5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050

General

Target

0a646c7eddb377017672fd782a89c081.exe
Size

323KB
MD5

0a646c7eddb377017672fd782a89c081
SHA1

e39e1758fbb1a10b94e1e5dfdd2a6849fa66901e
SHA256

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050
SHA512

50dbe326b60716554615daf9cf68f82a189d67bb3f84739251d8aa85ca1ea282e8a2d017dd04d6b4edf907f415979589b19a0aa8fcfd72b1f34edb96628580b9
SSDEEP

6144:Dqfawfwd99vxoYC7+Li9IBCiiortLeY9ZvLmE7JWAN:Wfaos9DodvorsYzCQJBN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uhis.exe

pid process

2832 uhis.exe
Loads dropped DLL 4 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exeuhis.exe

pid process

2080 0a646c7eddb377017672fd782a89c081.exe
2832 uhis.exe
2832 uhis.exe
2832 uhis.exe

pid	process
2080	0a646c7eddb377017672fd782a89c081.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uhis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\{99FD42C8-CEFB-AD4E-9644-6D1A8CD24E07} = "C:\\Users\\Admin\\AppData\\Roaming\\Rour\\uhis.exe"	uhis.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exe

description pid process target process

PID 2080 set thread context of 796 2080 0a646c7eddb377017672fd782a89c081.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 796 WerFault.exe cmd.exe

description	pid	process	target process
PID 2080 set thread context of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe

pid	pid_target	process	target process
1984	796	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

0a646c7eddb377017672fd782a89c081.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	0a646c7eddb377017672fd782a89c081.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0a646c7eddb377017672fd782a89c081.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

uhis.exe

pid	process
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe
2832	uhis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exe

description	pid	process
Token: SeSecurityPrivilege	2080	0a646c7eddb377017672fd782a89c081.exe
Token: SeSecurityPrivilege	2080	0a646c7eddb377017672fd782a89c081.exe
Token: SeSecurityPrivilege	2080	0a646c7eddb377017672fd782a89c081.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exeuhis.exe

pid process

2080 0a646c7eddb377017672fd782a89c081.exe
2832 uhis.exe

pid	process
2080	0a646c7eddb377017672fd782a89c081.exe
2832	uhis.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exeuhis.execmd.exe

description	pid	process	target process
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2080 wrote to memory of 2832	2080	0a646c7eddb377017672fd782a89c081.exe	uhis.exe
PID 2832 wrote to memory of 1072	2832	uhis.exe	taskhost.exe
PID 2832 wrote to memory of 1072	2832	uhis.exe	taskhost.exe
PID 2832 wrote to memory of 1072	2832	uhis.exe	taskhost.exe
PID 2832 wrote to memory of 1072	2832	uhis.exe	taskhost.exe
PID 2832 wrote to memory of 1072	2832	uhis.exe	taskhost.exe
PID 2832 wrote to memory of 1116	2832	uhis.exe	Dwm.exe
PID 2832 wrote to memory of 1116	2832	uhis.exe	Dwm.exe
PID 2832 wrote to memory of 1116	2832	uhis.exe	Dwm.exe
PID 2832 wrote to memory of 1116	2832	uhis.exe	Dwm.exe
PID 2832 wrote to memory of 1116	2832	uhis.exe	Dwm.exe
PID 2832 wrote to memory of 1140	2832	uhis.exe	Explorer.EXE
PID 2832 wrote to memory of 1140	2832	uhis.exe	Explorer.EXE
PID 2832 wrote to memory of 1140	2832	uhis.exe	Explorer.EXE
PID 2832 wrote to memory of 1140	2832	uhis.exe	Explorer.EXE
PID 2832 wrote to memory of 1140	2832	uhis.exe	Explorer.EXE
PID 2832 wrote to memory of 1588	2832	uhis.exe	DllHost.exe
PID 2832 wrote to memory of 1588	2832	uhis.exe	DllHost.exe
PID 2832 wrote to memory of 1588	2832	uhis.exe	DllHost.exe
PID 2832 wrote to memory of 1588	2832	uhis.exe	DllHost.exe
PID 2832 wrote to memory of 1588	2832	uhis.exe	DllHost.exe
PID 2832 wrote to memory of 2080	2832	uhis.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2832 wrote to memory of 2080	2832	uhis.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2832 wrote to memory of 2080	2832	uhis.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2832 wrote to memory of 2080	2832	uhis.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2832 wrote to memory of 2080	2832	uhis.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2080 wrote to memory of 796	2080	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 796 wrote to memory of 1984	796	cmd.exe	WerFault.exe
PID 2832 wrote to memory of 1132	2832	uhis.exe	conhost.exe
PID 2832 wrote to memory of 1132	2832	uhis.exe	conhost.exe
PID 2832 wrote to memory of 1132	2832	uhis.exe	conhost.exe
PID 2832 wrote to memory of 1132	2832	uhis.exe	conhost.exe
PID 2832 wrote to memory of 1132	2832	uhis.exe	conhost.exe
PID 2832 wrote to memory of 1984	2832	uhis.exe	WerFault.exe
PID 2832 wrote to memory of 1984	2832	uhis.exe	WerFault.exe
PID 2832 wrote to memory of 1984	2832	uhis.exe	WerFault.exe
PID 2832 wrote to memory of 1984	2832	uhis.exe	WerFault.exe
PID 2832 wrote to memory of 1984	2832	uhis.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0a646c7eddb377017672fd782a89c081.exe
"C:\Users\Admin\AppData\Local\Temp\0a646c7eddb377017672fd782a89c081.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp54b7b187.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 272
3⤵
- Program crash
PID:1984

C:\Users\Admin\AppData\Roaming\Rour\uhis.exe
"C:\Users\Admin\AppData\Roaming\Rour\uhis.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1588

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1116

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-845709972-2939177632099109353-453192087-497321901-1391067799-780358365-1213839394"
1⤵
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-24-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1072-20-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1072-26-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1072-17-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1072-22-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1116-35-0x0000000001FD0000-0x0000000002011000-memory.dmp

Filesize
260KB

Download
memory/1116-33-0x0000000001FD0000-0x0000000002011000-memory.dmp

Filesize
260KB

Download
memory/1116-31-0x0000000001FD0000-0x0000000002011000-memory.dmp

Filesize
260KB

Download
memory/1116-29-0x0000000001FD0000-0x0000000002011000-memory.dmp

Filesize
260KB

Download
memory/1140-38-0x0000000002D30000-0x0000000002D71000-memory.dmp

Filesize
260KB

Download
memory/1140-39-0x0000000002D30000-0x0000000002D71000-memory.dmp

Filesize
260KB

Download
memory/1140-40-0x0000000002D30000-0x0000000002D71000-memory.dmp

Filesize
260KB

Download
memory/1140-41-0x0000000002D30000-0x0000000002D71000-memory.dmp

Filesize
260KB

Download
memory/1588-45-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1588-49-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1588-43-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1588-47-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1984-294-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1984-292-0x0000000077C50000-0x0000000077C51000-memory.dmp

Filesize
4KB

Download
memory/1984-291-0x0000000000410000-0x0000000000451000-memory.dmp

Filesize
260KB

Download
memory/1984-299-0x0000000000410000-0x0000000000451000-memory.dmp

Filesize
260KB

Download
memory/2080-194-0x0000000000560000-0x00000000005B3000-memory.dmp

Filesize
332KB

Download
memory/2080-196-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-54-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-53-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-56-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-58-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-59-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-61-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-63-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-65-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-67-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-69-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-71-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000560000-0x00000000005B3000-memory.dmp

Filesize
332KB

Download
memory/2080-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-55-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-73-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-75-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-77-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2080-57-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2080-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-0-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/2080-79-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2832-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-15-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2832-296-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2832-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-19-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads