36c5ca36ba7b1bef77c1d694e9e9ced0875c1e93d27ff7b63a35a3b256c2270f

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a33a46bb3a2b6fb429cbb14f882b720.exe
Size

294KB
MD5

5a33a46bb3a2b6fb429cbb14f882b720
SHA1

076b7d67c959f8a78c045342fe0b1be6923dbed5
SHA256

36c5ca36ba7b1bef77c1d694e9e9ced0875c1e93d27ff7b63a35a3b256c2270f
SHA512

c306586aaf21b90bc6a8855d8dd27d636f278f7ed7c74b8cf0f4ac614fa6313c48baec1e90fd064ec30910ba9692c3704ea5665f1ce8d3d34e5984205f24ef69
SSDEEP

6144:xiGtsLYAlqNC+u+1PTG/qm/PgCnmUSFMhl41+M/oI29kKg:EGtsLDt+H1PTEn/iUSFM81+rI2/g

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1996	ohgemo.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	5a33a46bb3a2b6fb429cbb14f882b720.exe
2380	5a33a46bb3a2b6fb429cbb14f882b720.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F08D48C8-DA76-AD4E-F540-ECC2E1DBCFDF} = "C:\\Users\\Admin\\AppData\\Roaming\\Yglo\\ohgemo.exe"	ohgemo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1824	920	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	5a33a46bb3a2b6fb429cbb14f882b720.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5a33a46bb3a2b6fb429cbb14f882b720.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe
1996	ohgemo.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2380	5a33a46bb3a2b6fb429cbb14f882b720.exe
1996	ohgemo.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1996	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	31
PID 2380 wrote to memory of 1996	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	31
PID 2380 wrote to memory of 1996	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	31
PID 2380 wrote to memory of 1996	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	31
PID 1996 wrote to memory of 1224	1996	ohgemo.exe	9
PID 1996 wrote to memory of 1224	1996	ohgemo.exe	9
PID 1996 wrote to memory of 1224	1996	ohgemo.exe	9
PID 1996 wrote to memory of 1224	1996	ohgemo.exe	9
PID 1996 wrote to memory of 1224	1996	ohgemo.exe	9
PID 1996 wrote to memory of 1312	1996	ohgemo.exe	8
PID 1996 wrote to memory of 1312	1996	ohgemo.exe	8
PID 1996 wrote to memory of 1312	1996	ohgemo.exe	8
PID 1996 wrote to memory of 1312	1996	ohgemo.exe	8
PID 1996 wrote to memory of 1312	1996	ohgemo.exe	8
PID 1996 wrote to memory of 1360	1996	ohgemo.exe	7
PID 1996 wrote to memory of 1360	1996	ohgemo.exe	7
PID 1996 wrote to memory of 1360	1996	ohgemo.exe	7
PID 1996 wrote to memory of 1360	1996	ohgemo.exe	7
PID 1996 wrote to memory of 1360	1996	ohgemo.exe	7
PID 1996 wrote to memory of 1632	1996	ohgemo.exe	5
PID 1996 wrote to memory of 1632	1996	ohgemo.exe	5
PID 1996 wrote to memory of 1632	1996	ohgemo.exe	5
PID 1996 wrote to memory of 1632	1996	ohgemo.exe	5
PID 1996 wrote to memory of 1632	1996	ohgemo.exe	5
PID 1996 wrote to memory of 2380	1996	ohgemo.exe	1
PID 1996 wrote to memory of 2380	1996	ohgemo.exe	1
PID 1996 wrote to memory of 2380	1996	ohgemo.exe	1
PID 1996 wrote to memory of 2380	1996	ohgemo.exe	1
PID 1996 wrote to memory of 2380	1996	ohgemo.exe	1
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 2380 wrote to memory of 920	2380	5a33a46bb3a2b6fb429cbb14f882b720.exe	28
PID 920 wrote to memory of 1824	920	cmd.exe	29
PID 920 wrote to memory of 1824	920	cmd.exe	29
PID 920 wrote to memory of 1824	920	cmd.exe	29
PID 920 wrote to memory of 1824	920	cmd.exe	29
PID 1996 wrote to memory of 1808	1996	ohgemo.exe	30
PID 1996 wrote to memory of 1808	1996	ohgemo.exe	30
PID 1996 wrote to memory of 1808	1996	ohgemo.exe	30
PID 1996 wrote to memory of 1808	1996	ohgemo.exe	30
PID 1996 wrote to memory of 1808	1996	ohgemo.exe	30
PID 1996 wrote to memory of 1824	1996	ohgemo.exe	29
PID 1996 wrote to memory of 1824	1996	ohgemo.exe	29
PID 1996 wrote to memory of 1824	1996	ohgemo.exe	29
PID 1996 wrote to memory of 1824	1996	ohgemo.exe	29
PID 1996 wrote to memory of 1824	1996	ohgemo.exe	29

C:\Users\Admin\AppData\Local\Temp\5a33a46bb3a2b6fb429cbb14f882b720.exe
"C:\Users\Admin\AppData\Local\Temp\5a33a46bb3a2b6fb429cbb14f882b720.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7d28b1ec.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 112
    3⤵
    - Program crash
    PID:1824
- C:\Users\Admin\AppData\Roaming\Yglo\ohgemo.exe
  "C:\Users\Admin\AppData\Roaming\Yglo\ohgemo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "246393859-1172992333-1328325953-2080319002-290213022-36355240120573164551568580906"
1⤵
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Yglo\ohgemo.exe

Filesize
294KB

MD5
ad445286c0b4daa2ea242c07bf0d1b21

SHA1
d4d1d32a32cbbc4e1d8bcbc2288055d1dc409ec6

SHA256
7af1ae230dfa18318561082ed1623f446edd43a308cbd4deb1392ae0e2f329e1

SHA512
4440039fbc94dbcd55f21134dc22312c77df14546fd69d76e110146d65f4fc68d10831c4224f8e2fbd41f7456be3642cc1f66e4238f20c5927ba21b74b4694c9

Download Submit
C:\Users\Admin\AppData\Roaming\Yglo\ohgemo.exe

Filesize
28KB

MD5
29bf1f197b1713c35d3a7bf58bd37e81

SHA1
42830bcbddb41912532d192c5732beba087c9e50

SHA256
a2849f8f0b7b6b428638a86a7a09e4235df3b333e12c0b5a8656511f0abff983

SHA512
1dec5f4636109138ba0f25b433b80236c931f753a6729a04ad62eea0646a30c70e51ee85cced0956205c8b8e5eb906ae9849cb89a03532393120874e8fb72bda

Download Submit
C:\Users\Admin\AppData\Roaming\Yglo\ohgemo.exe

Filesize
281KB

MD5
2d1a08e4faa7da160e1b0b0ef22a5462

SHA1
5c4c388b3b1628df13657aaa9a10c18c699aefab

SHA256
e4d72b8cfe2a6951150d33606b2e69fb04e67526dd0d5e8ac07b19496120c238

SHA512
50f04b9281a7e52e0f104ce35df9e226bc5c40bce4299ba47e2f59847d91e6ca15a77bbcf6d55e7f9b0cbe70d7cef700cfff0cc29952d6077865431803226178

Download Submit
memory/1224-21-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1224-22-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1224-18-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1224-23-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1224-19-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1312-32-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1312-30-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1312-28-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1312-26-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1360-38-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1360-37-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1360-36-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1360-35-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1632-47-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1632-43-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1632-45-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1632-41-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1824-289-0x00000000026F0000-0x0000000002734000-memory.dmp

Filesize
272KB

Download
memory/1824-192-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/1824-286-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1824-191-0x00000000026F0000-0x0000000002734000-memory.dmp

Filesize
272KB

Download
memory/1996-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-17-0x00000000003A0000-0x00000000003ED000-memory.dmp

Filesize
308KB

Download
memory/1996-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-15-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2380-80-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-53-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2380-51-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2380-55-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2380-57-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2380-59-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2380-60-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-66-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-68-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-72-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-173-0x0000000001C70000-0x0000000001CBD000-memory.dmp

Filesize
308KB

Download
memory/2380-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-1-0x0000000001C70000-0x0000000001CBD000-memory.dmp

Filesize
308KB

Download
memory/2380-153-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-81-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-0-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download