727f09e37d8f54a1ede12bf8bc0ce9f8edddcd6d130e6a0802963cfc60ec8c17

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04758d397c81638f9146e4b54849e68f.exe
Size

220KB
MD5

04758d397c81638f9146e4b54849e68f
SHA1

61c42b655952a846737e079f72c83e73f05d3c29
SHA256

727f09e37d8f54a1ede12bf8bc0ce9f8edddcd6d130e6a0802963cfc60ec8c17
SHA512

c393087274f282686124bc445460426241231ff7b95afb76ea8146836e77b0123baecc248734d78034618d812e3ffe9613b50567b545b36694ea9f25d6e997d4
SSDEEP

3072:yOkEXFtVI7huijyivefSjIeVXcJZn+ehHcNeBS1SNmiH3jDfRtoJpUCIwZ1ApqKw:fkEXFtV6nFxXcJZkNe6fQB2zUDw

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\imapioko.sys	04758d397c81638f9146e4b54849e68f.exe.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2576	netsh.exe
2644	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cpqoko6\Parameters\ServiceDll = "C:\\Windows\\system32\\erokosvc.dll"	reg.exe

Deletes itself 1 IoCs

pid	Process
2060	cMd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	04758d397c81638f9146e4b54849e68f.exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2792	CmD.exe
2792	CmD.exe
1056	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\erokosvc.dll	04758d397c81638f9146e4b54849e68f.exe.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2072	sc.exe
456	sc.exe
1728	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2556	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TP = "1000"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	svchost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3012	1984	04758d397c81638f9146e4b54849e68f.exe	28
PID 1984 wrote to memory of 3012	1984	04758d397c81638f9146e4b54849e68f.exe	28
PID 1984 wrote to memory of 3012	1984	04758d397c81638f9146e4b54849e68f.exe	28
PID 1984 wrote to memory of 3012	1984	04758d397c81638f9146e4b54849e68f.exe	28
PID 1984 wrote to memory of 2792	1984	04758d397c81638f9146e4b54849e68f.exe	30
PID 1984 wrote to memory of 2792	1984	04758d397c81638f9146e4b54849e68f.exe	30
PID 1984 wrote to memory of 2792	1984	04758d397c81638f9146e4b54849e68f.exe	30
PID 1984 wrote to memory of 2792	1984	04758d397c81638f9146e4b54849e68f.exe	30
PID 2792 wrote to memory of 2840	2792	CmD.exe	32
PID 2792 wrote to memory of 2840	2792	CmD.exe	32
PID 2792 wrote to memory of 2840	2792	CmD.exe	32
PID 2792 wrote to memory of 2840	2792	CmD.exe	32
PID 1984 wrote to memory of 2060	1984	04758d397c81638f9146e4b54849e68f.exe	35
PID 1984 wrote to memory of 2060	1984	04758d397c81638f9146e4b54849e68f.exe	35
PID 1984 wrote to memory of 2060	1984	04758d397c81638f9146e4b54849e68f.exe	35
PID 1984 wrote to memory of 2060	1984	04758d397c81638f9146e4b54849e68f.exe	35
PID 2060 wrote to memory of 2688	2060	cMd.exe	37
PID 2060 wrote to memory of 2688	2060	cMd.exe	37
PID 2060 wrote to memory of 2688	2060	cMd.exe	37
PID 2060 wrote to memory of 2688	2060	cMd.exe	37
PID 2060 wrote to memory of 2576	2060	cMd.exe	38
PID 2060 wrote to memory of 2576	2060	cMd.exe	38
PID 2060 wrote to memory of 2576	2060	cMd.exe	38
PID 2060 wrote to memory of 2576	2060	cMd.exe	38
PID 2060 wrote to memory of 2644	2060	cMd.exe	39
PID 2060 wrote to memory of 2644	2060	cMd.exe	39
PID 2060 wrote to memory of 2644	2060	cMd.exe	39
PID 2060 wrote to memory of 2644	2060	cMd.exe	39
PID 2060 wrote to memory of 2072	2060	cMd.exe	40
PID 2060 wrote to memory of 2072	2060	cMd.exe	40
PID 2060 wrote to memory of 2072	2060	cMd.exe	40
PID 2060 wrote to memory of 2072	2060	cMd.exe	40
PID 2060 wrote to memory of 3036	2060	cMd.exe	41
PID 2060 wrote to memory of 3036	2060	cMd.exe	41
PID 2060 wrote to memory of 3036	2060	cMd.exe	41
PID 2060 wrote to memory of 3036	2060	cMd.exe	41
PID 2060 wrote to memory of 2400	2060	cMd.exe	42
PID 2060 wrote to memory of 2400	2060	cMd.exe	42
PID 2060 wrote to memory of 2400	2060	cMd.exe	42
PID 2060 wrote to memory of 2400	2060	cMd.exe	42
PID 2060 wrote to memory of 2068	2060	cMd.exe	43
PID 2060 wrote to memory of 2068	2060	cMd.exe	43
PID 2060 wrote to memory of 2068	2060	cMd.exe	43
PID 2060 wrote to memory of 2068	2060	cMd.exe	43
PID 2060 wrote to memory of 456	2060	cMd.exe	44
PID 2060 wrote to memory of 456	2060	cMd.exe	44
PID 2060 wrote to memory of 456	2060	cMd.exe	44
PID 2060 wrote to memory of 456	2060	cMd.exe	44
PID 2060 wrote to memory of 1728	2060	cMd.exe	46
PID 2060 wrote to memory of 1728	2060	cMd.exe	46
PID 2060 wrote to memory of 1728	2060	cMd.exe	46
PID 2060 wrote to memory of 1728	2060	cMd.exe	46
PID 2060 wrote to memory of 2556	2060	cMd.exe	47
PID 2060 wrote to memory of 2556	2060	cMd.exe	47
PID 2060 wrote to memory of 2556	2060	cMd.exe	47
PID 2060 wrote to memory of 2556	2060	cMd.exe	47

C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe
"C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\CmD.exe
  CmD /c copy "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe" "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\CmD.exe
  CmD /c ""C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe" /okoarg > "C:\Users\Admin\AppData\Local\Temp\w3oko.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe" /okoarg
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2840
- C:\Windows\SysWOW64\cMd.exe
  cMd /c "C:\Users\Admin\AppData\Local\Temp\w3oko.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\reg.exe
    reG aDd "hklm\SOFTWARE\Microsoft\Internet Explorer\Main" /v TP /t ReG_Sz /d 1000 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2688
- - C:\Windows\SysWOW64\netsh.exe
    NetSh FIReWAlL Add allOweDPrOgrAm naMe="BlueSoleil OKO" prOGram="C:\Windows\system32\svchost.exe" mode=ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2576
- - C:\Windows\SysWOW64\netsh.exe
    nETsH fIrEwaLl aDD pOrToPEnIng tcP 8085 "OKOToGate" eNABLe
    3⤵
    - Modifies Windows Firewall
    PID:2644
- - C:\Windows\SysWOW64\sc.exe
    Sc CreATe "cpqoko6" tyPE= share start= auto binPaTh= "C:\Windows\system32\svchost.exe -k tapisrvs" DisplayName= "Service Serenum Temporary CPL Search HID Bluetooth SyncMgr"
    3⤵
    - Launches sc.exe
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6\Parameters" /v ServiceDll /t ReG_EXpaND_Sz /d "C:\Windows\system32\erokosvc.dll" /f
    3⤵
    - Sets DLL path for service in the registry
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6" /v FailureActions /t rEG_BInaRY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    ReG adD "hklm\SOfTwaRe\mIcrOSoFt\WiNdoWs nt\CURrENtveRSiOn\svcHoSt" /v tapisrvs /t rEg_mULti_sz /d "cpqoko6\0" /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\sc.exe
    sc start "cpqoko6"
    3⤵
    - Launches sc.exe
    PID:456
- - C:\Windows\SysWOW64\sc.exe
    sc boot ok
    3⤵
    - Launches sc.exe
    PID:1728
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k tapisrvs
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\w3oko.bat

Filesize
1KB

MD5
fb18f8577093aac5c56b2944f6ab2f5d

SHA1
461fce72325f0c87dd5b6b06df0a0811ded9d319

SHA256
1d990e5397cfd57eafb5bc8e0832a8ee7c59b71606cdab31f232e6a15e4450dc

SHA512
31f94379808b73d5e0e0b0a2ad2abd2f8abaa1481edd8cc0d18ec131a88ebc1a2cdb5b1fafb4d82775a286c4c2c06d119170bf19e10f09e77fd9cd2761de7b49

Download Submit
\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe

Filesize
220KB

MD5
04758d397c81638f9146e4b54849e68f

SHA1
61c42b655952a846737e079f72c83e73f05d3c29

SHA256
727f09e37d8f54a1ede12bf8bc0ce9f8edddcd6d130e6a0802963cfc60ec8c17

SHA512
c393087274f282686124bc445460426241231ff7b95afb76ea8146836e77b0123baecc248734d78034618d812e3ffe9613b50567b545b36694ea9f25d6e997d4

Download Submit
\Windows\SysWOW64\erokosvc.dll

Filesize
118KB

MD5
14947076c826c1ae5cb965cd1bd2efcb

SHA1
550a0115ad401ce0c37ec45de94c9004ff46cc4b

SHA256
f49a73b3006891c7fcf38157f3923c44fe89e4f298429b2df6139c2e2964f9e0

SHA512
6cf84506bc1e8c045e61eea107c36809f246d1a535d01d77760f8cba3e57a32028254fc053afae30342f18adb164b3fb10bdcbeb0c3520923a16d9b7f1c19169

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads