022bb7e17a2e044b664ccdd88530f93c6a97213ae43e12ac8623c0b4657e5104

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dfba448bce4408a7c9f3492c6876325.exe
Size

298KB
MD5

0dfba448bce4408a7c9f3492c6876325
SHA1

24ef027617bbc0d19b511a4fff983f48cbd11bbb
SHA256

022bb7e17a2e044b664ccdd88530f93c6a97213ae43e12ac8623c0b4657e5104
SHA512

91f6082c784116016c41d2d1a19a83e4a17744d00193691fba0b8ab14509aeb1173c04b61e3606e03112adf8bde71835bee4f7331d080b897d162f93a1193819
SSDEEP

6144:4awRHWSIg118HWULKjC7Jif1mO45xiVN0cp0cyI4m:49jIaC7Jy45xiko0cyI4m

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1884	oznol.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	0dfba448bce4408a7c9f3492c6876325.exe
1636	0dfba448bce4408a7c9f3492c6876325.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6F76ACC8-CEF3-AD4E-FF1F-3295E8F41188} = "C:\\Users\\Admin\\AppData\\Roaming\\Ydaput\\oznol.exe"	oznol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
888	2032	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy	0dfba448bce4408a7c9f3492c6876325.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0dfba448bce4408a7c9f3492c6876325.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe
1884	oznol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1636	0dfba448bce4408a7c9f3492c6876325.exe
Token: SeSecurityPrivilege	1636	0dfba448bce4408a7c9f3492c6876325.exe
Token: SeSecurityPrivilege	1636	0dfba448bce4408a7c9f3492c6876325.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1636	0dfba448bce4408a7c9f3492c6876325.exe
1884	oznol.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1884	1636	0dfba448bce4408a7c9f3492c6876325.exe	28
PID 1636 wrote to memory of 1884	1636	0dfba448bce4408a7c9f3492c6876325.exe	28
PID 1636 wrote to memory of 1884	1636	0dfba448bce4408a7c9f3492c6876325.exe	28
PID 1636 wrote to memory of 1884	1636	0dfba448bce4408a7c9f3492c6876325.exe	28
PID 1884 wrote to memory of 1120	1884	oznol.exe	14
PID 1884 wrote to memory of 1120	1884	oznol.exe	14
PID 1884 wrote to memory of 1120	1884	oznol.exe	14
PID 1884 wrote to memory of 1120	1884	oznol.exe	14
PID 1884 wrote to memory of 1120	1884	oznol.exe	14
PID 1884 wrote to memory of 1180	1884	oznol.exe	13
PID 1884 wrote to memory of 1180	1884	oznol.exe	13
PID 1884 wrote to memory of 1180	1884	oznol.exe	13
PID 1884 wrote to memory of 1180	1884	oznol.exe	13
PID 1884 wrote to memory of 1180	1884	oznol.exe	13
PID 1884 wrote to memory of 1260	1884	oznol.exe	12
PID 1884 wrote to memory of 1260	1884	oznol.exe	12
PID 1884 wrote to memory of 1260	1884	oznol.exe	12
PID 1884 wrote to memory of 1260	1884	oznol.exe	12
PID 1884 wrote to memory of 1260	1884	oznol.exe	12
PID 1884 wrote to memory of 896	1884	oznol.exe	10
PID 1884 wrote to memory of 896	1884	oznol.exe	10
PID 1884 wrote to memory of 896	1884	oznol.exe	10
PID 1884 wrote to memory of 896	1884	oznol.exe	10
PID 1884 wrote to memory of 896	1884	oznol.exe	10
PID 1884 wrote to memory of 1636	1884	oznol.exe	19
PID 1884 wrote to memory of 1636	1884	oznol.exe	19
PID 1884 wrote to memory of 1636	1884	oznol.exe	19
PID 1884 wrote to memory of 1636	1884	oznol.exe	19
PID 1884 wrote to memory of 1636	1884	oznol.exe	19
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 1636 wrote to memory of 2032	1636	0dfba448bce4408a7c9f3492c6876325.exe	29
PID 2032 wrote to memory of 888	2032	cmd.exe	31
PID 2032 wrote to memory of 888	2032	cmd.exe	31
PID 2032 wrote to memory of 888	2032	cmd.exe	31
PID 2032 wrote to memory of 888	2032	cmd.exe	31
PID 1884 wrote to memory of 588	1884	oznol.exe	30
PID 1884 wrote to memory of 588	1884	oznol.exe	30
PID 1884 wrote to memory of 588	1884	oznol.exe	30
PID 1884 wrote to memory of 588	1884	oznol.exe	30
PID 1884 wrote to memory of 588	1884	oznol.exe	30
PID 1884 wrote to memory of 888	1884	oznol.exe	31
PID 1884 wrote to memory of 888	1884	oznol.exe	31
PID 1884 wrote to memory of 888	1884	oznol.exe	31
PID 1884 wrote to memory of 888	1884	oznol.exe	31
PID 1884 wrote to memory of 888	1884	oznol.exe	31

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\0dfba448bce4408a7c9f3492c6876325.exe
  "C:\Users\Admin\AppData\Local\Temp\0dfba448bce4408a7c9f3492c6876325.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Roaming\Ydaput\oznol.exe
    "C:\Users\Admin\AppData\Roaming\Ydaput\oznol.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ca6773b.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 116
      4⤵
      Program crash
      PID:888

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1072321675866274578-184780819-2973093101163349538-1766942531738204485396571127"
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tusui\loam.elk

Filesize
366B

MD5
6dd85ae06c571b6a107ecd084227cce2

SHA1
143bed9984ce5e7019c875af196baae998bf35a7

SHA256
347bce028ff501ceaf792e1f1396b338e8fb8536996aa2730aee42908161c38f

SHA512
45fec35ceff47b3d0b0d000ba2e54f02570e8938e4d2d471a2148388a0c765a6254f4457517f60c4c09a5f31ec882d5bfe45c2216d7474888b803d9180a1a0e8

Download Submit
\Users\Admin\AppData\Roaming\Ydaput\oznol.exe

Filesize
298KB

MD5
bca699e2610040c6967e5e1f2c3f314b

SHA1
f3b464c88dd35751b61da69254f826c085dd3d35

SHA256
b488cb8b985ffe97dae75a59aa033a75668792c97012e795030bbc36cc5feadb

SHA512
29fdad1f4d0f5aa525a87b8fef466f062e3ee3c9c82fd38cdcbfb9cb8d066f94eec67fa54cc9b973727ca45c13233498ef1276edee0f380a2a0c807c04d43d03

Download Submit
memory/888-283-0x0000000000D30000-0x0000000000D71000-memory.dmp

Filesize
260KB

Download
memory/888-280-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/888-185-0x0000000000D30000-0x0000000000D71000-memory.dmp

Filesize
260KB

Download
memory/888-187-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/896-42-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/896-40-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/896-39-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/896-41-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/1120-26-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1120-24-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1120-22-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1120-20-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1180-30-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1180-29-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1180-31-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1180-32-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1260-35-0x0000000002B80000-0x0000000002BC1000-memory.dmp

Filesize
260KB

Download
memory/1260-36-0x0000000002B80000-0x0000000002BC1000-memory.dmp

Filesize
260KB

Download
memory/1260-37-0x0000000002B80000-0x0000000002BC1000-memory.dmp

Filesize
260KB

Download
memory/1260-34-0x0000000002B80000-0x0000000002BC1000-memory.dmp

Filesize
260KB

Download
memory/1636-77-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-55-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/1636-79-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-83-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-145-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-81-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-48-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-75-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-73-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-71-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-69-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-67-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-65-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-61-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-59-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-57-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-51-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-170-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-169-0x00000000002D0000-0x0000000000328000-memory.dmp

Filesize
352KB

Download
memory/1636-54-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-53-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/1636-50-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1636-49-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-47-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-46-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-45-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1636-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1636-1-0x00000000002D0000-0x0000000000328000-memory.dmp

Filesize
352KB

Download
memory/1884-16-0x0000000000380000-0x00000000003D8000-memory.dmp

Filesize
352KB

Download
memory/1884-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-15-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download