Analysis

  • max time kernel
    112s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2023 04:22

General

  • Target
    stage/orochi.swf
  • Size
    242KB
  • MD5
    635db6e1d9ebf05c87769c0c6691ca59
  • SHA1
    141306472e7bef3cfabd9e9f2d5af43f9a16e058
  • SHA256
    ab09043c168a2a6f43819e0f42a8dc1526a117d9f0d7da1eae6fe0a317fe4583
  • SHA512
    21cc6ee80a834fdc0147cbd31124c681476ae85cddb1ddd64c2a04745556a2b3ef7e9c59f4d9bbd60c2188fa44dff27a1ef7b212b9f95c858807b256c0442a8f
  • SSDEEP
    6144:ztmMGpSTpQSwemZIbOyv6rltqQY140Rf1WHe7i:ztb4vvOCq6JtqQ4Ti

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\stage\orochi.swf
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stage\orochi.swf
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\stage\orochi.swf
        3⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1512

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\suggestions[1].en-US
    Filesize
    17KB
    MD5
    5a34cb996293fde2cb7a4ac89587393a
    SHA1
    3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256
    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512
    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JD20PZFI.txt
    Filesize
    608B
    MD5
    22e5f4482f3b12d9f5318fa24e836635
    SHA1
    6c829134ca2ba6fe07574bffc20a5b6d66626dcf
    SHA256
    edbaba4860edd4397199a12f566a2fd6714a09803cbf378be048868811fb0065
    SHA512
    d493327860ff46c8e065acf04f0ee300941f06eca469dadff788a26c0e1f2816e28c86f0233bef8b8545b77b640aa989c50257b93b838556fa77e0b63f859e7c