eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268

Analysis

max time kernel
155s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
Size

230KB
MD5

2c192f76425e966ae698a84130dc89f2
SHA1

6bbcb0c953c15b11f7489a6d976b20a75f64d54c
SHA256

eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268
SHA512

43b730ea0c7b0fed79230917dfd18f3418a3f749c03d1a5f3ba8cea3b4b954833984f0c60db96d17c2baa4c84e991c84a37ee1f72d864a2c48dee43568d91d8e
SSDEEP

3072:epvmvakjLm7PR5Q3k3vHjNr0eOGjIUi/cDhn0y24ywvDDjbngcQVS+1aA6:epWjkP/ZHjN9Njv7jbnZWS+

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4904	Cwozia.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4876-132-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0006000000022e23-136.dat	upx
behavioral2/files/0x0006000000022e23-137.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
File created	C:\Windows\Cwozia.exe	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
File opened for modification	C:\Windows\Cwozia.exe	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Cwozia.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Cwozia.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	Cwozia.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\International	Cwozia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe
4904	Cwozia.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4904	4876	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe	84
PID 4876 wrote to memory of 4904	4876	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe	84
PID 4876 wrote to memory of 4904	4876	eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe	84

C:\Users\Admin\AppData\Local\Temp\eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe
"C:\Users\Admin\AppData\Local\Temp\eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\Cwozia.exe
  C:\Windows\Cwozia.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cwozia.exe

Filesize
230KB

MD5
2c192f76425e966ae698a84130dc89f2

SHA1
6bbcb0c953c15b11f7489a6d976b20a75f64d54c

SHA256
eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268

SHA512
43b730ea0c7b0fed79230917dfd18f3418a3f749c03d1a5f3ba8cea3b4b954833984f0c60db96d17c2baa4c84e991c84a37ee1f72d864a2c48dee43568d91d8e

Download Submit
C:\Windows\Cwozia.exe

Filesize
230KB

MD5
2c192f76425e966ae698a84130dc89f2

SHA1
6bbcb0c953c15b11f7489a6d976b20a75f64d54c

SHA256
eb139e9f7b1095c9b4932eed0b6e42590ffe1373c7bc288c94621f11999ea268

SHA512
43b730ea0c7b0fed79230917dfd18f3418a3f749c03d1a5f3ba8cea3b4b954833984f0c60db96d17c2baa4c84e991c84a37ee1f72d864a2c48dee43568d91d8e

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
426B

MD5
ef51402ab808274fcd413abb3f32d0f1

SHA1
84edee3fcae710f365b40650615a25c03aa972c0

SHA256
059e3cc5da0eaa72ec22c551c6d36781e57e47c3b4c50e53f74f9825a287a66c

SHA512
1097073ec6b9ce6547ba1d416d301c98ea5510fbebb1c6b0a09f8d066cb191c4a4561afa1e04281b7221f9c4eab4b9df86d695f15cdee8f3d022ed3f83942ba1

Download Submit
memory/4876-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-141-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4904-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4904-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download