f10d70547c4ca3090d06d7519aa8697ece88419ccfeb5b6bc9aaf2967e301980

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HH_OODefragV10_LY.exe
Size

19.3MB
MD5

67f81daa0c91fc86467e2c3b437ab2d4
SHA1

d1f1944e9ea5fcfd9f551987bc53da4f07041098
SHA256

69135826d920f833561db730919451d3253dab4c3e46d2bc33df47eb94e49d45
SHA512

7c7fd3ba59f724c1cc9596c2e068d5d697457f9c26c3d25398de63790abbbccca5e5f8de9a4f19a309e40ae0e8f5e6549a213f2476c643b1da585a912e006e98
SSDEEP

393216:GomzrBaqIKvBl8CUwFcqHDVLU7ouLPIFKVhm6ZTnqXwP0vo4cS:SbdB2CJcMDVQ8uLPlyNX20PcS

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	O&O Defrag Server Edition CHS.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	HH_OODefragV10_LY.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-0-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1756-8-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	O&O Defrag Server Edition CHS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	O&O Defrag Server Edition CHS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	O&O Defrag Server Edition CHS.exe
3040	O&O Defrag Server Edition CHS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3040	1756	HH_OODefragV10_LY.exe	28
PID 1756 wrote to memory of 3040	1756	HH_OODefragV10_LY.exe	28
PID 1756 wrote to memory of 3040	1756	HH_OODefragV10_LY.exe	28
PID 1756 wrote to memory of 3040	1756	HH_OODefragV10_LY.exe	28

C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe
"C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\GCA8E1C.tmp\O&O Defrag Server Edition CHS.exe
  "O&O Defrag Server Edition CHS.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GCA8E1C.tmp\O&O Defrag Server Edition CHS.exe

Filesize
21.4MB

MD5
acb442ab6e8161f0629b2d216ccc0185

SHA1
82d10351dce485ad6fad7aba509cf5c481e99962

SHA256
95c83bff9b8c7b12ef94db4476da99879598aa0cc193600617082901ac2b2198

SHA512
1c03f9347f45405fe3e40da31644f172f4d4a39417de158396792289fcdd83ff3e7e2442f2094e32c8f3c7e9ea95a2782e89d64012aaaaac35fc8a7c32350dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCA8E1C.tmp\O&O Defrag Server Edition CHS.exe

Filesize
20.4MB

MD5
74cb794908d0cdccdefc0cbc3d6680e2

SHA1
5b650e06d7d8a8f2b953d52d7368f2b4adb7bbcd

SHA256
006d09bd8992ed1c7b92fc523702ca46f8aea549eb7af8d49277a885d0c0acb4

SHA512
7f9bef4fea268d6ea492627f8ff3ecba7b6b9e251756ce3b74e113966f62072262de250eae849c4f44a3819a58670040b25e2bccf162fbd9c254f30f3f114105

Download Submit
\Users\Admin\AppData\Local\Temp\GCA8E1C.tmp\O&O Defrag Server Edition CHS.exe

Filesize
5.1MB

MD5
e753202678c30a5f7c9aa1a4c98ce815

SHA1
d86d199e0c7a12378f8f4df72c0e88c6907c6bb0

SHA256
f3a91a818e2c9307dd82eacd33526c9949e8e1771bd501da969331e0018b4caf

SHA512
cd920bfc247a6d82fbfe9c510b60cef41d509d6cdd4cd69ebed6ecfce2a5e426b76543d48a15355ec74915839c9204904024467a29444d356028982aa39e721b

Download Submit
memory/1756-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1756-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3040-24-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download