5772a906a31f122517d868725978155e36a49136ccf90f7a6e9d8423f86b5481

Resubmissions

21/09/2023, 07:25

230921-h9ggmsgc45 7

21/09/2023, 07:15

230921-h3pvfagb35 8

Analysis

max time kernel
600s
max time network
601s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO.exe
Size

385KB
MD5

cb3189302cc617861bf7e82a97501db7
SHA1

e094abe55caf8ded3f3f9a9b0d26346589234750
SHA256

5772a906a31f122517d868725978155e36a49136ccf90f7a6e9d8423f86b5481
SHA512

34bafb7ff9117ea9875049648513079fb6f1eb1d39d3cc10edfa6ac2bf984b97fb4c83854d1d969f2e3c8f0122611f544f02aacff94c28b9a41ff87b06924d21
SSDEEP

12288:vYpG6CYyxy1mGMsvjRk/34gArcWlA2I5Vsn:vYpuxyOIy3bc7Qg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\Geo\Nation	eowebxl.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	eowebxl.exe
2876	eowebxl.exe

Loads dropped DLL 3 IoCs

pid	Process
1200	PO.exe
2096	eowebxl.exe
2796	cmmon32.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2876	2096	eowebxl.exe	29
PID 2876 set thread context of 1208	2876	eowebxl.exe	9
PID 2876 set thread context of 2796	2876	eowebxl.exe	31
PID 2796 set thread context of 1208	2796	cmmon32.exe	9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-686452656-3203474025-4140627569-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2876	eowebxl.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2096	eowebxl.exe
2876	eowebxl.exe
1208	Explorer.EXE
1208	Explorer.EXE
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe
2796	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	eowebxl.exe
Token: SeDebugPrivilege	2796	cmmon32.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2096	1200	PO.exe	28
PID 1200 wrote to memory of 2096	1200	PO.exe	28
PID 1200 wrote to memory of 2096	1200	PO.exe	28
PID 1200 wrote to memory of 2096	1200	PO.exe	28
PID 2096 wrote to memory of 2876	2096	eowebxl.exe	29
PID 2096 wrote to memory of 2876	2096	eowebxl.exe	29
PID 2096 wrote to memory of 2876	2096	eowebxl.exe	29
PID 2096 wrote to memory of 2876	2096	eowebxl.exe	29
PID 2096 wrote to memory of 2876	2096	eowebxl.exe	29
PID 1208 wrote to memory of 2796	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2796	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2796	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2796	1208	Explorer.EXE	31
PID 2796 wrote to memory of 2476	2796	cmmon32.exe	36
PID 2796 wrote to memory of 2476	2796	cmmon32.exe	36
PID 2796 wrote to memory of 2476	2796	cmmon32.exe	36
PID 2796 wrote to memory of 2476	2796	cmmon32.exe	36
PID 2796 wrote to memory of 2476	2796	cmmon32.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\eowebxl.exe
    "C:\Users\Admin\AppData\Local\Temp\eowebxl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\eowebxl.exe
      "C:\Users\Admin\AppData\Local\Temp\eowebxl.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2876
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eowebxl.exe

Filesize
200KB

MD5
d892bbb27689d7e26f086a7b3be36393

SHA1
fa4fb597884fcfbe132d6a119ddeed4020e6692a

SHA256
109d05c994f8db7d25baa7163eb61e90c82130ab8716e241c99b6fbabfb9a985

SHA512
3e957325372e5fc971648a9a8582328486bcdd17c0fbd31b11ce4dc429b52fff34096c4ef31b98f5e13f567eae33f7cb4a31fd2369dc28230ca86485d83302b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eowebxl.exe

Filesize
200KB

MD5
d892bbb27689d7e26f086a7b3be36393

SHA1
fa4fb597884fcfbe132d6a119ddeed4020e6692a

SHA256
109d05c994f8db7d25baa7163eb61e90c82130ab8716e241c99b6fbabfb9a985

SHA512
3e957325372e5fc971648a9a8582328486bcdd17c0fbd31b11ce4dc429b52fff34096c4ef31b98f5e13f567eae33f7cb4a31fd2369dc28230ca86485d83302b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eowebxl.exe

Filesize
200KB

MD5
d892bbb27689d7e26f086a7b3be36393

SHA1
fa4fb597884fcfbe132d6a119ddeed4020e6692a

SHA256
109d05c994f8db7d25baa7163eb61e90c82130ab8716e241c99b6fbabfb9a985

SHA512
3e957325372e5fc971648a9a8582328486bcdd17c0fbd31b11ce4dc429b52fff34096c4ef31b98f5e13f567eae33f7cb4a31fd2369dc28230ca86485d83302b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvvyz.sx

Filesize
249KB

MD5
b521da60b4763cbb36eefd038dc7181a

SHA1
71660e78081d0a49cc1604b6d1ff75e04156eeff

SHA256
9e41b2a891049f4d84a85e9ff77c5983ac5baaf6eb397910b57dd0082062b295

SHA512
f18330e5c970726d99f317723bdfbc19b8631707157ebf30b4c3812ae073b135eda396c9c3569dbea8d724a77480ec4d539a6a221060deef976087c86653d352

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvxxdrix.zip

Filesize
478KB

MD5
72b88067a5a1a4f8d52c45e6621d13fe

SHA1
f84542474b8583f4371749282e5cc4d52661c222

SHA256
70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092

SHA512
a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d

Download Submit
\Users\Admin\AppData\Local\Temp\eowebxl.exe

Filesize
200KB

MD5
d892bbb27689d7e26f086a7b3be36393

SHA1
fa4fb597884fcfbe132d6a119ddeed4020e6692a

SHA256
109d05c994f8db7d25baa7163eb61e90c82130ab8716e241c99b6fbabfb9a985

SHA512
3e957325372e5fc971648a9a8582328486bcdd17c0fbd31b11ce4dc429b52fff34096c4ef31b98f5e13f567eae33f7cb4a31fd2369dc28230ca86485d83302b6

Download Submit
\Users\Admin\AppData\Local\Temp\eowebxl.exe

Filesize
200KB

MD5
d892bbb27689d7e26f086a7b3be36393

SHA1
fa4fb597884fcfbe132d6a119ddeed4020e6692a

SHA256
109d05c994f8db7d25baa7163eb61e90c82130ab8716e241c99b6fbabfb9a985

SHA512
3e957325372e5fc971648a9a8582328486bcdd17c0fbd31b11ce4dc429b52fff34096c4ef31b98f5e13f567eae33f7cb4a31fd2369dc28230ca86485d83302b6

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/1208-31-0x0000000004AB0000-0x0000000004BAB000-memory.dmp

Filesize
1004KB

Download
memory/1208-28-0x0000000004AB0000-0x0000000004BAB000-memory.dmp

Filesize
1004KB

Download
memory/1208-27-0x0000000004AB0000-0x0000000004BAB000-memory.dmp

Filesize
1004KB

Download
memory/1208-25-0x0000000008C90000-0x0000000008F4E000-memory.dmp

Filesize
2.7MB

Download
memory/1208-18-0x0000000008C90000-0x0000000008F4E000-memory.dmp

Filesize
2.7MB

Download
memory/2096-6-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/2796-19-0x00000000000F0000-0x0000000000126000-memory.dmp

Filesize
216KB

Download
memory/2796-26-0x0000000000940000-0x00000000009E2000-memory.dmp

Filesize
648KB

Download
memory/2796-72-0x0000000061E00000-0x0000000061ECF000-memory.dmp

Filesize
828KB

Download
memory/2796-30-0x0000000000940000-0x00000000009E2000-memory.dmp

Filesize
648KB

Download
memory/2796-23-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/2796-24-0x00000000000F0000-0x0000000000126000-memory.dmp

Filesize
216KB

Download
memory/2796-29-0x00000000000F0000-0x0000000000126000-memory.dmp

Filesize
216KB

Download
memory/2796-20-0x00000000000F0000-0x0000000000126000-memory.dmp

Filesize
216KB

Download
memory/2876-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-17-0x00000000001A0000-0x00000000001C3000-memory.dmp

Filesize
140KB

Download
memory/2876-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-13-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/2876-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-22-0x00000000001A0000-0x00000000001C3000-memory.dmp

Filesize
140KB

Download