95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe
Size

315KB
MD5

f2bb617b2457edbd97e4b721b3886561
SHA1

d4022332cbae44df2112f90e35e8d8c43cfc77bf
SHA256

95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27
SHA512

232a37b14c1d6d1d576c95bdeade91d92b7490eadc2a098d6a474295fd36c20b9ed383be6f717a11246a58a4c9195dffc5015790c60d074738218b90e4e4f9d0
SSDEEP

6144:ODxcTponzQPSqzXXaydn3nozW5TFYkI4uLZMGLv+xxxxxxxxxxxxxxxxngxxxxxg:KeTGzQPRHHdn34y3IbnLGxxxxxxxxxxr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1132	okal.exe

Deletes itself 1 IoCs

pid	Process
452	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe
1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	okal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Oxriva\\okal.exe"	okal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe
1132	okal.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe
1132	okal.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1132	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	26
PID 1112 wrote to memory of 1132	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	26
PID 1112 wrote to memory of 1132	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	26
PID 1112 wrote to memory of 1132	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	26
PID 1132 wrote to memory of 1300	1132	okal.exe	11
PID 1132 wrote to memory of 1300	1132	okal.exe	11
PID 1132 wrote to memory of 1300	1132	okal.exe	11
PID 1132 wrote to memory of 1300	1132	okal.exe	11
PID 1132 wrote to memory of 1300	1132	okal.exe	11
PID 1132 wrote to memory of 1404	1132	okal.exe	17
PID 1132 wrote to memory of 1404	1132	okal.exe	17
PID 1132 wrote to memory of 1404	1132	okal.exe	17
PID 1132 wrote to memory of 1404	1132	okal.exe	17
PID 1132 wrote to memory of 1404	1132	okal.exe	17
PID 1132 wrote to memory of 1444	1132	okal.exe	12
PID 1132 wrote to memory of 1444	1132	okal.exe	12
PID 1132 wrote to memory of 1444	1132	okal.exe	12
PID 1132 wrote to memory of 1444	1132	okal.exe	12
PID 1132 wrote to memory of 1444	1132	okal.exe	12
PID 1132 wrote to memory of 1112	1132	okal.exe	25
PID 1132 wrote to memory of 1112	1132	okal.exe	25
PID 1132 wrote to memory of 1112	1132	okal.exe	25
PID 1132 wrote to memory of 1112	1132	okal.exe	25
PID 1132 wrote to memory of 1112	1132	okal.exe	25
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27
PID 1112 wrote to memory of 452	1112	95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe
  "C:\Users\Admin\AppData\Local\Temp\95e987d876d1729a913253a06951b6ecc06f376db62b529a19c273232a4afe27.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Roaming\Oxriva\okal.exe
    "C:\Users\Admin\AppData\Roaming\Oxriva\okal.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmped677dd2.bat"
    3⤵
    - Deletes itself
    PID:452

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmped677dd2.bat

Filesize
307B

MD5
3ceaa9d68a3f3d89d304e3e109e03599

SHA1
a4bd3ff3040089880b70f2d1de4056f9c5de71ad

SHA256
4ce8ab60ff63134f1ad0c908631ac08b986a20209de0435af7dd55ccc0eec221

SHA512
026b3ffa8938633e58867f33a0568814caa487abbc0d58e0311d6b68b54fa8ab1ede105a2c4bbcce858b7f66cc3935b3ba7812598515a50f4c11a2f7da71337b

Download Submit
C:\Users\Admin\AppData\Roaming\Oxriva\okal.exe

Filesize
315KB

MD5
e50b4187c45475c030287b0fda1e70d9

SHA1
e1e333111d6184c508bb78cd1dbfa62f06951846

SHA256
116c95f5765206d43c7ff65c58d3543d5abf70e483208a6e7fb24840d9928eb2

SHA512
2447f1f21b9404a1d5b4ea20046a8a2a7555e9d31fe7c3e3b7ff6d868bb28d405ce5a67f3f2fb676f403c770b3d68dec1d97ad39f435b241b2c2fc5898ee5c86

Download Submit
C:\Users\Admin\AppData\Roaming\Oxriva\okal.exe

Filesize
315KB

MD5
e50b4187c45475c030287b0fda1e70d9

SHA1
e1e333111d6184c508bb78cd1dbfa62f06951846

SHA256
116c95f5765206d43c7ff65c58d3543d5abf70e483208a6e7fb24840d9928eb2

SHA512
2447f1f21b9404a1d5b4ea20046a8a2a7555e9d31fe7c3e3b7ff6d868bb28d405ce5a67f3f2fb676f403c770b3d68dec1d97ad39f435b241b2c2fc5898ee5c86

Download Submit
\Users\Admin\AppData\Roaming\Oxriva\okal.exe

Filesize
315KB

MD5
e50b4187c45475c030287b0fda1e70d9

SHA1
e1e333111d6184c508bb78cd1dbfa62f06951846

SHA256
116c95f5765206d43c7ff65c58d3543d5abf70e483208a6e7fb24840d9928eb2

SHA512
2447f1f21b9404a1d5b4ea20046a8a2a7555e9d31fe7c3e3b7ff6d868bb28d405ce5a67f3f2fb676f403c770b3d68dec1d97ad39f435b241b2c2fc5898ee5c86

Download Submit
\Users\Admin\AppData\Roaming\Oxriva\okal.exe

Filesize
315KB

MD5
e50b4187c45475c030287b0fda1e70d9

SHA1
e1e333111d6184c508bb78cd1dbfa62f06951846

SHA256
116c95f5765206d43c7ff65c58d3543d5abf70e483208a6e7fb24840d9928eb2

SHA512
2447f1f21b9404a1d5b4ea20046a8a2a7555e9d31fe7c3e3b7ff6d868bb28d405ce5a67f3f2fb676f403c770b3d68dec1d97ad39f435b241b2c2fc5898ee5c86

Download Submit
memory/452-106-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/452-94-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/452-95-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/452-91-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/452-93-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/1112-100-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1112-85-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1112-55-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1112-102-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/1112-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1112-56-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/1112-88-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1112-87-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1112-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-86-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1132-107-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1132-99-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1132-98-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/1132-97-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1300-65-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/1300-70-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/1300-69-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/1300-68-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/1300-67-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/1404-76-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1404-74-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1404-75-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1404-73-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1444-80-0x0000000002530000-0x0000000002572000-memory.dmp

Filesize
264KB

Download
memory/1444-81-0x0000000002530000-0x0000000002572000-memory.dmp

Filesize
264KB

Download
memory/1444-82-0x0000000002530000-0x0000000002572000-memory.dmp

Filesize
264KB

Download
memory/1444-79-0x0000000002530000-0x0000000002572000-memory.dmp

Filesize
264KB

Download