aff31cff567948ba4ae2144bbcc562a4d3ab115f7e8b00482414b81ebf40a543

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518c295dd4bc20e300c2bf5fe3bd540a.exe
Size

262KB
MD5

518c295dd4bc20e300c2bf5fe3bd540a
SHA1

845c6ddc19e0dad406a3cd96cb416080d196989d
SHA256

aff31cff567948ba4ae2144bbcc562a4d3ab115f7e8b00482414b81ebf40a543
SHA512

02ca9a41141c31a205c2f3ea4782d3135910aaa7434dd87a3d8b4866b889873aa00fe5449fea782641a74fd5edc9433303b9e4c7b8f49b0f4997ede7a41f9217
SSDEEP

6144:758Gp+df0afmVTRMdwdpn94sLrNXel9ibb98+MAAD:F8YkfXf4TRME94svNuzibb9Z+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wiah.exe

pid process

2364 wiah.exe
Loads dropped DLL 1 IoCs

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exe

pid process

2168 518c295dd4bc20e300c2bf5fe3bd540a.exe

pid	process
2168	518c295dd4bc20e300c2bf5fe3bd540a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wiah.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F08D48C8-DA76-AD4E-F540-ECC2E1DBCFDF} = "C:\\Users\\Admin\\AppData\\Roaming\\Otkyi\\wiah.exe"	wiah.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exe

description pid process target process

PID 2168 set thread context of 2164 2168 518c295dd4bc20e300c2bf5fe3bd540a.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1676 2164 WerFault.exe cmd.exe

description	pid	process	target process
PID 2168 set thread context of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe

pid	pid_target	process	target process
1676	2164	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	518c295dd4bc20e300c2bf5fe3bd540a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	518c295dd4bc20e300c2bf5fe3bd540a.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

wiah.exe

pid	process
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe
2364	wiah.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exe

description	pid	process
Token: SeSecurityPrivilege	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe
Token: SeSecurityPrivilege	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe
Token: SeSecurityPrivilege	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exewiah.exe

pid process

2168 518c295dd4bc20e300c2bf5fe3bd540a.exe
2364 wiah.exe

pid	process
2168	518c295dd4bc20e300c2bf5fe3bd540a.exe
2364	wiah.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

518c295dd4bc20e300c2bf5fe3bd540a.exewiah.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 2364	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	wiah.exe
PID 2168 wrote to memory of 2364	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	wiah.exe
PID 2168 wrote to memory of 2364	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	wiah.exe
PID 2168 wrote to memory of 2364	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	wiah.exe
PID 2364 wrote to memory of 1120	2364	wiah.exe	taskhost.exe
PID 2364 wrote to memory of 1120	2364	wiah.exe	taskhost.exe
PID 2364 wrote to memory of 1120	2364	wiah.exe	taskhost.exe
PID 2364 wrote to memory of 1120	2364	wiah.exe	taskhost.exe
PID 2364 wrote to memory of 1120	2364	wiah.exe	taskhost.exe
PID 2364 wrote to memory of 1224	2364	wiah.exe	Dwm.exe
PID 2364 wrote to memory of 1224	2364	wiah.exe	Dwm.exe
PID 2364 wrote to memory of 1224	2364	wiah.exe	Dwm.exe
PID 2364 wrote to memory of 1224	2364	wiah.exe	Dwm.exe
PID 2364 wrote to memory of 1224	2364	wiah.exe	Dwm.exe
PID 2364 wrote to memory of 1256	2364	wiah.exe	Explorer.EXE
PID 2364 wrote to memory of 1256	2364	wiah.exe	Explorer.EXE
PID 2364 wrote to memory of 1256	2364	wiah.exe	Explorer.EXE
PID 2364 wrote to memory of 1256	2364	wiah.exe	Explorer.EXE
PID 2364 wrote to memory of 1256	2364	wiah.exe	Explorer.EXE
PID 2364 wrote to memory of 1652	2364	wiah.exe	DllHost.exe
PID 2364 wrote to memory of 1652	2364	wiah.exe	DllHost.exe
PID 2364 wrote to memory of 1652	2364	wiah.exe	DllHost.exe
PID 2364 wrote to memory of 1652	2364	wiah.exe	DllHost.exe
PID 2364 wrote to memory of 1652	2364	wiah.exe	DllHost.exe
PID 2364 wrote to memory of 2168	2364	wiah.exe	518c295dd4bc20e300c2bf5fe3bd540a.exe
PID 2364 wrote to memory of 2168	2364	wiah.exe	518c295dd4bc20e300c2bf5fe3bd540a.exe
PID 2364 wrote to memory of 2168	2364	wiah.exe	518c295dd4bc20e300c2bf5fe3bd540a.exe
PID 2364 wrote to memory of 2168	2364	wiah.exe	518c295dd4bc20e300c2bf5fe3bd540a.exe
PID 2364 wrote to memory of 2168	2364	wiah.exe	518c295dd4bc20e300c2bf5fe3bd540a.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2168 wrote to memory of 2164	2168	518c295dd4bc20e300c2bf5fe3bd540a.exe	cmd.exe
PID 2164 wrote to memory of 1676	2164	cmd.exe	WerFault.exe
PID 2164 wrote to memory of 1676	2164	cmd.exe	WerFault.exe
PID 2164 wrote to memory of 1676	2164	cmd.exe	WerFault.exe
PID 2164 wrote to memory of 1676	2164	cmd.exe	WerFault.exe
PID 2364 wrote to memory of 1628	2364	wiah.exe	conhost.exe
PID 2364 wrote to memory of 1628	2364	wiah.exe	conhost.exe
PID 2364 wrote to memory of 1628	2364	wiah.exe	conhost.exe
PID 2364 wrote to memory of 1628	2364	wiah.exe	conhost.exe
PID 2364 wrote to memory of 1628	2364	wiah.exe	conhost.exe
PID 2364 wrote to memory of 1676	2364	wiah.exe	WerFault.exe
PID 2364 wrote to memory of 1676	2364	wiah.exe	WerFault.exe
PID 2364 wrote to memory of 1676	2364	wiah.exe	WerFault.exe
PID 2364 wrote to memory of 1676	2364	wiah.exe	WerFault.exe
PID 2364 wrote to memory of 1676	2364	wiah.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\518c295dd4bc20e300c2bf5fe3bd540a.exe
"C:\Users\Admin\AppData\Local\Temp\518c295dd4bc20e300c2bf5fe3bd540a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9d45a64d.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 112
3⤵
- Program crash
PID:1676

C:\Users\Admin\AppData\Roaming\Otkyi\wiah.exe
"C:\Users\Admin\AppData\Roaming\Otkyi\wiah.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2016524993106840588312773213151382091468-1684313077-1872060101-738079523787781196"
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Otkyi\wiah.exe

Filesize
230KB

MD5
7b81fdf4ef7428b559608171b011dace

SHA1
ea43f84e5f27ba3be45ecf4182e4b6962ae24a02

SHA256
179d546fc1dd6c6db353ea56e2c225cef939602ef0586ac4c0b037aa19ad5fc1

SHA512
b92e0beadcb45dc68620e3b28e51370e43584d8c3ab61a42ddb3c3d40c131f6a1416a76d60d2fa4e825e72b3837cbccf2591afa704c8a0110058f7938549f65f

Download Submit
C:\Users\Admin\AppData\Roaming\Otkyi\wiah.exe

Filesize
262KB

MD5
3a0cdf7d687cfd7b0ee3a4470870b716

SHA1
9a3653af4fcf6d6ccb5037c47cd79e860cb065c0

SHA256
e1f0ca78949d4b3c388fcd6988a04299a7dbf57f0101cd0fd63bfc588d19d3bb

SHA512
2e5e80c2d8df3bb9667dfe4c1c179651fd8d96cf6085cbbd0a2f1ccce4952db538ad044050a11b6486b38c70f508a60f5d0169549808928b9b3b5c143420e563

Download Submit
C:\Users\Admin\AppData\Roaming\Ucicaw\iwza.noi

Filesize
366B

MD5
d34fc2d78b662906697cc10b6d341d7b

SHA1
d7022005f1eab423bb0d50be8a9b2f62c381cdb4

SHA256
702b79e7bd7a6382c5251b3b6abce9e504d2a30680542b44e98a2ef338a15ece

SHA512
96b8939bf864d4d76a0941d7f391b56be2299957564d6ebc23894dfef71385b5071e857ffc09e46613769ba017c0dc10a3f21f673384b58c48ea2a10249bc6af

Download Submit
\Users\Admin\AppData\Roaming\Otkyi\wiah.exe

Filesize
175KB

MD5
eed379f3a06ed397a13cda7469e85178

SHA1
7778c050aa38b0e758f22d457bcae4f938192360

SHA256
49d6dc637fd7cc4b33c0e79732bcb9a39500974a1c14529899c05bda76209652

SHA512
d40f7fe92ee7a6593985d6637ec042f40383e89f204dfb299b427de6a007fb24fd2048b06c8ee2771a1bd87a9b9687bc63a7e62025f8f6b52b92af8630dcb27e

Download Submit
memory/1120-22-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1120-24-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1120-20-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1120-14-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1224-32-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1224-28-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1224-34-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1224-30-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1256-39-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1256-37-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1256-38-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1256-40-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1652-45-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/1652-44-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/1652-42-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/1652-43-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/1676-283-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1676-286-0x0000000000860000-0x00000000008A1000-memory.dmp

Filesize
260KB

Download
memory/1676-189-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/1676-185-0x0000000000860000-0x00000000008A1000-memory.dmp

Filesize
260KB

Download
memory/1676-187-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2168-171-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-51-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-50-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-49-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-48-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-47-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2168-54-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-59-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-60-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2168-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-64-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-68-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-70-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-72-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-169-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/2168-52-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-74-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-76-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-56-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-78-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-1-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/2168-0-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2168-146-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2168-58-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/2364-13-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2364-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-15-0x0000000001C10000-0x0000000001C55000-memory.dmp

Filesize
276KB

Download