ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe
Size

313KB
MD5

eadb3bf1c491a14b11ea029ee995c89d
SHA1

d6a35ac9a12a9b2f3d63c3a42dcb795032bf35d1
SHA256

ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a
SHA512

aab6bc5c621e21122b37d214a6178d14f3ce1801d06dc265cd8396fa7c3ab5691d7340e32e637aa54f6e7ed3e36e92a6e1e3d337107f31433d230d4cced01a4f
SSDEEP

6144:yzjGe0QzQTyVrO+mDiKpMSIqmUKtwj5+nHNs9RsiYsyiRO3VZNZY:yPYQcTUqBDigRdmUQ8QXOOnNZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	caag.exe

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe
1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	caag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Caag = "C:\\Users\\Admin\\AppData\\Roaming\\Ajawxo\\caag.exe"	caag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe
976	caag.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 976	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	28
PID 1340 wrote to memory of 976	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	28
PID 1340 wrote to memory of 976	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	28
PID 1340 wrote to memory of 976	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	28
PID 976 wrote to memory of 1108	976	caag.exe	14
PID 976 wrote to memory of 1108	976	caag.exe	14
PID 976 wrote to memory of 1108	976	caag.exe	14
PID 976 wrote to memory of 1108	976	caag.exe	14
PID 976 wrote to memory of 1108	976	caag.exe	14
PID 976 wrote to memory of 1176	976	caag.exe	13
PID 976 wrote to memory of 1176	976	caag.exe	13
PID 976 wrote to memory of 1176	976	caag.exe	13
PID 976 wrote to memory of 1176	976	caag.exe	13
PID 976 wrote to memory of 1176	976	caag.exe	13
PID 976 wrote to memory of 1208	976	caag.exe	6
PID 976 wrote to memory of 1208	976	caag.exe	6
PID 976 wrote to memory of 1208	976	caag.exe	6
PID 976 wrote to memory of 1208	976	caag.exe	6
PID 976 wrote to memory of 1208	976	caag.exe	6
PID 976 wrote to memory of 1340	976	caag.exe	16
PID 976 wrote to memory of 1340	976	caag.exe	16
PID 976 wrote to memory of 1340	976	caag.exe	16
PID 976 wrote to memory of 1340	976	caag.exe	16
PID 976 wrote to memory of 1340	976	caag.exe	16
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29
PID 1340 wrote to memory of 1632	1340	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe
  "C:\Users\Admin\AppData\Local\Temp\ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Roaming\Ajawxo\caag.exe
    "C:\Users\Admin\AppData\Roaming\Ajawxo\caag.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\TTW21C2.bat"
    3⤵
    - Deletes itself
    PID:1632

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TTW21C2.bat

Filesize
303B

MD5
72e0dc775b197e41692b7dfa2cc98b5d

SHA1
7374937ebf3c1df7dfcac11daea436d2c61ee28f

SHA256
e33531552e367fde4c092f5d068b6544be08ca6017044ec154fa8f00ea5d69c7

SHA512
a6496763cf651c5fd561cdc0adbe0a1a493001d196dd646c373b5799e92e2b57ada2b8fb8c7ad7ed183b04a2a32d73541ab3f6615e40840593b8ad85b6a6e462

Download Submit
C:\Users\Admin\AppData\Roaming\Ajawxo\caag.exe

Filesize
313KB

MD5
6f97ae551b925e6517620982724f2839

SHA1
6208c2e8901a9bdde77af5bf0aaf3d834856bd21

SHA256
f119ddaebea7ba9317ed08a176a8a8231bc75ccbb8821c05e2491ee480ecdbb5

SHA512
bd04ea5be96bff56c8aae503f0936f408cca0526beb7dd3d54fd770b18c46dae0324bfcb5700489f988be436a617d629db2674150c04f05499d8273665315965

Download Submit
C:\Users\Admin\AppData\Roaming\Ajawxo\caag.exe

Filesize
313KB

MD5
6f97ae551b925e6517620982724f2839

SHA1
6208c2e8901a9bdde77af5bf0aaf3d834856bd21

SHA256
f119ddaebea7ba9317ed08a176a8a8231bc75ccbb8821c05e2491ee480ecdbb5

SHA512
bd04ea5be96bff56c8aae503f0936f408cca0526beb7dd3d54fd770b18c46dae0324bfcb5700489f988be436a617d629db2674150c04f05499d8273665315965

Download Submit
\Users\Admin\AppData\Roaming\Ajawxo\caag.exe

Filesize
313KB

MD5
6f97ae551b925e6517620982724f2839

SHA1
6208c2e8901a9bdde77af5bf0aaf3d834856bd21

SHA256
f119ddaebea7ba9317ed08a176a8a8231bc75ccbb8821c05e2491ee480ecdbb5

SHA512
bd04ea5be96bff56c8aae503f0936f408cca0526beb7dd3d54fd770b18c46dae0324bfcb5700489f988be436a617d629db2674150c04f05499d8273665315965

Download Submit
\Users\Admin\AppData\Roaming\Ajawxo\caag.exe

Filesize
313KB

MD5
6f97ae551b925e6517620982724f2839

SHA1
6208c2e8901a9bdde77af5bf0aaf3d834856bd21

SHA256
f119ddaebea7ba9317ed08a176a8a8231bc75ccbb8821c05e2491ee480ecdbb5

SHA512
bd04ea5be96bff56c8aae503f0936f408cca0526beb7dd3d54fd770b18c46dae0324bfcb5700489f988be436a617d629db2674150c04f05499d8273665315965

Download Submit
memory/976-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1108-67-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-65-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-68-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-69-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1108-70-0x0000000001CC0000-0x0000000001D09000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1208-82-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-81-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-79-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1208-80-0x0000000002B70000-0x0000000002BB9000-memory.dmp

Filesize
292KB

Download
memory/1340-85-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1340-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-54-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1340-86-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1340-87-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1340-88-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1340-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-103-0x00000000025A0000-0x00000000025E9000-memory.dmp

Filesize
292KB

Download
memory/1340-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1340-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1340-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1632-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1632-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1632-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1632-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1632-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1632-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download