3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uzmu.exe

pid process

700 uzmu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

1748 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
1496	cmd.exe

pid	process
1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uzmu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{479145D4-30A2-795B-BE43-DA13CF383B18} = "C:\\Users\\Admin\\AppData\\Roaming\\Bair\\uzmu.exe"	uzmu.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	uzmu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 1748 set thread context of 1496 1748 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 1748 set thread context of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

uzmu.exe

pid	process
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe
700	uzmu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeuzmu.exe

description	pid	process	target process
PID 1748 wrote to memory of 700	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	uzmu.exe
PID 1748 wrote to memory of 700	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	uzmu.exe
PID 1748 wrote to memory of 700	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	uzmu.exe
PID 1748 wrote to memory of 700	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	uzmu.exe
PID 700 wrote to memory of 1140	700	uzmu.exe	taskhost.exe
PID 700 wrote to memory of 1140	700	uzmu.exe	taskhost.exe
PID 700 wrote to memory of 1140	700	uzmu.exe	taskhost.exe
PID 700 wrote to memory of 1140	700	uzmu.exe	taskhost.exe
PID 700 wrote to memory of 1140	700	uzmu.exe	taskhost.exe
PID 700 wrote to memory of 1184	700	uzmu.exe	Dwm.exe
PID 700 wrote to memory of 1184	700	uzmu.exe	Dwm.exe
PID 700 wrote to memory of 1184	700	uzmu.exe	Dwm.exe
PID 700 wrote to memory of 1184	700	uzmu.exe	Dwm.exe
PID 700 wrote to memory of 1184	700	uzmu.exe	Dwm.exe
PID 700 wrote to memory of 1228	700	uzmu.exe	Explorer.EXE
PID 700 wrote to memory of 1228	700	uzmu.exe	Explorer.EXE
PID 700 wrote to memory of 1228	700	uzmu.exe	Explorer.EXE
PID 700 wrote to memory of 1228	700	uzmu.exe	Explorer.EXE
PID 700 wrote to memory of 1228	700	uzmu.exe	Explorer.EXE
PID 700 wrote to memory of 1748	700	uzmu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 700 wrote to memory of 1748	700	uzmu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 700 wrote to memory of 1748	700	uzmu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 700 wrote to memory of 1748	700	uzmu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 700 wrote to memory of 1748	700	uzmu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1748 wrote to memory of 1496	1748	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 700 wrote to memory of 984	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 984	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 984	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 984	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 984	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1040	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1040	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1040	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1040	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1040	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1244	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1244	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1244	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1244	700	uzmu.exe	DllHost.exe
PID 700 wrote to memory of 1244	700	uzmu.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Bair\uzmu.exe
"C:\Users\Admin\AppData\Roaming\Bair\uzmu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpeb947959.bat"
3⤵
- Deletes itself
PID:1496

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpeb947959.bat
Filesize
259B

MD5
7587d2afc2563440ec56fec391ba3900

SHA1
bc4b23b7901e0dafac3e2aa82816c495aba042b7

SHA256
c4edde335bf6ae533493052d2da2769ef71637fa8aad923d9654eb4ae3be6e17

SHA512
76a93b2613d9f51efde0c5e21b7c59c22ca590f2813cc63fd5bf2f12c14be6b61599b117fbffe95b99e205418c7f00228866aa692b8483ad4636ed04befb5614

Download Submit
C:\Users\Admin\AppData\Roaming\Bair\uzmu.exe
Filesize
116KB

MD5
3de1cedc922088b109f7b05b7bfa02c7

SHA1
3f0a38e20a03720543ad3c486fe0f39c1aade86b

SHA256
f97a6dcee749c9827841d3c6aba83fcae306e555bf9b607a841eba83ddd3e7a2

SHA512
8abc4b2da45bd07c0da0c720d40dab01518c3a54d60cd3f1a48f24a03b6735f9373a8f53c6b776d2d6877e7058023d744f3ed37d8dcd3450d171742573995060

Download Submit
C:\Users\Admin\AppData\Roaming\Bair\uzmu.exe
Filesize
116KB

MD5
3de1cedc922088b109f7b05b7bfa02c7

SHA1
3f0a38e20a03720543ad3c486fe0f39c1aade86b

SHA256
f97a6dcee749c9827841d3c6aba83fcae306e555bf9b607a841eba83ddd3e7a2

SHA512
8abc4b2da45bd07c0da0c720d40dab01518c3a54d60cd3f1a48f24a03b6735f9373a8f53c6b776d2d6877e7058023d744f3ed37d8dcd3450d171742573995060

Download Submit
C:\Users\Admin\AppData\Roaming\Ocloo\qyed.tuy
Filesize
374B

MD5
d5f1d25208fb09e718c7d34286c236ff

SHA1
a5c7df88a4ee69cf52c99c72d37da4ac9fcf2f21

SHA256
ee4b5c78ba40d3bcac2099d1ad406f9d0d1857c76229350d4feb4b2a857a0a89

SHA512
ca853533d6db674549f837998aaed59f1ab1ec4c28db6a747199e74a00a1f6f5fa59c87abee78df2c4ec9ad505e4ed62f467f5039088cdd58645f08d1b0b5d25

Download Submit
\Users\Admin\AppData\Roaming\Bair\uzmu.exe
Filesize
116KB

MD5
3de1cedc922088b109f7b05b7bfa02c7

SHA1
3f0a38e20a03720543ad3c486fe0f39c1aade86b

SHA256
f97a6dcee749c9827841d3c6aba83fcae306e555bf9b607a841eba83ddd3e7a2

SHA512
8abc4b2da45bd07c0da0c720d40dab01518c3a54d60cd3f1a48f24a03b6735f9373a8f53c6b776d2d6877e7058023d744f3ed37d8dcd3450d171742573995060

Download Submit
memory/700-101-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/700-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/700-59-0x0000000000000000-mapping.dmp

Download
memory/984-105-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/984-108-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/984-107-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/984-106-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1040-111-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1040-112-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1040-113-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1040-114-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1140-67-0x0000000001CC0000-0x0000000001CE5000-memory.dmp

Filesize
148KB

Download
memory/1140-63-0x0000000001CC0000-0x0000000001CE5000-memory.dmp

Filesize
148KB

Download
memory/1140-68-0x0000000001CC0000-0x0000000001CE5000-memory.dmp

Filesize
148KB

Download
memory/1140-66-0x0000000001CC0000-0x0000000001CE5000-memory.dmp

Filesize
148KB

Download
memory/1140-65-0x0000000001CC0000-0x0000000001CE5000-memory.dmp

Filesize
148KB

Download
memory/1184-74-0x0000000001BB0000-0x0000000001BD5000-memory.dmp

Filesize
148KB

Download
memory/1184-71-0x0000000001BB0000-0x0000000001BD5000-memory.dmp

Filesize
148KB

Download
memory/1184-72-0x0000000001BB0000-0x0000000001BD5000-memory.dmp

Filesize
148KB

Download
memory/1184-73-0x0000000001BB0000-0x0000000001BD5000-memory.dmp

Filesize
148KB

Download
memory/1228-80-0x0000000002A70000-0x0000000002A95000-memory.dmp

Filesize
148KB

Download
memory/1228-78-0x0000000002A70000-0x0000000002A95000-memory.dmp

Filesize
148KB

Download
memory/1228-79-0x0000000002A70000-0x0000000002A95000-memory.dmp

Filesize
148KB

Download
memory/1228-77-0x0000000002A70000-0x0000000002A95000-memory.dmp

Filesize
148KB

Download
memory/1244-120-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1496-89-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/1496-95-0x00000000000B5A36-mapping.dmp

Download
memory/1496-93-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/1496-92-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/1496-100-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/1496-94-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/1748-86-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/1748-97-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/1748-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1748-96-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1748-85-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/1748-84-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/1748-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1748-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1748-55-0x00000000002D0000-0x00000000002F5000-memory.dmp

Filesize
148KB

Download
memory/1748-83-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads