff4b056c291ebfbc7c1abede025b08d8d8d2105ba7522c18e2d4f54d365749c09e4e7e3b3b0c

Download Submit
\Users\Admin\AppData\Roaming\Taabes\woada.exe

Filesize
330KB

MD5
e3ae5f852c720088688df424336c7d31

SHA1
93b2057c486f5c6b4ff0f472ff166eb845d58424

SHA256
f31eca440bd1ee594311155d853cb115221b2b83949b42b5ac6a2c195075b647

SHA512
cbe6758954054983bc08a5dbe23836482d949643aa07881a2075ff4b056c291ebfbc7c1abede025b08d8d8d2105ba7522c18e2d4f54d365749c09e4e7e3b3b0c

Download Submit
\Users\Admin\AppData\Roaming\Taabes\woada.exe

Filesize
330KB

MD5
e3ae5f852c720088688df424336c7d31

SHA1
93b2057c486f5c6b4ff0f472ff166eb845d58424

SHA256
f31eca440bd1ee594311155d853cb115221b2b83949b42b5ac6a2c195075b647

SHA512
cbe6758954054983bc08a5dbe23836482d949643aa07881a2075ff4b056c291ebfbc7c1abede025b08d8d8d2105ba7522c18e2d4f54d365749c09e4e7e3b3b0c

Download Submit
memory/884-109-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/884-108-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/884-110-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/884-107-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/940-59-0x0000000000000000-mapping.dmp

Download
memory/940-99-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/940-100-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/940-101-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1232-67-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1232-68-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1232-66-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1232-65-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1232-63-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1328-72-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1328-73-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1328-74-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1328-71-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1368-78-0x0000000002570000-0x00000000025B4000-memory.dmp

Filesize
272KB

Download
memory/1368-80-0x0000000002570000-0x00000000025B4000-memory.dmp

Filesize
272KB

Download
memory/1368-77-0x0000000002570000-0x00000000025B4000-memory.dmp

Filesize
272KB

Download
memory/1368-79-0x0000000002570000-0x00000000025B4000-memory.dmp

Filesize
272KB

Download
memory/1768-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-94-0x00000000000671E6-mapping.dmp

Download
memory/1768-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-104-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1908-113-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1908-114-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1908-115-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/1908-116-0x0000000003A60000-0x0000000003AA4000-memory.dmp

Filesize
272KB

Download
memory/2032-84-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/2032-98-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/2032-96-0x00000000002C0000-0x0000000000316000-memory.dmp

Filesize
344KB

Download
memory/2032-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-95-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2032-86-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/2032-85-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-83-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/2032-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download