Analysis

max time kernel: 149s
max time network: 136s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-01-2024 11:57

Static task: static1
Behavioral task: behavioral1
  Sample: 4b5e9622bc3d49f7868f18f9f9001fb3.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4b5e9622bc3d49f7868f18f9f9001fb3.exe
  Resource: win10v2004-20231215-en
General

Target: 4b5e9622bc3d49f7868f18f9f9001fb3.exe
Size: 293KB
MD5: 4b5e9622bc3d49f7868f18f9f9001fb3
SHA1: 17c4663d0576ca485219f928ca1654ad042f9351
SHA256: b9dfb3078612dc7d47c58e0e0a595c6ce4892a12789eae7e8d88765cc9434052
SHA512: 5d292a6082ff8a673e19455a9c69da5626bfda03b01064e1bd039dd661a06a8208302b42fb9689f12e68d496367ad7a35cd113771de47310fa03f81b517d4d5c
SSDEEP: 6144:VPdMyMANEVzGlcEDUl4qaRYVQ6JTGbusJRhgnGXcLD7Xm2BeddhMHHY/9:5NEh8cSLqd5sisDhgnGQBBedDMnYl
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: orex.exe (PID 2196)

Loads dropped DLL (2 IoCs)
  Processes: 4b5e9622bc3d49f7868f18f9f9001fb3.exe (PID 2928), 2 occurrences

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: orex.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E705BD28-DA76-AD4E-D262-B4D1F82197CC} = "C:\\Users\\Admin\\AppData\\Roaming\\Umav\\orex.exe"

Suspicious use of SetThreadContext (1 IoC)
  PID 2928 (4b5e9622bc3d49f7868f18f9f9001fb3.exe) set thread context of PID 1632 (cmd.exe)

Program crash (1 IoC)
  PID 1424 (WerFault.exe), target PID 1632 (cmd.exe)
Modifies Internet Explorer settings
  Process: 4b5e9622bc3d49f7868f18f9f9001fb3.exe
  Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy
  Set value (int): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes: orex.exe (PID 2196), 32 occurrences

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  4b5e9622bc3d49f7868f18f9f9001fb3.exe (PID 2928): Token: SeSecurityPrivilege, 3 occurrences

Suspicious use of UnmapMainImage (2 IoCs)
  Processes: 4b5e9622bc3d49f7868f18f9f9001fb3.exe (PID 2928), orex.exe (PID 2196)

Suspicious use of WriteProcessMemory (52 IoCs)
  Source PID (process) -> target PID (process): occurrences
  2928 (4b5e9622bc3d49f7868f18f9f9001fb3.exe) -> 2196 (orex.exe): 4
  2196 (orex.exe) -> 1228 (taskhost.exe): 5
  2196 (orex.exe) -> 1320 (Dwm.exe): 5
  2196 (orex.exe) -> 1368 (Explorer.EXE): 5
  2196 (orex.exe) -> 1948 (DllHost.exe): 5
  2196 (orex.exe) -> 2928 (4b5e9622bc3d49f7868f18f9f9001fb3.exe): 5
  2928 (4b5e9622bc3d49f7868f18f9f9001fb3.exe) -> 1632 (cmd.exe): 9
  1632 (cmd.exe) -> 1424 (WerFault.exe): 4
  2196 (orex.exe) -> 1924 (conhost.exe): 5
  2196 (orex.exe) -> 1424 (WerFault.exe): 5
Processes

C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3.exe (PID 2928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Umav\orex.exe (PID 2196)
    Command line: "C:\Users\Admin\AppData\Roaming\Umav\orex.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1632)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe2112b20.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 1424)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 112
      - Program crash

C:\Windows\system32\DllHost.exe (PID 1948)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE (PID 1368)
  Command line: C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe (PID 1320)
  Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe (PID 1228)
  Command line: "taskhost.exe"

C:\Windows\system32\conhost.exe (PID 1924)
  Command line: \??\C:\Windows\system32\conhost.exe "-21100968441493804971153305481312558690671390480969-682573411913778802503913378"
Network
MITRE ATT&CK Enterprise v15
Downloads