966794e8fc1be091307b4aaeee721920734278ddae04eda17f205ffada16422c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ODEME.exe
Size

1.4MB
MD5

1afac30d0748bd539783d4346facbcb3
SHA1

5c4492047f046ee05f8f8d105f3e757180f0ff10
SHA256

966794e8fc1be091307b4aaeee721920734278ddae04eda17f205ffada16422c
SHA512

cd60b13f34d2e14b966dc0f6128f24a1ce79d8946b1bcf9176d35d93193ddf7f03d214427ad5ae75fcc67f96f20242ebc512e449e6fd1856bfb7faacdb7ddd8c
SSDEEP

24576:wNA3R5drXmDgFJ1awm2KcREhI2gdFtyxSKBXk9ZDJFABAWbDT1F4RjpTSsAgb/L+:p5UVwlihHkeC9ZfqrbDn4i6L+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	dgsfgsdf.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	dgsfgsdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	server1.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	ODEME.exe

Executes dropped EXE 5 IoCs

pid	Process
1456	dgsfgsdf.sfx.exe
4476	dgsfgsdf.exe
3000	server1.sfx.exe
2560	server1.exe
1080	server1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 1080	2560	server1.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2836	1080	WerFault.exe	98

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	ODEME.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	server1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4124	DllHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3372	4400	ODEME.exe	87
PID 4400 wrote to memory of 3372	4400	ODEME.exe	87
PID 4400 wrote to memory of 3372	4400	ODEME.exe	87
PID 3372 wrote to memory of 1456	3372	cmd.exe	90
PID 3372 wrote to memory of 1456	3372	cmd.exe	90
PID 3372 wrote to memory of 1456	3372	cmd.exe	90
PID 1456 wrote to memory of 4476	1456	dgsfgsdf.sfx.exe	92
PID 1456 wrote to memory of 4476	1456	dgsfgsdf.sfx.exe	92
PID 1456 wrote to memory of 4476	1456	dgsfgsdf.sfx.exe	92
PID 4476 wrote to memory of 1620	4476	dgsfgsdf.exe	94
PID 4476 wrote to memory of 1620	4476	dgsfgsdf.exe	94
PID 4476 wrote to memory of 1620	4476	dgsfgsdf.exe	94
PID 1620 wrote to memory of 3000	1620	cmd.exe	96
PID 1620 wrote to memory of 3000	1620	cmd.exe	96
PID 1620 wrote to memory of 3000	1620	cmd.exe	96
PID 3000 wrote to memory of 2560	3000	server1.sfx.exe	97
PID 3000 wrote to memory of 2560	3000	server1.sfx.exe	97
PID 3000 wrote to memory of 2560	3000	server1.sfx.exe	97
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98
PID 2560 wrote to memory of 1080	2560	server1.exe	98

C:\Users\Admin\AppData\Local\Temp\ODEME.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwawzdg.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe
    dgsfgsdf.sfx.exe -pkgyttnwmkpiuthnjmdkolqhjyoNomeyjmjhgtprbnhotafugBbsddfdtuxTnBn -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\iloma.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\server1.sfx.exe
        
        server1.sfx.exe -pghtjkluiopmhjfjgBbsdirhndgfszafugyRfvwytndkMnfkmkaloyrhnlyunhlndfdyehn -dC:\Users\Admin\AppData\Roaming
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        
        "C:\Users\Admin\AppData\Roaming\server1.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        8⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 80
        9⤵
        Program crash
        
        PID:2836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1080 -ip 1080
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe

Filesize
1.5MB

MD5
ede974cca5d03f063e5f54cc166da9b2

SHA1
5cf6253caf78ab6801c53aa625c4194af13bcedc

SHA256
a20026e02904bdcf3f4f3c92d8cb60509be9681422fe3d835b9e65c4eea78359

SHA512
2bfc9bc0186da1ca8ee42ca938219b6c43653c1b95e970c41b3cd13c5563fb11458b9e25681e4a755e5c4fd475291a13a7f4281104e427e3009e5720e0de554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe

Filesize
1.5MB

MD5
ede974cca5d03f063e5f54cc166da9b2

SHA1
5cf6253caf78ab6801c53aa625c4194af13bcedc

SHA256
a20026e02904bdcf3f4f3c92d8cb60509be9681422fe3d835b9e65c4eea78359

SHA512
2bfc9bc0186da1ca8ee42ca938219b6c43653c1b95e970c41b3cd13c5563fb11458b9e25681e4a755e5c4fd475291a13a7f4281104e427e3009e5720e0de554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swift010.tif

Filesize
127KB

MD5
6b3831ca202119b0c2e9d67a20b1e5b3

SHA1
a339dfcc39f87defaceee7c1ea4cea8ad201ef28

SHA256
5875d3ee98bf9ccc7104fb764b38b77f237d02710ab1011908a0e0bf3dd5d78c

SHA512
a2f914e6c5f83bef2232fba67f68e1bf74df81bbb54322028a59263ef7c264fa8a98088e5185d4cb48efa6ccc6ef8015caed2a3dc7bd42ecacb0b7bcd424fa0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\swift010.tif

Filesize
127KB

MD5
6b3831ca202119b0c2e9d67a20b1e5b3

SHA1
a339dfcc39f87defaceee7c1ea4cea8ad201ef28

SHA256
5875d3ee98bf9ccc7104fb764b38b77f237d02710ab1011908a0e0bf3dd5d78c

SHA512
a2f914e6c5f83bef2232fba67f68e1bf74df81bbb54322028a59263ef7c264fa8a98088e5185d4cb48efa6ccc6ef8015caed2a3dc7bd42ecacb0b7bcd424fa0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwawzdg.cmd

Filesize
11KB

MD5
dfba212ea164cfb7c0efa47aa66ad3a6

SHA1
6f094dfcf755460f175cde6f65e9ddabd32f68eb

SHA256
2cff60863a80ef35e98e41de0c2fd4575b7910a9263305cb5835507aba6e3844

SHA512
fb3fc1a4aae037ce64b55c28db2012975ef30adca315a8adc8df65e5e08b289eed478e277ef36c81d3bbeb7ae3cfbaa283be5fde9f0fcb4a4ebc256874dad1fa

Download Submit
C:\Users\Admin\AppData\Roaming\iloma.bat

Filesize
11KB

MD5
828026a69b9016165c7bac87e6b7ebde

SHA1
6a84b3090ec280675aa93907baa8df7c025c04d0

SHA256
4c6d7e4ff1b563745a335c709065e2ac413394979665d702478935632ad21ec7

SHA512
8afa917d0a37da35c7476e5b0e94e311b32e000333ea8b7f00068e7ee618b4c4efb96be9dac0a3c510a80b58bc2e72bbb39713d464140dc229b5099e0c303514

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.sfx.exe

Filesize
846KB

MD5
4c17aa436d9ff1899b4b34efa54d30c1

SHA1
45d2df3b61da8d06f7b4f6a171b699c371b27b90

SHA256
fac2c19956c4bea5dcd24ab2deef46df4b0151cb1caa6ee147dec046c85c1ed5

SHA512
2bac08be253531507e4ade794551f7ff99c7c2d4496225ecd62f69c903c0bc886ffeac9bb8f99852e7816306704cd37a6df30aaf49f0de31838c93fa67893aa0

Download Submit
C:\Users\Admin\AppData\Roaming\server1.sfx.exe

Filesize
846KB

MD5
4c17aa436d9ff1899b4b34efa54d30c1

SHA1
45d2df3b61da8d06f7b4f6a171b699c371b27b90

SHA256
fac2c19956c4bea5dcd24ab2deef46df4b0151cb1caa6ee147dec046c85c1ed5

SHA512
2bac08be253531507e4ade794551f7ff99c7c2d4496225ecd62f69c903c0bc886ffeac9bb8f99852e7816306704cd37a6df30aaf49f0de31838c93fa67893aa0

Download Submit
memory/2560-49-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/2560-50-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/2560-51-0x0000000007C50000-0x0000000007CEC000-memory.dmp

Filesize
624KB

Download
memory/2560-52-0x00000000082A0000-0x0000000008844000-memory.dmp

Filesize
5.6MB

Download
memory/2560-53-0x0000000007D90000-0x0000000007E22000-memory.dmp

Filesize
584KB

Download
memory/2560-48-0x0000000000C80000-0x0000000000CF6000-memory.dmp

Filesize
472KB

Download
memory/2560-57-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download