5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe
Size

296KB
MD5

40ebee5a3d129c29e04d2907e4f282b1
SHA1

b830aee4f5dfc4acdf73abca6bbef1fc8b157289
SHA256

5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f
SHA512

e5d32f5727ccc912c5d271cee19ebc968a9b7fbb5dffe0d1177ac0358e03347b8af0abe4c21468aba0db43dfed5d44fdf03751ec85b49830cbb24665da69f3d4
SSDEEP

6144:Zw02VPodI+qWXgTSlSWbSyCEwRL/ztRPE4sl9UwL4EqGXbQgIn:YxgI+jXblSbNVztRPq4cqGXL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	icduq.exe

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe
1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	icduq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Icduq = "C:\\Users\\Admin\\AppData\\Roaming\\Ezlu\\icduq.exe"	icduq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe
1956	icduq.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1956	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	26
PID 1612 wrote to memory of 1956	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	26
PID 1612 wrote to memory of 1956	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	26
PID 1612 wrote to memory of 1956	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	26
PID 1956 wrote to memory of 1240	1956	icduq.exe	16
PID 1956 wrote to memory of 1240	1956	icduq.exe	16
PID 1956 wrote to memory of 1240	1956	icduq.exe	16
PID 1956 wrote to memory of 1240	1956	icduq.exe	16
PID 1956 wrote to memory of 1240	1956	icduq.exe	16
PID 1956 wrote to memory of 1320	1956	icduq.exe	15
PID 1956 wrote to memory of 1320	1956	icduq.exe	15
PID 1956 wrote to memory of 1320	1956	icduq.exe	15
PID 1956 wrote to memory of 1320	1956	icduq.exe	15
PID 1956 wrote to memory of 1320	1956	icduq.exe	15
PID 1956 wrote to memory of 1356	1956	icduq.exe	14
PID 1956 wrote to memory of 1356	1956	icduq.exe	14
PID 1956 wrote to memory of 1356	1956	icduq.exe	14
PID 1956 wrote to memory of 1356	1956	icduq.exe	14
PID 1956 wrote to memory of 1356	1956	icduq.exe	14
PID 1956 wrote to memory of 1612	1956	icduq.exe	25
PID 1956 wrote to memory of 1612	1956	icduq.exe	25
PID 1956 wrote to memory of 1612	1956	icduq.exe	25
PID 1956 wrote to memory of 1612	1956	icduq.exe	25
PID 1956 wrote to memory of 1612	1956	icduq.exe	25
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27
PID 1612 wrote to memory of 1784	1612	5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe
  "C:\Users\Admin\AppData\Local\Temp\5a5f2492ced1c16f5decd7a0a94a2f9d8013c26f8da58d864cf16abb61b4315f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Ezlu\icduq.exe
    "C:\Users\Admin\AppData\Roaming\Ezlu\icduq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HECF467.bat"
    3⤵
    - Deletes itself
    PID:1784

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HECF467.bat

Filesize
303B

MD5
4468c351d13d34f4383c04750281379e

SHA1
552734c262e4f964bb35bd640aa01ec96d3267d4

SHA256
d9116dc7911fb15f22937d809c0ae4c7d9d3d6afd2c2d5027daefece8d2def71

SHA512
1c443dff6adb59f6d0c8726718be22a5a2bd9df59b693ad25c26c247bf89c43f70ea3152e9948de616442f7612c2428f87066bfd0b5a63efc8a30aa4e1902e58

Download Submit
C:\Users\Admin\AppData\Roaming\Ezlu\icduq.exe

Filesize
296KB

MD5
9a94e977cd6688028498fa8dee8659dc

SHA1
1ef1bbce5322360319c3e7c4e521107f9325acac

SHA256
c7004ca194a862312f86501ad976a0c2b248019bd9d4999c67e6807f7ec7d990

SHA512
90002b20e2a09d1b2950601aa05784345193940ac8d1d28f8b21fbbebf44aeb957dc45354968794cebd7996fa43feb19a934b6c3fc66b8b8ef77789c3b3292b5

Download Submit
C:\Users\Admin\AppData\Roaming\Ezlu\icduq.exe

Filesize
296KB

MD5
9a94e977cd6688028498fa8dee8659dc

SHA1
1ef1bbce5322360319c3e7c4e521107f9325acac

SHA256
c7004ca194a862312f86501ad976a0c2b248019bd9d4999c67e6807f7ec7d990

SHA512
90002b20e2a09d1b2950601aa05784345193940ac8d1d28f8b21fbbebf44aeb957dc45354968794cebd7996fa43feb19a934b6c3fc66b8b8ef77789c3b3292b5

Download Submit
\Users\Admin\AppData\Roaming\Ezlu\icduq.exe

Filesize
296KB

MD5
9a94e977cd6688028498fa8dee8659dc

SHA1
1ef1bbce5322360319c3e7c4e521107f9325acac

SHA256
c7004ca194a862312f86501ad976a0c2b248019bd9d4999c67e6807f7ec7d990

SHA512
90002b20e2a09d1b2950601aa05784345193940ac8d1d28f8b21fbbebf44aeb957dc45354968794cebd7996fa43feb19a934b6c3fc66b8b8ef77789c3b3292b5

Download Submit
\Users\Admin\AppData\Roaming\Ezlu\icduq.exe

Filesize
296KB

MD5
9a94e977cd6688028498fa8dee8659dc

SHA1
1ef1bbce5322360319c3e7c4e521107f9325acac

SHA256
c7004ca194a862312f86501ad976a0c2b248019bd9d4999c67e6807f7ec7d990

SHA512
90002b20e2a09d1b2950601aa05784345193940ac8d1d28f8b21fbbebf44aeb957dc45354968794cebd7996fa43feb19a934b6c3fc66b8b8ef77789c3b3292b5

Download Submit
memory/1240-69-0x0000000001F30000-0x0000000001F79000-memory.dmp

Filesize
292KB

Download
memory/1240-65-0x0000000001F30000-0x0000000001F79000-memory.dmp

Filesize
292KB

Download
memory/1240-67-0x0000000001F30000-0x0000000001F79000-memory.dmp

Filesize
292KB

Download
memory/1240-68-0x0000000001F30000-0x0000000001F79000-memory.dmp

Filesize
292KB

Download
memory/1240-70-0x0000000001F30000-0x0000000001F79000-memory.dmp

Filesize
292KB

Download
memory/1320-73-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1320-74-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1320-75-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1320-76-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1356-82-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1356-79-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1356-81-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1356-80-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1612-87-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1612-102-0x0000000001DB0000-0x0000000001E05000-memory.dmp

Filesize
340KB

Download
memory/1612-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1612-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-85-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1612-88-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1612-54-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1612-86-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1612-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1612-104-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1784-100-0x0000000000150000-0x0000000000199000-memory.dmp

Filesize
292KB

Download
memory/1784-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-101-0x0000000000150000-0x0000000000199000-memory.dmp

Filesize
292KB

Download
memory/1784-114-0x0000000000150000-0x0000000000199000-memory.dmp

Filesize
292KB

Download
memory/1784-99-0x0000000000150000-0x0000000000199000-memory.dmp

Filesize
292KB

Download
memory/1784-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-97-0x0000000000150000-0x0000000000199000-memory.dmp

Filesize
292KB

Download
memory/1784-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1956-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download