b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9

Analysis

max time kernel
207s
max time network
217s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe
Size

117KB
MD5

0eb1121b87a4608c6ef51119411439ac
SHA1

26715fe0ce01df6f46a7e2e13b4249419d3d238f
SHA256

b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9
SHA512

b470bb68bb0a72bd995cfe82e3972af107681877b0c05d1a45eb27c965ea7e5a83e6db68a82b4515f160e83b5a06c833660794176833da3989fdaad9ec64dbfb
SSDEEP

3072:Qxvmpm2yKept6op+s+5fTRaqym0WkJificeFaE:IKep1Iss4qGR0fipFa

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	Czowoa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Czowoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCSCPW1HKH = "C:\\Windows\\Czowoa.exe"	Czowoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe
File created	C:\Windows\Czowoa.exe	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe
File opened for modification	C:\Windows\Czowoa.exe	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	Czowoa.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International	Czowoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe
1500	Czowoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1500	560	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe	28
PID 560 wrote to memory of 1500	560	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe	28
PID 560 wrote to memory of 1500	560	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe	28
PID 560 wrote to memory of 1500	560	b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe	28

C:\Users\Admin\AppData\Local\Temp\b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe
"C:\Users\Admin\AppData\Local\Temp\b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\Czowoa.exe
  C:\Windows\Czowoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Czowoa.exe

Filesize
117KB

MD5
0eb1121b87a4608c6ef51119411439ac

SHA1
26715fe0ce01df6f46a7e2e13b4249419d3d238f

SHA256
b005736998f5832a393c4cad02e33965059b62b002cebba970ab3bfb26301eb9

SHA512
b470bb68bb0a72bd995cfe82e3972af107681877b0c05d1a45eb27c965ea7e5a83e6db68a82b4515f160e83b5a06c833660794176833da3989fdaad9ec64dbfb

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
408B

MD5
17275bcbbc918744f8a04e04c64afdca

SHA1
148dcb1a968380ccc3e45e7d204bfd24e2bf02d1

SHA256
14d570ee50cef3210649997d45c7af9f65bb48a34acbc524aeff172dd3acd36f

SHA512
6b6f7e49adffe8aad71e8c5fddd6efea98d9a9b718f12c403c7e3b863345781da676a83bc8026e6d5a0cc3c7fabff74ec2a7cc9fe51186c75a6e77cfaee95f24

Download Submit
memory/560-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/560-55-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/560-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/560-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/560-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download