3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

weub.exe

pid process

360 weub.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

748 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

2000 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
748	cmd.exe

pid	process
2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

weub.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	weub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{07485E54-30A2-795B-6989-374937CFD642} = "C:\\Users\\Admin\\AppData\\Roaming\\Haroga\\weub.exe"	weub.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 2000 set thread context of 748 2000 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 2000 set thread context of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

weub.exe

pid	process
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe
360	weub.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeweub.exe

description	pid	process	target process
PID 2000 wrote to memory of 360	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	weub.exe
PID 2000 wrote to memory of 360	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	weub.exe
PID 2000 wrote to memory of 360	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	weub.exe
PID 2000 wrote to memory of 360	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	weub.exe
PID 360 wrote to memory of 1120	360	weub.exe	taskhost.exe
PID 360 wrote to memory of 1120	360	weub.exe	taskhost.exe
PID 360 wrote to memory of 1120	360	weub.exe	taskhost.exe
PID 360 wrote to memory of 1120	360	weub.exe	taskhost.exe
PID 360 wrote to memory of 1120	360	weub.exe	taskhost.exe
PID 360 wrote to memory of 1220	360	weub.exe	Dwm.exe
PID 360 wrote to memory of 1220	360	weub.exe	Dwm.exe
PID 360 wrote to memory of 1220	360	weub.exe	Dwm.exe
PID 360 wrote to memory of 1220	360	weub.exe	Dwm.exe
PID 360 wrote to memory of 1220	360	weub.exe	Dwm.exe
PID 360 wrote to memory of 1268	360	weub.exe	Explorer.EXE
PID 360 wrote to memory of 1268	360	weub.exe	Explorer.EXE
PID 360 wrote to memory of 1268	360	weub.exe	Explorer.EXE
PID 360 wrote to memory of 1268	360	weub.exe	Explorer.EXE
PID 360 wrote to memory of 1268	360	weub.exe	Explorer.EXE
PID 360 wrote to memory of 2000	360	weub.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 360 wrote to memory of 2000	360	weub.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 360 wrote to memory of 2000	360	weub.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 360 wrote to memory of 2000	360	weub.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 360 wrote to memory of 2000	360	weub.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 360 wrote to memory of 1932	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1932	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1932	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1932	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1932	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1020	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1020	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1020	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1020	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1020	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1604	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1604	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1604	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1604	360	weub.exe	DllHost.exe
PID 360 wrote to memory of 1604	360	weub.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Haroga\weub.exe
"C:\Users\Admin\AppData\Roaming\Haroga\weub.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5932a2d8.bat"
2⤵
- Deletes itself
PID:748

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5932a2d8.bat
Filesize
259B

MD5
8b02b8504e03d747eff24acbfb888e77

SHA1
4ee6ce1bb0eb6124524712d9b4b164ded931e28d

SHA256
436ee9815f95cb12d5eca6f3544b515b7f7189b5a816c51935497f825fb71f60

SHA512
59bb0b391ab5af98fd5ff4a127301a05c5d150b96f08e22df07f22a843b880c1d30b94744c0416c4757e588bd85d1272d190598d6a11b5bc576181abed3c392e

Download Submit
C:\Users\Admin\AppData\Roaming\Haroga\weub.exe
Filesize
116KB

MD5
04546d955d782c1d5852aa9975656611

SHA1
ab6ca658de7eb55c6a806a4ecdb816dbff084ff7

SHA256
79dbded6cc636aefe0506eb6a0051d562bcb9bd931441367b9518ed0d926393f

SHA512
891007f00ee4595f324ab53947baf585c303873da7e5ecdc2503117f042cadbe51216f24853c4543546a7b71651c71a3af74cbbe0c91916617b61faf242abe61

Download Submit
C:\Users\Admin\AppData\Roaming\Haroga\weub.exe
Filesize
116KB

MD5
04546d955d782c1d5852aa9975656611

SHA1
ab6ca658de7eb55c6a806a4ecdb816dbff084ff7

SHA256
79dbded6cc636aefe0506eb6a0051d562bcb9bd931441367b9518ed0d926393f

SHA512
891007f00ee4595f324ab53947baf585c303873da7e5ecdc2503117f042cadbe51216f24853c4543546a7b71651c71a3af74cbbe0c91916617b61faf242abe61

Download Submit
C:\Users\Admin\AppData\Roaming\Ucoq\ezkuo.keg
Filesize
374B

MD5
03d17a88a4e349bc55c2e288ee853b0b

SHA1
d7914ddf1c0db307f8fd04767d66123f6ec701b8

SHA256
07008ff76c003387b554f3406f37832dd85323008be39154d7355fb5f16bcedf

SHA512
d0afdc068b9fbde6ba89a7ffbc2ad8e0286a9e4588643e6c27bb82514ed2da9d1824c826f4082c8e89748f39c994bf0c0bdb3bbcaad57d9e51012d69c93f1115

Download Submit
\Users\Admin\AppData\Roaming\Haroga\weub.exe
Filesize
116KB

MD5
04546d955d782c1d5852aa9975656611

SHA1
ab6ca658de7eb55c6a806a4ecdb816dbff084ff7

SHA256
79dbded6cc636aefe0506eb6a0051d562bcb9bd931441367b9518ed0d926393f

SHA512
891007f00ee4595f324ab53947baf585c303873da7e5ecdc2503117f042cadbe51216f24853c4543546a7b71651c71a3af74cbbe0c91916617b61faf242abe61

Download Submit
memory/360-116-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/360-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/360-88-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/360-60-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000055A36-mapping.dmp

Download
memory/748-103-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/748-98-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/748-97-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/748-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/748-94-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1020-112-0x00000000001F0000-0x0000000000215000-memory.dmp

Filesize
148KB

Download
memory/1020-113-0x00000000001F0000-0x0000000000215000-memory.dmp

Filesize
148KB

Download
memory/1020-114-0x00000000001F0000-0x0000000000215000-memory.dmp

Filesize
148KB

Download
memory/1020-115-0x00000000001F0000-0x0000000000215000-memory.dmp

Filesize
148KB

Download
memory/1120-68-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1120-64-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1120-66-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1120-69-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1120-67-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1220-72-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1220-75-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1220-74-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1220-73-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1268-81-0x0000000002A00000-0x0000000002A25000-memory.dmp

Filesize
148KB

Download
memory/1268-80-0x0000000002A00000-0x0000000002A25000-memory.dmp

Filesize
148KB

Download
memory/1268-79-0x0000000002A00000-0x0000000002A25000-memory.dmp

Filesize
148KB

Download
memory/1268-78-0x0000000002A00000-0x0000000002A25000-memory.dmp

Filesize
148KB

Download
memory/1604-119-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1604-120-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1604-121-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1604-122-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1932-109-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1932-108-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1932-106-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1932-107-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2000-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2000-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/2000-90-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/2000-100-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2000-57-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download
memory/2000-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2000-55-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download
memory/2000-87-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/2000-86-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/2000-85-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/2000-84-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads