3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

odox.exe

pid process

1388 odox.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

840 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

1496 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
840	cmd.exe

pid	process
1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

odox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	odox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{24FA8574-788F-795B-F6FB-BD3699435C3D} = "C:\\Users\\Admin\\AppData\\Roaming\\Mookim\\odox.exe"	odox.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 1496 set thread context of 840 1496 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 1496 set thread context of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

odox.exe

pid	process
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe
1388	odox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeodox.exe

description	pid	process	target process
PID 1496 wrote to memory of 1388	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	odox.exe
PID 1496 wrote to memory of 1388	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	odox.exe
PID 1496 wrote to memory of 1388	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	odox.exe
PID 1496 wrote to memory of 1388	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	odox.exe
PID 1388 wrote to memory of 1280	1388	odox.exe	taskhost.exe
PID 1388 wrote to memory of 1280	1388	odox.exe	taskhost.exe
PID 1388 wrote to memory of 1280	1388	odox.exe	taskhost.exe
PID 1388 wrote to memory of 1280	1388	odox.exe	taskhost.exe
PID 1388 wrote to memory of 1280	1388	odox.exe	taskhost.exe
PID 1388 wrote to memory of 1396	1388	odox.exe	Dwm.exe
PID 1388 wrote to memory of 1396	1388	odox.exe	Dwm.exe
PID 1388 wrote to memory of 1396	1388	odox.exe	Dwm.exe
PID 1388 wrote to memory of 1396	1388	odox.exe	Dwm.exe
PID 1388 wrote to memory of 1396	1388	odox.exe	Dwm.exe
PID 1388 wrote to memory of 1424	1388	odox.exe	Explorer.EXE
PID 1388 wrote to memory of 1424	1388	odox.exe	Explorer.EXE
PID 1388 wrote to memory of 1424	1388	odox.exe	Explorer.EXE
PID 1388 wrote to memory of 1424	1388	odox.exe	Explorer.EXE
PID 1388 wrote to memory of 1424	1388	odox.exe	Explorer.EXE
PID 1388 wrote to memory of 1496	1388	odox.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1388 wrote to memory of 1496	1388	odox.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1388 wrote to memory of 1496	1388	odox.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1388 wrote to memory of 1496	1388	odox.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1388 wrote to memory of 1496	1388	odox.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1388 wrote to memory of 1912	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1912	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1912	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1912	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1912	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1144	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1144	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1144	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1144	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1144	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1736	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1736	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1736	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1736	1388	odox.exe	DllHost.exe
PID 1388 wrote to memory of 1736	1388	odox.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\Mookim\odox.exe
"C:\Users\Admin\AppData\Roaming\Mookim\odox.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa04a7cf1.bat"
3⤵
- Deletes itself
PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1396

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa04a7cf1.bat
Filesize
259B

MD5
6452df3662c558f34dc9b4d916f249b2

SHA1
a9607de4bf7cd76e5c2a978632671c136e0aeb8e

SHA256
d8f0f96fe70d97a1f63cc0cedff07d5e17374d36575ffb9640ac1073c99bb8f7

SHA512
e85014f960e2254b48265179b0f221e45eea4b1032de291aee0ac2f7d5bfbc5accfc40fa967f4bebfc47328445b0628d3183b5685ef495b58625a4082b9d9817

Download Submit
C:\Users\Admin\AppData\Roaming\Mookim\odox.exe
Filesize
116KB

MD5
5ad27d6e3d2f9fc092a0ad2afa75d422

SHA1
d4057a9ee8c5702fb2ae33ffdc1acf31eab83072

SHA256
ed39e8a3b614f8f7010e481dfb3b9dc134c3122e66fccb88f7ad6e6455997dcb

SHA512
99a0902ab1da51f4509a23cd07e8b51efd7fefddc1ac938604d1d071346bb77d5cc23d6cb5dd94b58ddef7f6cd1abf72c488fd2e1728b884d7738531d59bc7be

Download Submit
C:\Users\Admin\AppData\Roaming\Mookim\odox.exe
Filesize
116KB

MD5
5ad27d6e3d2f9fc092a0ad2afa75d422

SHA1
d4057a9ee8c5702fb2ae33ffdc1acf31eab83072

SHA256
ed39e8a3b614f8f7010e481dfb3b9dc134c3122e66fccb88f7ad6e6455997dcb

SHA512
99a0902ab1da51f4509a23cd07e8b51efd7fefddc1ac938604d1d071346bb77d5cc23d6cb5dd94b58ddef7f6cd1abf72c488fd2e1728b884d7738531d59bc7be

Download Submit
C:\Users\Admin\AppData\Roaming\Obguuk\piuxn.ycv
Filesize
374B

MD5
ddfb10f8e2b0b8f81831f422ee0243ad

SHA1
d78eeaaa03e2225cc070f2b3d0ab711a8e81560c

SHA256
e72ec7dfead565b6cff2125467b580ca24bda5605cb52c7c281f345de16eacc7

SHA512
05df778ea0a78051fa31e24aec4c5f5ad28381b07f163211dba5d0bb12f5a3858ddecbcee58e1793bdac67662ab49777736d7ed2827050c7f8bff3b336e92bd8

Download Submit
\Users\Admin\AppData\Roaming\Mookim\odox.exe
Filesize
116KB

MD5
5ad27d6e3d2f9fc092a0ad2afa75d422

SHA1
d4057a9ee8c5702fb2ae33ffdc1acf31eab83072

SHA256
ed39e8a3b614f8f7010e481dfb3b9dc134c3122e66fccb88f7ad6e6455997dcb

SHA512
99a0902ab1da51f4509a23cd07e8b51efd7fefddc1ac938604d1d071346bb77d5cc23d6cb5dd94b58ddef7f6cd1abf72c488fd2e1728b884d7738531d59bc7be

Download Submit
memory/840-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/840-102-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/840-98-0x0000000000055A36-mapping.dmp

Download
memory/840-97-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/840-95-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/840-93-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1144-112-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1144-114-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1144-111-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1144-113-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1280-68-0x0000000001BE0000-0x0000000001C05000-memory.dmp

Filesize
148KB

Download
memory/1280-66-0x0000000001BE0000-0x0000000001C05000-memory.dmp

Filesize
148KB

Download
memory/1280-67-0x0000000001BE0000-0x0000000001C05000-memory.dmp

Filesize
148KB

Download
memory/1280-65-0x0000000001BE0000-0x0000000001C05000-memory.dmp

Filesize
148KB

Download
memory/1280-63-0x0000000001BE0000-0x0000000001C05000-memory.dmp

Filesize
148KB

Download
memory/1388-87-0x00000000002D0000-0x00000000002F5000-memory.dmp

Filesize
148KB

Download
memory/1388-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1388-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1388-59-0x0000000000000000-mapping.dmp

Download
memory/1396-73-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1396-74-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1396-72-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1396-71-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1424-80-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1424-79-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1424-78-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1424-77-0x0000000002AF0000-0x0000000002B15000-memory.dmp

Filesize
148KB

Download
memory/1496-86-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1496-83-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1496-99-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-89-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1496-85-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1496-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1496-55-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1496-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-84-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1736-118-0x00000000005D0000-0x00000000005F5000-memory.dmp

Filesize
148KB

Download
memory/1736-119-0x00000000005D0000-0x00000000005F5000-memory.dmp

Filesize
148KB

Download
memory/1736-120-0x00000000005D0000-0x00000000005F5000-memory.dmp

Filesize
148KB

Download
memory/1736-121-0x00000000005D0000-0x00000000005F5000-memory.dmp

Filesize
148KB

Download
memory/1912-108-0x0000000000620000-0x0000000000645000-memory.dmp

Filesize
148KB

Download
memory/1912-107-0x0000000000620000-0x0000000000645000-memory.dmp

Filesize
148KB

Download
memory/1912-106-0x0000000000620000-0x0000000000645000-memory.dmp

Filesize
148KB

Download
memory/1912-105-0x0000000000620000-0x0000000000645000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads