137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd

Analysis

max time kernel
279s
max time network
367s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Size

284KB
MD5

2b86e41c47a73965f31071e9f823a6c5
SHA1

2eeb0f495049d2b17aa7b56fb805afc3e41d722d
SHA256

137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd
SHA512

0df345740ff30b1c75e3c66c7bfd84b8ee914ab7d635741c2e0117178412f7145fc23dcf2a5f9becd2643d3c929c31020bbb3621cee5baa9742a0f15751511cd
SSDEEP

6144:205XASk3NyyIk88dxDxQLVlZAYvRQYThzAZ/x40X2:2gkQyU6xuZ0pCUZrG

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1252	odca.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\WINE	odca.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\WINE	odca.exe

Loads dropped DLL 1 IoCs

pid	Process
268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	odca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Etruimp = "C:\\Users\\Admin\\AppData\\Roaming\\Iwun\\odca.exe"	odca.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 268 set thread context of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe
1252	odca.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Token: SeSecurityPrivilege	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Token: SeSecurityPrivilege	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Token: SeSecurityPrivilege	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
Token: SeSecurityPrivilege	2036	cmd.exe
Token: SeManageVolumePrivilege	2012	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 1252	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	28
PID 268 wrote to memory of 1252	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	28
PID 268 wrote to memory of 1252	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	28
PID 268 wrote to memory of 1252	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	28
PID 1252 wrote to memory of 1128	1252	odca.exe	18
PID 1252 wrote to memory of 1128	1252	odca.exe	18
PID 1252 wrote to memory of 1128	1252	odca.exe	18
PID 1252 wrote to memory of 1128	1252	odca.exe	18
PID 1252 wrote to memory of 1128	1252	odca.exe	18
PID 1252 wrote to memory of 1220	1252	odca.exe	17
PID 1252 wrote to memory of 1220	1252	odca.exe	17
PID 1252 wrote to memory of 1220	1252	odca.exe	17
PID 1252 wrote to memory of 1220	1252	odca.exe	17
PID 1252 wrote to memory of 1220	1252	odca.exe	17
PID 1252 wrote to memory of 1284	1252	odca.exe	9
PID 1252 wrote to memory of 1284	1252	odca.exe	9
PID 1252 wrote to memory of 1284	1252	odca.exe	9
PID 1252 wrote to memory of 1284	1252	odca.exe	9
PID 1252 wrote to memory of 1284	1252	odca.exe	9
PID 1252 wrote to memory of 268	1252	odca.exe	14
PID 1252 wrote to memory of 268	1252	odca.exe	14
PID 1252 wrote to memory of 268	1252	odca.exe	14
PID 1252 wrote to memory of 268	1252	odca.exe	14
PID 1252 wrote to memory of 268	1252	odca.exe	14
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 268 wrote to memory of 2036	268	137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe	29
PID 1252 wrote to memory of 944	1252	odca.exe	30
PID 1252 wrote to memory of 944	1252	odca.exe	30
PID 1252 wrote to memory of 944	1252	odca.exe	30
PID 1252 wrote to memory of 944	1252	odca.exe	30
PID 1252 wrote to memory of 944	1252	odca.exe	30
PID 1252 wrote to memory of 1340	1252	odca.exe	32
PID 1252 wrote to memory of 1340	1252	odca.exe	32
PID 1252 wrote to memory of 1340	1252	odca.exe	32
PID 1252 wrote to memory of 1340	1252	odca.exe	32
PID 1252 wrote to memory of 1340	1252	odca.exe	32
PID 1252 wrote to memory of 2012	1252	odca.exe	33
PID 1252 wrote to memory of 2012	1252	odca.exe	33
PID 1252 wrote to memory of 2012	1252	odca.exe	33
PID 1252 wrote to memory of 2012	1252	odca.exe	33
PID 1252 wrote to memory of 2012	1252	odca.exe	33
PID 1252 wrote to memory of 1592	1252	odca.exe	34
PID 1252 wrote to memory of 1592	1252	odca.exe	34
PID 1252 wrote to memory of 1592	1252	odca.exe	34
PID 1252 wrote to memory of 1592	1252	odca.exe	34
PID 1252 wrote to memory of 1592	1252	odca.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
  "C:\Users\Admin\AppData\Local\Temp\137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Roaming\Iwun\odca.exe
    "C:\Users\Admin\AppData\Roaming\Iwun\odca.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe2f70714.bat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978413527-671147033-169569890864978759-19828003671927373744-321206093-251449120"
1⤵
PID:944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1340

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Fynaut\saux.oti

Filesize
437B

MD5
b24a6ecaffd261cd6a99fd7c91657d19

SHA1
d79fbf5f4a8f249639900ca6f211b17094b6e75e

SHA256
a9cf93196c49364df442d6b96ed229c44657f2f9e48875471e73e0a27849e63c

SHA512
2a5ed97b109c2d2a3db5a62d7106f5db9452f38f881e6b145c1805ea8f5fc3c3911f1e39a170619a393e9845b92304883ca57ee8c7742e1eb3a97ea1ea4f6d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Iwun\odca.exe

Filesize
284KB

MD5
84f0e96c82012e6154d0dcf9ff7cae5d

SHA1
bc5727eee735b5fb2d108b8f909ed20a12ec5251

SHA256
9de9c940657554288c433fc635d5758409a0e9c6b824453248a7ef622b973df1

SHA512
cdbe9c8aafe5f733ebb5fe2d6267971b41413181ae92d22d2094751e35d477dddbd10ae770d08855b9ae8347b8e4b9bf9a61cebfda64cc3a73ae76aee4f45c67

Download Submit
C:\Users\Admin\AppData\Roaming\Iwun\odca.exe

Filesize
284KB

MD5
84f0e96c82012e6154d0dcf9ff7cae5d

SHA1
bc5727eee735b5fb2d108b8f909ed20a12ec5251

SHA256
9de9c940657554288c433fc635d5758409a0e9c6b824453248a7ef622b973df1

SHA512
cdbe9c8aafe5f733ebb5fe2d6267971b41413181ae92d22d2094751e35d477dddbd10ae770d08855b9ae8347b8e4b9bf9a61cebfda64cc3a73ae76aee4f45c67

Download Submit
\Users\Admin\AppData\Roaming\Iwun\odca.exe

Filesize
284KB

MD5
84f0e96c82012e6154d0dcf9ff7cae5d

SHA1
bc5727eee735b5fb2d108b8f909ed20a12ec5251

SHA256
9de9c940657554288c433fc635d5758409a0e9c6b824453248a7ef622b973df1

SHA512
cdbe9c8aafe5f733ebb5fe2d6267971b41413181ae92d22d2094751e35d477dddbd10ae770d08855b9ae8347b8e4b9bf9a61cebfda64cc3a73ae76aee4f45c67

Download Submit
memory/268-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/268-115-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-58-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/268-232-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-57-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/268-229-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-56-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/268-123-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-121-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-55-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/268-94-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-119-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-117-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-59-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/268-113-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-111-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-109-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-107-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-105-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-103-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-101-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-98-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-96-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-90-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-91-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-92-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/268-93-0x00000000006A0000-0x00000000006E5000-memory.dmp

Filesize
276KB

Download
memory/1128-70-0x0000000001B80000-0x0000000001BC5000-memory.dmp

Filesize
276KB

Download
memory/1128-75-0x0000000001B80000-0x0000000001BC5000-memory.dmp

Filesize
276KB

Download
memory/1128-72-0x0000000001B80000-0x0000000001BC5000-memory.dmp

Filesize
276KB

Download
memory/1128-73-0x0000000001B80000-0x0000000001BC5000-memory.dmp

Filesize
276KB

Download
memory/1128-74-0x0000000001B80000-0x0000000001BC5000-memory.dmp

Filesize
276KB

Download
memory/1220-80-0x00000000001A0000-0x00000000001E5000-memory.dmp

Filesize
276KB

Download
memory/1220-81-0x00000000001A0000-0x00000000001E5000-memory.dmp

Filesize
276KB

Download
memory/1220-79-0x00000000001A0000-0x00000000001E5000-memory.dmp

Filesize
276KB

Download
memory/1220-78-0x00000000001A0000-0x00000000001E5000-memory.dmp

Filesize
276KB

Download
memory/1252-66-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1252-68-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-67-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-65-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1252-61-0x0000000000000000-mapping.dmp

Download
memory/1284-84-0x0000000002A20000-0x0000000002A65000-memory.dmp

Filesize
276KB

Download
memory/1284-87-0x0000000002A20000-0x0000000002A65000-memory.dmp

Filesize
276KB

Download
memory/1284-85-0x0000000002A20000-0x0000000002A65000-memory.dmp

Filesize
276KB

Download
memory/1284-86-0x0000000002A20000-0x0000000002A65000-memory.dmp

Filesize
276KB

Download
memory/2036-230-0x0000000000181D29-mapping.dmp

Download
memory/2036-233-0x0000000000160000-0x00000000001A5000-memory.dmp

Filesize
276KB

Download
memory/2036-366-0x0000000000160000-0x00000000001A5000-memory.dmp

Filesize
276KB

Download