b9dfb3078612dc7d47c58e0e0a595c6ce4892a12789eae7e8d88765cc9434052

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5e9622bc3d49f7868f18f9f9001fb3.exe
Size

293KB
MD5

4b5e9622bc3d49f7868f18f9f9001fb3
SHA1

17c4663d0576ca485219f928ca1654ad042f9351
SHA256

b9dfb3078612dc7d47c58e0e0a595c6ce4892a12789eae7e8d88765cc9434052
SHA512

5d292a6082ff8a673e19455a9c69da5626bfda03b01064e1bd039dd661a06a8208302b42fb9689f12e68d496367ad7a35cd113771de47310fa03f81b517d4d5c
SSDEEP

6144:VPdMyMANEVzGlcEDUl4qaRYVQ6JTGbusJRhgnGXcLD7Xm2BeddhMHHY/9:5NEh8cSLqd5sisDhgnGQBBedDMnYl

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

orex.exe

pid process

2196 orex.exe
Loads dropped DLL 2 IoCs

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exe

pid process

2928 4b5e9622bc3d49f7868f18f9f9001fb3.exe
2928 4b5e9622bc3d49f7868f18f9f9001fb3.exe

pid	process
2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe
2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

orex.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E705BD28-DA76-AD4E-D262-B4D1F82197CC} = "C:\\Users\\Admin\\AppData\\Roaming\\Umav\\orex.exe"	orex.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exe

description pid process target process

PID 2928 set thread context of 1632 2928 4b5e9622bc3d49f7868f18f9f9001fb3.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1424 1632 WerFault.exe cmd.exe

description	pid	process	target process
PID 2928 set thread context of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe

pid	pid_target	process	target process
1424	1632	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy	4b5e9622bc3d49f7868f18f9f9001fb3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4b5e9622bc3d49f7868f18f9f9001fb3.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

orex.exe

pid	process
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe
2196	orex.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exe

description	pid	process
Token: SeSecurityPrivilege	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe
Token: SeSecurityPrivilege	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe
Token: SeSecurityPrivilege	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exeorex.exe

pid process

2928 4b5e9622bc3d49f7868f18f9f9001fb3.exe
2196 orex.exe

pid	process
2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe
2196	orex.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

4b5e9622bc3d49f7868f18f9f9001fb3.exeorex.execmd.exe

description	pid	process	target process
PID 2928 wrote to memory of 2196	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	orex.exe
PID 2928 wrote to memory of 2196	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	orex.exe
PID 2928 wrote to memory of 2196	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	orex.exe
PID 2928 wrote to memory of 2196	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	orex.exe
PID 2196 wrote to memory of 1228	2196	orex.exe	taskhost.exe
PID 2196 wrote to memory of 1228	2196	orex.exe	taskhost.exe
PID 2196 wrote to memory of 1228	2196	orex.exe	taskhost.exe
PID 2196 wrote to memory of 1228	2196	orex.exe	taskhost.exe
PID 2196 wrote to memory of 1228	2196	orex.exe	taskhost.exe
PID 2196 wrote to memory of 1320	2196	orex.exe	Dwm.exe
PID 2196 wrote to memory of 1320	2196	orex.exe	Dwm.exe
PID 2196 wrote to memory of 1320	2196	orex.exe	Dwm.exe
PID 2196 wrote to memory of 1320	2196	orex.exe	Dwm.exe
PID 2196 wrote to memory of 1320	2196	orex.exe	Dwm.exe
PID 2196 wrote to memory of 1368	2196	orex.exe	Explorer.EXE
PID 2196 wrote to memory of 1368	2196	orex.exe	Explorer.EXE
PID 2196 wrote to memory of 1368	2196	orex.exe	Explorer.EXE
PID 2196 wrote to memory of 1368	2196	orex.exe	Explorer.EXE
PID 2196 wrote to memory of 1368	2196	orex.exe	Explorer.EXE
PID 2196 wrote to memory of 1948	2196	orex.exe	DllHost.exe
PID 2196 wrote to memory of 1948	2196	orex.exe	DllHost.exe
PID 2196 wrote to memory of 1948	2196	orex.exe	DllHost.exe
PID 2196 wrote to memory of 1948	2196	orex.exe	DllHost.exe
PID 2196 wrote to memory of 1948	2196	orex.exe	DllHost.exe
PID 2196 wrote to memory of 2928	2196	orex.exe	4b5e9622bc3d49f7868f18f9f9001fb3.exe
PID 2196 wrote to memory of 2928	2196	orex.exe	4b5e9622bc3d49f7868f18f9f9001fb3.exe
PID 2196 wrote to memory of 2928	2196	orex.exe	4b5e9622bc3d49f7868f18f9f9001fb3.exe
PID 2196 wrote to memory of 2928	2196	orex.exe	4b5e9622bc3d49f7868f18f9f9001fb3.exe
PID 2196 wrote to memory of 2928	2196	orex.exe	4b5e9622bc3d49f7868f18f9f9001fb3.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 2928 wrote to memory of 1632	2928	4b5e9622bc3d49f7868f18f9f9001fb3.exe	cmd.exe
PID 1632 wrote to memory of 1424	1632	cmd.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	cmd.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	cmd.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	cmd.exe	WerFault.exe
PID 2196 wrote to memory of 1924	2196	orex.exe	conhost.exe
PID 2196 wrote to memory of 1924	2196	orex.exe	conhost.exe
PID 2196 wrote to memory of 1924	2196	orex.exe	conhost.exe
PID 2196 wrote to memory of 1924	2196	orex.exe	conhost.exe
PID 2196 wrote to memory of 1924	2196	orex.exe	conhost.exe
PID 2196 wrote to memory of 1424	2196	orex.exe	WerFault.exe
PID 2196 wrote to memory of 1424	2196	orex.exe	WerFault.exe
PID 2196 wrote to memory of 1424	2196	orex.exe	WerFault.exe
PID 2196 wrote to memory of 1424	2196	orex.exe	WerFault.exe
PID 2196 wrote to memory of 1424	2196	orex.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3.exe
"C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Roaming\Umav\orex.exe
"C:\Users\Admin\AppData\Roaming\Umav\orex.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe2112b20.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 112
3⤵
- Program crash
PID:1424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21100968441493804971153305481312558690671390480969-682573411913778802503913378"
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Axib\exec.yke

Filesize
366B

MD5
8e7d51b5204768f6ab8079e10124cb48

SHA1
a6c40eca0692602d890fd3c236594282c9187718

SHA256
6ba81741afe6069445d31192fa784642b9e48d2d5f29935bcb629f38e81cdef3

SHA512
930b5d731c896aa10d1636cb7903293606a4436792d5f1b6d3a9bd28b60af15231ad885f728320eff3237e50bc274fc1f3cc77c2c74309244e9522c6dbdeffd4

Download Submit
C:\Users\Admin\AppData\Roaming\Umav\orex.exe

Filesize
111KB

MD5
5178376d3009156f49ac214ab9904947

SHA1
245ecd974c5187b14f948f642fa6a6c0b157e502

SHA256
ff0f363ab332b2654ca2260b88af0754df9bb4594d4c981b4dc3a547670c81b4

SHA512
66228186286de53dadc406ead149c32d03475e56f3f5092ac3f1bb5731b23df267462b799c54fa373e1896491d50b61ffd387d9133b234ad2d141cbed289430a

Download Submit
C:\Users\Admin\AppData\Roaming\Umav\orex.exe

Filesize
285KB

MD5
06b2a14b21b53084cb608722b00429d1

SHA1
758b30663174b72843f41e53bf1b7824854ef761

SHA256
52991c4b3ae1e962fac1cd40c0a8c0e82195015c6471dff99a154b70774516ec

SHA512
6ba21210a985d1f6bfab9bc8a5cc54454f935777a026b4e7b726a36b47bb147eb62f9aa2f2a09d62629aaff37e960d5d677b81aa9542b90630309f31e79ecc96

Download Submit
C:\Users\Admin\AppData\Roaming\Umav\orex.exe

Filesize
94KB

MD5
85d51485736cc261e8fcaac03f17c14c

SHA1
ec4a153eb2e8933df76eb13a71db22b95dac1900

SHA256
a2544ce72f5795eae6ee20246c31413bc27334f0e54c3b506ab9dfe1e9db7a81

SHA512
d0e879837e57f336072c42f7fd3a0f53ecd8a77ac5c39fd2b06f6924b910b776ba80092ca706bb9a2a46f645c32d8ddf9d8a01e4cdd925ec1a1a56928b59d9ca

Download Submit
\Users\Admin\AppData\Roaming\Umav\orex.exe

Filesize
80KB

MD5
b747bb029b89c0ab6a643d48960ac3f3

SHA1
9df205a5033f24400010aaadf34eca670be0fe39

SHA256
8bce7418468ec3389b493e6c6c7e56ce1a0f4e2c022e487e9ec0c20b3baf0023

SHA512
aecccc4b4b1691aa7470aaca73dd4c05e237c90d7051be3766078443f37c6ce6d2d2016e0c7df71edadcdbe94b2285b9e62ef881131d4d94bb5281c4b9eb47fa

Download Submit
\Users\Admin\AppData\Roaming\Umav\orex.exe

Filesize
271KB

MD5
cd21ba2283f1abbbab329283291f2ade

SHA1
b640dd7480cf0495a8e03b74da9c9f0f65e488f3

SHA256
22065c4a2c2e327310c204de2cf034a85173f5c6c27d061e80691ec4d9713b5e

SHA512
e52f697f18ffc71d7b387c68a3a6b0d6b48d20c92bb4f0ebd948e51a6287180c3757469a7a0b222da3b3c9d1aa3b68340c511d2d86f4a6549f22fc065d90c20c

Download Submit
memory/1228-27-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1228-25-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1228-23-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1228-21-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1228-19-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1320-33-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1320-31-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1320-37-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1320-35-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1368-43-0x0000000002900000-0x0000000002941000-memory.dmp

Filesize
260KB

Download
memory/1368-42-0x0000000002900000-0x0000000002941000-memory.dmp

Filesize
260KB

Download
memory/1368-40-0x0000000002900000-0x0000000002941000-memory.dmp

Filesize
260KB

Download
memory/1368-41-0x0000000002900000-0x0000000002941000-memory.dmp

Filesize
260KB

Download
memory/1424-281-0x0000000000B70000-0x0000000000BB1000-memory.dmp

Filesize
260KB

Download
memory/1424-285-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1424-283-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/1424-290-0x0000000000B70000-0x0000000000BB1000-memory.dmp

Filesize
260KB

Download
memory/1948-48-0x0000000001BA0000-0x0000000001BE1000-memory.dmp

Filesize
260KB

Download
memory/1948-47-0x0000000001BA0000-0x0000000001BE1000-memory.dmp

Filesize
260KB

Download
memory/1948-46-0x0000000001BA0000-0x0000000001BE1000-memory.dmp

Filesize
260KB

Download
memory/1948-45-0x0000000001BA0000-0x0000000001BE1000-memory.dmp

Filesize
260KB

Download
memory/2196-287-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2196-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-15-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2196-286-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2196-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-16-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2928-173-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2928-50-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-51-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-52-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-54-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-55-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-57-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-59-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-61-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-63-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-65-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-69-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-73-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-75-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-77-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-172-0x0000000000310000-0x000000000035B000-memory.dmp

Filesize
300KB

Download
memory/2928-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2928-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-175-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-79-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-1-0x0000000000310000-0x000000000035B000-memory.dmp

Filesize
300KB

Download
memory/2928-81-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-149-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-71-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/2928-70-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-67-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2928-53-0x00000000022F0000-0x0000000002331000-memory.dmp

Filesize
260KB

Download
memory/2928-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download