dec245690b87d93788cc8eff89021dd69f069a6e2a52dbce14e4b4952542a355

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38388b46b999eb04af32f6ffe5a3cb6d.exe
Size

1.2MB
MD5

38388b46b999eb04af32f6ffe5a3cb6d
SHA1

c7628a8af84988b608dd03dce635fde70b815e1a
SHA256

dec245690b87d93788cc8eff89021dd69f069a6e2a52dbce14e4b4952542a355
SHA512

3f1ab02c1235afa14d46eb0065e26859a3156a34ed405fe3002705a9f432ec0d208db41fd969c6d621709165f4f2ffbf5576cde78b8a9fc07398352aff53ece8
SSDEEP

12288:5VrOL3zUFwNI8JGTnTcKyErfL3WICPi0ki3e5BQL:i3zzlsDW95eB

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2728	netsh.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	vohizee.exe
2596	vohizee.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	38388b46b999eb04af32f6ffe5a3cb6d.exe
2500	38388b46b999eb04af32f6ffe5a3cb6d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8F8C0273-55CC-EBDD-D7E6-1FAEF3F7D26A} = "C:\\Users\\Admin\\AppData\\Roaming\\Tasec\\vohizee.exe"	vohizee.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 2676 set thread context of 2596	2676	vohizee.exe	33

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe
2596	vohizee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
776	38388b46b999eb04af32f6ffe5a3cb6d.exe
2676	vohizee.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 776 wrote to memory of 2500	776	38388b46b999eb04af32f6ffe5a3cb6d.exe	28
PID 2500 wrote to memory of 2152	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	29
PID 2500 wrote to memory of 2152	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	29
PID 2500 wrote to memory of 2152	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	29
PID 2500 wrote to memory of 2152	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	29
PID 2500 wrote to memory of 2676	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	31
PID 2500 wrote to memory of 2676	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	31
PID 2500 wrote to memory of 2676	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	31
PID 2500 wrote to memory of 2676	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	31
PID 2152 wrote to memory of 2728	2152	cmd.exe	32
PID 2152 wrote to memory of 2728	2152	cmd.exe	32
PID 2152 wrote to memory of 2728	2152	cmd.exe	32
PID 2152 wrote to memory of 2728	2152	cmd.exe	32
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2676 wrote to memory of 2596	2676	vohizee.exe	33
PID 2596 wrote to memory of 1136	2596	vohizee.exe	10
PID 2596 wrote to memory of 1136	2596	vohizee.exe	10
PID 2596 wrote to memory of 1136	2596	vohizee.exe	10
PID 2500 wrote to memory of 2584	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	35
PID 2500 wrote to memory of 2584	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	35
PID 2500 wrote to memory of 2584	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	35
PID 2500 wrote to memory of 2584	2500	38388b46b999eb04af32f6ffe5a3cb6d.exe	35
PID 2596 wrote to memory of 1136	2596	vohizee.exe	10
PID 2596 wrote to memory of 1136	2596	vohizee.exe	10
PID 2596 wrote to memory of 1228	2596	vohizee.exe	9
PID 2596 wrote to memory of 1228	2596	vohizee.exe	9
PID 2596 wrote to memory of 1228	2596	vohizee.exe	9
PID 2596 wrote to memory of 1228	2596	vohizee.exe	9
PID 2596 wrote to memory of 1228	2596	vohizee.exe	9
PID 2596 wrote to memory of 1264	2596	vohizee.exe	8
PID 2596 wrote to memory of 1264	2596	vohizee.exe	8
PID 2596 wrote to memory of 1264	2596	vohizee.exe	8
PID 2596 wrote to memory of 1264	2596	vohizee.exe	8
PID 2596 wrote to memory of 1264	2596	vohizee.exe	8
PID 2596 wrote to memory of 1472	2596	vohizee.exe	36
PID 2596 wrote to memory of 1472	2596	vohizee.exe	36
PID 2596 wrote to memory of 1472	2596	vohizee.exe	36
PID 2596 wrote to memory of 1472	2596	vohizee.exe	36
PID 2596 wrote to memory of 1472	2596	vohizee.exe	36
PID 2596 wrote to memory of 2888	2596	vohizee.exe	37
PID 2596 wrote to memory of 2888	2596	vohizee.exe	37
PID 2596 wrote to memory of 2888	2596	vohizee.exe	37
PID 2596 wrote to memory of 2888	2596	vohizee.exe	37
PID 2596 wrote to memory of 2888	2596	vohizee.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\38388b46b999eb04af32f6ffe5a3cb6d.exe
  "C:\Users\Admin\AppData\Local\Temp\38388b46b999eb04af32f6ffe5a3cb6d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\38388b46b999eb04af32f6ffe5a3cb6d.exe
    "C:\Users\Admin\AppData\Local\Temp\38388b46b999eb04af32f6ffe5a3cb6d.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp858b697a.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2728
  - - C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe
      "C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe
        
        "C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfd6ba8e8.bat"
      4⤵
      Deletes itself
      PID:2584

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp858b697a.bat

Filesize
202B

MD5
fe37a30274a9252dea4e5632f92f9fd9

SHA1
4f10a7299ac32200d96029b5cb3c4b8289751886

SHA256
a75ff55fa2af9d4a4ae99140f4fa2675bf9fc4441291616b6479bc9ad522da87

SHA512
43c9047101cefedde885dc4d17fbae2c4d3e92513ea5dc9241e6017b2c3373a0d013b82e93ccc7db98315a26d038e50894c128852878fef49e22f847932113ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfd6ba8e8.bat

Filesize
243B

MD5
f46489e643fa4eb0830a43c48d93aeb2

SHA1
9c8b90b984befa74eb8eda3f7981b11e07adcbb6

SHA256
7a8c13cac0b683125c11baee4dc1138d3943bdadc4d94666e5b8bb531d719008

SHA512
6ab77d50f811971bfaf98c9ec2e542d9e003d449537653ff31ca6e590121c5afb6977546d396a7927e7a3829b6b289efbe38b4325415e57167d94b0554596686

Download Submit
C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe

Filesize
1.2MB

MD5
92f1e5c99d2ea74b385c05dfd6cc694f

SHA1
d80db35ced1d671159c2c5ab9131ab7e30eac9a8

SHA256
213860c9b3b430408ad7d340c5d8f0fb064d2598624d5b9dbdf0310a500f159e

SHA512
2183fa9c13d5e252fde5e92758a9bf014067a1d313eb5cd4a309b50ef5785a348b8cc127ace4fa71d7f30db7c66c701a63644d4326ec0f1caf5a00bd39bb030e

Download Submit
C:\Users\Admin\AppData\Roaming\Tasec\vohizee.exe

Filesize
960KB

MD5
93f2964a459e1fef9cac2dafae4562ce

SHA1
6ae754ea3065392dbe8a1c8eb374445f03e3078b

SHA256
4098331fea6d5f87054574820bd840628673b8bb30b8261d2c6c66f796a9dd10

SHA512
30f33937e6595d32445532d2d6c5bf3742a012daaff427eebc61f23da4f22d9cf809995bac05b178ce71226422e286337a85124486c43def37c1dfa0f1b9893c

Download Submit
\Users\Admin\AppData\Roaming\Tasec\vohizee.exe

Filesize
1.1MB

MD5
a2f5f201606b80903294b4aae9c848f6

SHA1
b53866908e6629822fd636384c2c3ac33444e1ce

SHA256
26c3ca2db0e187e830785eda61bbc65211ce189421575284ac56bb967fc37574

SHA512
f7c60e5de96151fc4625f66b4384bef73c788a49930b8bac8d731d8c19b1496dcfdc10c23e0d07e980d83c5dfeb640e88aba5bf6bbbdbb7fa52131e4c28a3e6f

Download Submit
memory/776-3-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/776-5-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/776-6-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/776-9-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/776-12-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/776-0-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1136-50-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-45-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-43-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-47-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1136-44-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1228-55-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-53-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-56-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1228-54-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/1264-61-0x00000000029E0000-0x0000000002A07000-memory.dmp

Filesize
156KB

Download
memory/1264-62-0x00000000029E0000-0x0000000002A07000-memory.dmp

Filesize
156KB

Download
memory/1264-58-0x00000000029E0000-0x0000000002A07000-memory.dmp

Filesize
156KB

Download
memory/1264-60-0x00000000029E0000-0x0000000002A07000-memory.dmp

Filesize
156KB

Download
memory/1472-74-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1472-73-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1472-72-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1472-71-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/2500-49-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-80-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2596-85-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2676-33-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2676-31-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2676-34-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2676-40-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2676-46-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2888-77-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/2888-76-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/2888-78-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/2888-79-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download