955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a

Analysis

max time kernel
248s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
Size

129KB
MD5

e44cf997ab41fd6bae63e4e6b4a3c0f1
SHA1

87fd2df0baf51210691bd073a2afad72b7f9461d
SHA256

955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a
SHA512

927c281badb14f7210d38172250fea5f5cdd516ca9dc0d72b528131a4eb9c4d6d1c528b62b871f44df0a4b1c7e1ff594514cb3a3f618a0759953b5f81ab52921
SSDEEP

3072:doK2HC2jtsrenrlvRvz4Evo+TTSPeHrV/T4Ra:uEAtsen5J8E9TTSPeHZr4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	obhuh.exe

Loads dropped DLL 2 IoCs

pid	Process
544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	obhuh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F8E4B76A-8C76-54F0-9B59-157B953A6902} = "C:\\Users\\Admin\\AppData\\Roaming\\Afxo\\obhuh.exe"	obhuh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe
1528	obhuh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
Token: SeSecurityPrivilege	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
Token: SeSecurityPrivilege	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
Token: SeSecurityPrivilege	768	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1572	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1528	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	28
PID 544 wrote to memory of 1528	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	28
PID 544 wrote to memory of 1528	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	28
PID 544 wrote to memory of 1528	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	28
PID 1528 wrote to memory of 1156	1528	obhuh.exe	17
PID 1528 wrote to memory of 1156	1528	obhuh.exe	17
PID 1528 wrote to memory of 1156	1528	obhuh.exe	17
PID 1528 wrote to memory of 1156	1528	obhuh.exe	17
PID 1528 wrote to memory of 1156	1528	obhuh.exe	17
PID 1528 wrote to memory of 1236	1528	obhuh.exe	16
PID 1528 wrote to memory of 1236	1528	obhuh.exe	16
PID 1528 wrote to memory of 1236	1528	obhuh.exe	16
PID 1528 wrote to memory of 1236	1528	obhuh.exe	16
PID 1528 wrote to memory of 1236	1528	obhuh.exe	16
PID 1528 wrote to memory of 1272	1528	obhuh.exe	15
PID 1528 wrote to memory of 1272	1528	obhuh.exe	15
PID 1528 wrote to memory of 1272	1528	obhuh.exe	15
PID 1528 wrote to memory of 1272	1528	obhuh.exe	15
PID 1528 wrote to memory of 1272	1528	obhuh.exe	15
PID 1528 wrote to memory of 544	1528	obhuh.exe	27
PID 1528 wrote to memory of 544	1528	obhuh.exe	27
PID 1528 wrote to memory of 544	1528	obhuh.exe	27
PID 1528 wrote to memory of 544	1528	obhuh.exe	27
PID 1528 wrote to memory of 544	1528	obhuh.exe	27
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 544 wrote to memory of 768	544	955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe	29
PID 1528 wrote to memory of 1476	1528	obhuh.exe	30
PID 1528 wrote to memory of 1476	1528	obhuh.exe	30
PID 1528 wrote to memory of 1476	1528	obhuh.exe	30
PID 1528 wrote to memory of 1476	1528	obhuh.exe	30
PID 1528 wrote to memory of 1476	1528	obhuh.exe	30
PID 1528 wrote to memory of 896	1528	obhuh.exe	31
PID 1528 wrote to memory of 896	1528	obhuh.exe	31
PID 1528 wrote to memory of 896	1528	obhuh.exe	31
PID 1528 wrote to memory of 896	1528	obhuh.exe	31
PID 1528 wrote to memory of 896	1528	obhuh.exe	31
PID 1528 wrote to memory of 188	1528	obhuh.exe	32
PID 1528 wrote to memory of 188	1528	obhuh.exe	32
PID 1528 wrote to memory of 188	1528	obhuh.exe	32
PID 1528 wrote to memory of 188	1528	obhuh.exe	32
PID 1528 wrote to memory of 188	1528	obhuh.exe	32
PID 1528 wrote to memory of 1572	1528	obhuh.exe	33
PID 1528 wrote to memory of 1572	1528	obhuh.exe	33
PID 1528 wrote to memory of 1572	1528	obhuh.exe	33
PID 1528 wrote to memory of 1572	1528	obhuh.exe	33
PID 1528 wrote to memory of 1572	1528	obhuh.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe
  "C:\Users\Admin\AppData\Local\Temp\955a6b4f98244dcbd5a824a983fccc3e21b605e168fbfefab9368e8a43f7074a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\Afxo\obhuh.exe
    "C:\Users\Admin\AppData\Roaming\Afxo\obhuh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1757409c.bat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1753579364-1329706934861461990-15378150192077980647-1222295059-9895648401793765482"
1⤵
PID:1476

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:188

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Afxo\obhuh.exe

Filesize
129KB

MD5
6c1dc6a36b6137db548ea3854621b35e

SHA1
4118aed5f2a6a49841f4c49f06c727529ea9de51

SHA256
9c688164f4ac3fb2211f596e37f4ceaff4068eaa20f9871f0ea46ba888e41797

SHA512
79629a98efdd19b45d8719c053030a0731767c80ddbfe21c5733a74d9042fe6dd5900c7690d0069c5bdba25e6b9d19c7b18f65786ec3176e06be0757292f0c89

Download Submit
C:\Users\Admin\AppData\Roaming\Afxo\obhuh.exe

Filesize
129KB

MD5
6c1dc6a36b6137db548ea3854621b35e

SHA1
4118aed5f2a6a49841f4c49f06c727529ea9de51

SHA256
9c688164f4ac3fb2211f596e37f4ceaff4068eaa20f9871f0ea46ba888e41797

SHA512
79629a98efdd19b45d8719c053030a0731767c80ddbfe21c5733a74d9042fe6dd5900c7690d0069c5bdba25e6b9d19c7b18f65786ec3176e06be0757292f0c89

Download Submit
C:\Users\Admin\AppData\Roaming\Uxtoas\qyal.ray

Filesize
398B

MD5
bc9afba275e63f02ebe76467f7e81921

SHA1
d0c648732de2fcac7940fa72996db75809eb0e30

SHA256
bf4d1438881dc5989986e8a8717784567acd3aa8aebfce9a5ec88a29e4edfd1b

SHA512
b55e5ae7e2d43c8312dd0fddbbc5adf58b855b7cd50688234da702dfbf058651e6dab95ee67c493eed51ddec64ed3f7613ac64655e23e335cc989d8c35a19ee7

Download Submit
\Users\Admin\AppData\Roaming\Afxo\obhuh.exe

Filesize
129KB

MD5
6c1dc6a36b6137db548ea3854621b35e

SHA1
4118aed5f2a6a49841f4c49f06c727529ea9de51

SHA256
9c688164f4ac3fb2211f596e37f4ceaff4068eaa20f9871f0ea46ba888e41797

SHA512
79629a98efdd19b45d8719c053030a0731767c80ddbfe21c5733a74d9042fe6dd5900c7690d0069c5bdba25e6b9d19c7b18f65786ec3176e06be0757292f0c89

Download Submit
\Users\Admin\AppData\Roaming\Afxo\obhuh.exe

Filesize
129KB

MD5
6c1dc6a36b6137db548ea3854621b35e

SHA1
4118aed5f2a6a49841f4c49f06c727529ea9de51

SHA256
9c688164f4ac3fb2211f596e37f4ceaff4068eaa20f9871f0ea46ba888e41797

SHA512
79629a98efdd19b45d8719c053030a0731767c80ddbfe21c5733a74d9042fe6dd5900c7690d0069c5bdba25e6b9d19c7b18f65786ec3176e06be0757292f0c89

Download Submit
memory/188-129-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/188-130-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/188-131-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/188-128-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/544-110-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/544-86-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/544-56-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/544-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/544-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/544-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/544-99-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/544-90-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/544-89-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/544-88-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/544-87-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/768-109-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/768-93-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/768-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/768-97-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/768-96-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/768-95-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/896-123-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/896-122-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/896-125-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/896-124-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1156-68-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1156-64-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1156-66-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1156-67-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1156-69-0x0000000001E90000-0x0000000001EB7000-memory.dmp

Filesize
156KB

Download
memory/1236-73-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1236-72-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1236-75-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1236-74-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1272-79-0x0000000002A50000-0x0000000002A77000-memory.dmp

Filesize
156KB

Download
memory/1272-81-0x0000000002A50000-0x0000000002A77000-memory.dmp

Filesize
156KB

Download
memory/1272-78-0x0000000002A50000-0x0000000002A77000-memory.dmp

Filesize
156KB

Download
memory/1272-80-0x0000000002A50000-0x0000000002A77000-memory.dmp

Filesize
156KB

Download
memory/1476-105-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1476-107-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1476-106-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1476-104-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1528-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-85-0x0000000001C80000-0x0000000001CB9000-memory.dmp

Filesize
228KB

Download
memory/1528-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-113-0x000007FEF5ED1000-0x000007FEF5ED3000-memory.dmp

Filesize
8KB

Download
memory/1572-114-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/1572-112-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/1572-134-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1572-135-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download