e33d33ca9654eb33b767b3d5f2491301fe2b18b3d8fff630dbd140fd7e1f0215

Analysis

max time kernel
147s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
Size

222KB
MD5

0e7ade8c12f0c6ef083d4a452bd7dfb5
SHA1

36ff6165bce937232a335ce7d165853c5f239cdf
SHA256

e33d33ca9654eb33b767b3d5f2491301fe2b18b3d8fff630dbd140fd7e1f0215
SHA512

9cc7eacddc5ae7c046524711937e3c161f9d9e26febd08ddb00ac4678d29b54ebdf623f3825a39822526485f9566c0460ffed25736ab4b3a884adfb2303f6610
SSDEEP

6144:SosZZfyqdnCIEfFutYRlUcUJDfNZ+kB/sM:SoKZfyKCIEZacGfNRH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	Mmokoa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\J40NOZ44HU = "C:\\Windows\\Mmokoa.exe"	Mmokoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Mmokoa.exe	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
File created	C:\Windows\Mmokoa.exe	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Mmokoa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	Mmokoa.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International	Mmokoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe
1992	Mmokoa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	Mmokoa.exe
1992	Mmokoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1992	2688	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe	28
PID 2688 wrote to memory of 1992	2688	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe	28
PID 2688 wrote to memory of 1992	2688	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe	28
PID 2688 wrote to memory of 1992	2688	0e7ade8c12f0c6ef083d4a452bd7dfb5.exe	28

C:\Users\Admin\AppData\Local\Temp\0e7ade8c12f0c6ef083d4a452bd7dfb5.exe
"C:\Users\Admin\AppData\Local\Temp\0e7ade8c12f0c6ef083d4a452bd7dfb5.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\Mmokoa.exe
  C:\Windows\Mmokoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mmokoa.exe

Filesize
222KB

MD5
0e7ade8c12f0c6ef083d4a452bd7dfb5

SHA1
36ff6165bce937232a335ce7d165853c5f239cdf

SHA256
e33d33ca9654eb33b767b3d5f2491301fe2b18b3d8fff630dbd140fd7e1f0215

SHA512
9cc7eacddc5ae7c046524711937e3c161f9d9e26febd08ddb00ac4678d29b54ebdf623f3825a39822526485f9566c0460ffed25736ab4b3a884adfb2303f6610

Download Submit
C:\Windows\Mmokoa.exe

Filesize
162KB

MD5
6cca2363a363df3bfa252c2adbfb6c26

SHA1
7b818a90a3bd3ce86f94e12b0b93ff4e53da3ce7

SHA256
d6f486459e0094c987c5badec44888ae8c6ed412c57ae2288bb5162a4afc65a3

SHA512
d4b476aa38af030193f7460c34118afb1995cdb0b2f5c2543a1ccb53b067fbc133d7250fa3e30669be63fb3e83aed70b70b4dd1cb8f1694a3ca4c02d9a44e2ae

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
344B

MD5
85987eb9e39fe17bd746855ed694da2a

SHA1
7daea96ee0d1ca5357ca6457ad6182aa1a6cf83f

SHA256
d0380dd282e256b1d6648997c444dedd55bafd6cee64072914707628d3953e7f

SHA512
36295bc3d32c6d9d19818eb282930f6d7ff7cc8113133b5651f0beaf8c95f2fd0d0f128d29cb3b05bc46fa1a4a83179e8318eba37eea122fde736982835faca3

Download Submit
memory/1992-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-53471-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-53474-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-53475-0x0000000072DD0000-0x0000000073E32000-memory.dmp

Filesize
16.4MB

Download
memory/1992-53476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2688-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-37256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-53472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download