0c05ce6ae32ba064520e1245f1cc2157ec4ae05a1b098883d82a53f2017a52e9

Analysis

max time kernel
152s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d1c374b8ee68b21d22f089229f6d9b.exe
Size

1.2MB
MD5

53d1c374b8ee68b21d22f089229f6d9b
SHA1

0fb8a04232dc31cab1e86c05035f25e93293baaa
SHA256

0c05ce6ae32ba064520e1245f1cc2157ec4ae05a1b098883d82a53f2017a52e9
SHA512

a46d29bbb87dac862d476b74963bff628d606a51293c739931f5728b443362ca44365f166aef6d394b6c00d85a5b407f28d48530c0d96f7b29ba8db8650b2ca8
SSDEEP

6144:fS/ZFKc3p9BhKS/ZFKc3p9BhVcnQ3nWdJWXkeX3QPBFez5b:venTt3QPBFy

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	mawa.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	53d1c374b8ee68b21d22f089229f6d9b.exe
1720	53d1c374b8ee68b21d22f089229f6d9b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8D03B3C8-CEC5-AD4E-9D6C-4FF59E096CE8} = "C:\\Users\\Admin\\AppData\\Roaming\\Laer\\mawa.exe"	mawa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	53d1c374b8ee68b21d22f089229f6d9b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	53d1c374b8ee68b21d22f089229f6d9b.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe
2092	mawa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1720	53d1c374b8ee68b21d22f089229f6d9b.exe
Token: SeSecurityPrivilege	1720	53d1c374b8ee68b21d22f089229f6d9b.exe
Token: SeSecurityPrivilege	1720	53d1c374b8ee68b21d22f089229f6d9b.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2092	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	28
PID 1720 wrote to memory of 2092	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	28
PID 1720 wrote to memory of 2092	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	28
PID 1720 wrote to memory of 2092	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	28
PID 2092 wrote to memory of 1128	2092	mawa.exe	9
PID 2092 wrote to memory of 1128	2092	mawa.exe	9
PID 2092 wrote to memory of 1128	2092	mawa.exe	9
PID 2092 wrote to memory of 1128	2092	mawa.exe	9
PID 2092 wrote to memory of 1128	2092	mawa.exe	9
PID 2092 wrote to memory of 1188	2092	mawa.exe	8
PID 2092 wrote to memory of 1188	2092	mawa.exe	8
PID 2092 wrote to memory of 1188	2092	mawa.exe	8
PID 2092 wrote to memory of 1188	2092	mawa.exe	8
PID 2092 wrote to memory of 1188	2092	mawa.exe	8
PID 2092 wrote to memory of 1224	2092	mawa.exe	7
PID 2092 wrote to memory of 1224	2092	mawa.exe	7
PID 2092 wrote to memory of 1224	2092	mawa.exe	7
PID 2092 wrote to memory of 1224	2092	mawa.exe	7
PID 2092 wrote to memory of 1224	2092	mawa.exe	7
PID 2092 wrote to memory of 1984	2092	mawa.exe	5
PID 2092 wrote to memory of 1984	2092	mawa.exe	5
PID 2092 wrote to memory of 1984	2092	mawa.exe	5
PID 2092 wrote to memory of 1984	2092	mawa.exe	5
PID 2092 wrote to memory of 1984	2092	mawa.exe	5
PID 2092 wrote to memory of 1720	2092	mawa.exe	4
PID 2092 wrote to memory of 1720	2092	mawa.exe	4
PID 2092 wrote to memory of 1720	2092	mawa.exe	4
PID 2092 wrote to memory of 1720	2092	mawa.exe	4
PID 2092 wrote to memory of 1720	2092	mawa.exe	4
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29
PID 1720 wrote to memory of 2764	1720	53d1c374b8ee68b21d22f089229f6d9b.exe	29

C:\Users\Admin\AppData\Local\Temp\53d1c374b8ee68b21d22f089229f6d9b.exe
"C:\Users\Admin\AppData\Local\Temp\53d1c374b8ee68b21d22f089229f6d9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\Laer\mawa.exe
  "C:\Users\Admin\AppData\Roaming\Laer\mawa.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpab60d451.bat"
  2⤵
  - Deletes itself
  PID:2764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpab60d451.bat

Filesize
243B

MD5
e1a9c1aa95661431874667e839fcdb49

SHA1
5f173eca34d8d55fc2ea9520f3a8f980dbc8a6f6

SHA256
81f4757fe0333b50e7a8b50f193fa0f7194554a3702c8d6bcb05e497f45c6d37

SHA512
43b2ba090c43ea6fbb603c7f844027b50f800c49a78a1eb55d148b52fb03c0bbb054c53ce7f00b52be7ac71120cf6d0bebae12455a28752eeabe1beb33a3ae03

Download Submit
C:\Users\Admin\AppData\Roaming\Laer\mawa.exe

Filesize
1.1MB

MD5
e646549b797413dc1ee800c8ffe71907

SHA1
a47b38f23418f566d17559d6e3a98521122cff4c

SHA256
5944b7e9c66ffe9e5bf8ba9d9317c4a9e01cc147c0350688eecbc770c722dc5b

SHA512
e12969ed48017fcc5afc2367726f7b1ca9f0671ab2e7ee20bab93965968d3a945d49b7b8a868a7e2ebf823ee99d03c10d1f0eb5a0e87ceba454744d3a3f598f8

Download Submit
C:\Users\Admin\AppData\Roaming\Laer\mawa.exe

Filesize
838KB

MD5
ad8a005414c8d5cc5a146560085d020f

SHA1
ca9db2caa189c16e39e49d0090c178598f97a75f

SHA256
7ea0aa60b1324ac0fe1d34289a846ee5fe3f6b1bb4fbc020ae10d9656b712a1e

SHA512
db4e3d087b87a488d829ddd1220dcca6197a39c553e8b7143eba6d360c3b404a1e7033b7eba981246cda3f1e03b2fb7c2acba8bf64fc4aa2ebdb3da97e564b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Ulhao\owbud.myb

Filesize
366B

MD5
621c8d227ead51e74bd9dab95cb9ecd5

SHA1
57be69dd6cecca77316532bf68ea1a91485c1a5c

SHA256
13106053ae09ea4d25df4c5b8d44414eae0b5d3be4385b93a3b8a54e202e4686

SHA512
0e4f0b2c73bfaad31fe270c8550daeea68362ba17795cac9b2cc0be467a5dd4b8a40efc98d3171dcfc9a11c7e3f0f82bbb45844352f07276b0c7f47280736072

Download Submit
\Users\Admin\AppData\Roaming\Laer\mawa.exe

Filesize
1.2MB

MD5
76405e8d63c9c55be0a654c26d870166

SHA1
efab2139b64f7291bb2f6487b0ddca3d682315db

SHA256
dc512d94fa874e64712ff2c4aad1918ef35651761bd868a0d53862340e44143c

SHA512
c71dc073b630f10712c92f4ee73da81ace37dc3098e6aedcb36b9c990ac2c08e75be0cc25c0e7112bd7830a3c7177fec9c3046e54b709c86407372f7c2fbc464

Download Submit
memory/1128-14-0x0000000001EA0000-0x0000000001ED5000-memory.dmp

Filesize
212KB

Download
memory/1128-16-0x0000000001EA0000-0x0000000001ED5000-memory.dmp

Filesize
212KB

Download
memory/1128-18-0x0000000001EA0000-0x0000000001ED5000-memory.dmp

Filesize
212KB

Download
memory/1128-21-0x0000000001EA0000-0x0000000001ED5000-memory.dmp

Filesize
212KB

Download
memory/1128-12-0x0000000001EA0000-0x0000000001ED5000-memory.dmp

Filesize
212KB

Download
memory/1188-30-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1188-32-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1188-25-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1188-27-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1224-37-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/1224-38-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/1224-35-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/1224-36-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/1720-49-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-11-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1720-58-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-64-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-66-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-78-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-76-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-146-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-48-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-72-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-70-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-65-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/1720-56-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-54-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-52-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-50-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-46-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-74-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000000400000-0x000000000286E000-memory.dmp

Filesize
36.4MB

Download
memory/1720-45-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-215-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1720-213-0x0000000000400000-0x000000000286E000-memory.dmp

Filesize
36.4MB

Download
memory/1720-62-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-28-0x0000000000400000-0x000000000286E000-memory.dmp

Filesize
36.4MB

Download
memory/1720-60-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1720-47-0x00000000042D0000-0x0000000004305000-memory.dmp

Filesize
212KB

Download
memory/1984-42-0x0000000000390000-0x00000000003C5000-memory.dmp

Filesize
212KB

Download
memory/1984-40-0x0000000000390000-0x00000000003C5000-memory.dmp

Filesize
212KB

Download
memory/1984-41-0x0000000000390000-0x00000000003C5000-memory.dmp

Filesize
212KB

Download
memory/1984-43-0x0000000000390000-0x00000000003C5000-memory.dmp

Filesize
212KB

Download
memory/2092-20-0x0000000000400000-0x000000000286E000-memory.dmp

Filesize
36.4MB

Download
memory/2092-264-0x0000000000400000-0x000000000286E000-memory.dmp

Filesize
36.4MB

Download
memory/2764-160-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/2764-162-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/2764-164-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/2764-263-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/2764-260-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download