24bfb8878c1c000adb90e508cfadee23e4d2750954bd1ab21bec2ae8acde2620

General

Target

3ea72dd4bbbfaab102a73c412c266809.exe
Size

136KB
MD5

3ea72dd4bbbfaab102a73c412c266809
SHA1

2157bb5dbb0d802161e6922fa4f87a5128d7935f
SHA256

24bfb8878c1c000adb90e508cfadee23e4d2750954bd1ab21bec2ae8acde2620
SHA512

31c7a01040ee9025e8ff604e4743ab90adcc9dfb0ae453bdd918f960dc9eebfd378b56f10f55c89e5af269ff5587db6cea489ba9588604c17c8d08728eaeead9
SSDEEP

3072:RGqn9XQqXTcjeJ0MjH80NSsdL8NEI20tG+Tx7NEMtn3KYUvwcsL:wikez7voNA0tDTt6MoYWwc0

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1640 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ogyxoqu.exe

pid process

860 ogyxoqu.exe
Loads dropped DLL 2 IoCs

Processes:

3ea72dd4bbbfaab102a73c412c266809.exe

pid process

2532 3ea72dd4bbbfaab102a73c412c266809.exe
2532 3ea72dd4bbbfaab102a73c412c266809.exe

pid	process
1640	cmd.exe

pid	process
2532	3ea72dd4bbbfaab102a73c412c266809.exe
2532	3ea72dd4bbbfaab102a73c412c266809.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ogyxoqu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4051947-D183-39F6-FA8B-B5022D638059} = "C:\\Users\\Admin\\AppData\\Roaming\\Enlydey\\ogyxoqu.exe"	ogyxoqu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ea72dd4bbbfaab102a73c412c266809.exe

description pid process target process

PID 2532 set thread context of 1640 2532 3ea72dd4bbbfaab102a73c412c266809.exe cmd.exe

description	pid	process	target process
PID 2532 set thread context of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

3ea72dd4bbbfaab102a73c412c266809.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	3ea72dd4bbbfaab102a73c412c266809.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3ea72dd4bbbfaab102a73c412c266809.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\14A36849-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

ogyxoqu.exe

pid	process
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe
860	ogyxoqu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3ea72dd4bbbfaab102a73c412c266809.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2532	3ea72dd4bbbfaab102a73c412c266809.exe
Token: SeSecurityPrivilege	2532	3ea72dd4bbbfaab102a73c412c266809.exe
Token: SeSecurityPrivilege	2532	3ea72dd4bbbfaab102a73c412c266809.exe
Token: SeManageVolumePrivilege	2236	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

2236 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

2236 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2236 WinMail.exe

pid	process
2236	WinMail.exe

pid	process
2236	WinMail.exe

pid	process
2236	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

3ea72dd4bbbfaab102a73c412c266809.exeogyxoqu.exe

description	pid	process	target process
PID 2532 wrote to memory of 860	2532	3ea72dd4bbbfaab102a73c412c266809.exe	ogyxoqu.exe
PID 2532 wrote to memory of 860	2532	3ea72dd4bbbfaab102a73c412c266809.exe	ogyxoqu.exe
PID 2532 wrote to memory of 860	2532	3ea72dd4bbbfaab102a73c412c266809.exe	ogyxoqu.exe
PID 2532 wrote to memory of 860	2532	3ea72dd4bbbfaab102a73c412c266809.exe	ogyxoqu.exe
PID 860 wrote to memory of 1108	860	ogyxoqu.exe	taskhost.exe
PID 860 wrote to memory of 1108	860	ogyxoqu.exe	taskhost.exe
PID 860 wrote to memory of 1108	860	ogyxoqu.exe	taskhost.exe
PID 860 wrote to memory of 1108	860	ogyxoqu.exe	taskhost.exe
PID 860 wrote to memory of 1108	860	ogyxoqu.exe	taskhost.exe
PID 860 wrote to memory of 1164	860	ogyxoqu.exe	Dwm.exe
PID 860 wrote to memory of 1164	860	ogyxoqu.exe	Dwm.exe
PID 860 wrote to memory of 1164	860	ogyxoqu.exe	Dwm.exe
PID 860 wrote to memory of 1164	860	ogyxoqu.exe	Dwm.exe
PID 860 wrote to memory of 1164	860	ogyxoqu.exe	Dwm.exe
PID 860 wrote to memory of 1196	860	ogyxoqu.exe	Explorer.EXE
PID 860 wrote to memory of 1196	860	ogyxoqu.exe	Explorer.EXE
PID 860 wrote to memory of 1196	860	ogyxoqu.exe	Explorer.EXE
PID 860 wrote to memory of 1196	860	ogyxoqu.exe	Explorer.EXE
PID 860 wrote to memory of 1196	860	ogyxoqu.exe	Explorer.EXE
PID 860 wrote to memory of 1332	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1332	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1332	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1332	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1332	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2532	860	ogyxoqu.exe	3ea72dd4bbbfaab102a73c412c266809.exe
PID 860 wrote to memory of 2532	860	ogyxoqu.exe	3ea72dd4bbbfaab102a73c412c266809.exe
PID 860 wrote to memory of 2532	860	ogyxoqu.exe	3ea72dd4bbbfaab102a73c412c266809.exe
PID 860 wrote to memory of 2532	860	ogyxoqu.exe	3ea72dd4bbbfaab102a73c412c266809.exe
PID 860 wrote to memory of 2532	860	ogyxoqu.exe	3ea72dd4bbbfaab102a73c412c266809.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 2532 wrote to memory of 1640	2532	3ea72dd4bbbfaab102a73c412c266809.exe	cmd.exe
PID 860 wrote to memory of 1988	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1988	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1988	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1988	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 1988	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2020	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2020	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2020	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2020	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2020	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2808	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2808	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2808	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2808	860	ogyxoqu.exe	DllHost.exe
PID 860 wrote to memory of 2808	860	ogyxoqu.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\3ea72dd4bbbfaab102a73c412c266809.exe
"C:\Users\Admin\AppData\Local\Temp\3ea72dd4bbbfaab102a73c412c266809.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Roaming\Enlydey\ogyxoqu.exe
"C:\Users\Admin\AppData\Roaming\Enlydey\ogyxoqu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3d172eaf.bat"
3⤵
- Deletes itself
PID:1640

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
794dfc2e5ffc8d2082f0066a4189e064

SHA1
c94bbf9c174ecbcd02d234fa6a57c0546d6a3462

SHA256
5df5b4dc539cfd0ea663f1ffe59097187f517b71604ef8689402431d798ab6ec

SHA512
2e8140a947a94819f4fe047baf63a17367127e5bc43b0c17d7b572fd94c10e68bac99fa125e60641748db606562ea0151df6b7a79fbd6c6cf05717793d038f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3d172eaf.bat
Filesize
243B

MD5
e5a0f8d3100d538b091115cf255645c4

SHA1
031639175455e8c97915eb851edf2fdc9a038368

SHA256
86544dc03a5d90d7e3f630e573f497bb682d6150a2348546025a1da2fe0be3bf

SHA512
2a377843c504033365a792d60ab7aa159773b7dcd75abd7374cbc17a3fe481e2062efd5345f0aa2ac3ed52087c23e754751321ea29d60d145c515a71cb0200ef

Download Submit
C:\Users\Admin\AppData\Roaming\Eqeltyy\kynyha.ozr
Filesize
366B

MD5
d0890f3ca5865a7c1f2b5deca166fc3b

SHA1
a0dfa4ad9b295c08a56f4d7a5e95a41eb9f2f020

SHA256
5536526002cd343ffb0ef1df4bb4cac09199d0a634ae424a20c6a1fd6976820e

SHA512
30634d72e47107d0c21011802be9f8356fa42ff2b9e08adf01d13ca43688694e404fab51b259e36892ff32d9911ce6bb7d716ad7a9cf898b790ba51d8b139dc3

Download Submit
\Users\Admin\AppData\Roaming\Enlydey\ogyxoqu.exe
Filesize
136KB

MD5
f4baa66a0e1b59038fa41314d056560d

SHA1
30ffa5a52623da8bd7fe90ad5ad2600cee6f6554

SHA256
d7701b85d8294923bb3f468bdc726fc99aa9b18e82e2cf91619482a13d4d26de

SHA512
9f25324cdef12853620c2c1c87b3fe9871d5b4206bd07f453914d6a498ed4839c695a224a8353c1b6f9aaf863ebbb00e17a599722d79f0cd4bd6368889695ebf

Download Submit
memory/860-12-0x0000000001DD0000-0x0000000001DF0000-memory.dmp

Filesize
128KB

Download
memory/860-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/860-327-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-18-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1108-17-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1108-15-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1108-19-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1108-16-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1164-21-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1164-22-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1164-23-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1164-24-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1196-26-0x0000000002D70000-0x0000000002D97000-memory.dmp

Filesize
156KB

Download
memory/1196-27-0x0000000002D70000-0x0000000002D97000-memory.dmp

Filesize
156KB

Download
memory/1196-28-0x0000000002D70000-0x0000000002D97000-memory.dmp

Filesize
156KB

Download
memory/1196-29-0x0000000002D70000-0x0000000002D97000-memory.dmp

Filesize
156KB

Download
memory/1332-32-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/1332-34-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/1332-33-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/1332-31-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/1640-314-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1640-315-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-287-0x0000000077BF0000-0x0000000077BF1000-memory.dmp

Filesize
4KB

Download
memory/1640-221-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2532-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-37-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-44-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-46-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-48-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-50-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-52-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-54-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-56-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-62-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-66-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-36-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-75-0x0000000077BF0000-0x0000000077BF1000-memory.dmp

Filesize
4KB

Download
memory/2532-74-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-77-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-79-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-38-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-134-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2532-219-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2532-220-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-39-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-40-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-41-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2532-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2532-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2532-0-0x0000000001E30000-0x0000000001E50000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads