67194d7cca91a384ff434f919afa6092d4864d8cc5270db0e305c0f0dbd10aa8

Analysis

max time kernel
153s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641c3c7d49843b55abaa3d465f6dc34a.exe
Size

466KB
MD5

641c3c7d49843b55abaa3d465f6dc34a
SHA1

406c97e453d90abcc92bcc367737b04c7f5c7d6f
SHA256

67194d7cca91a384ff434f919afa6092d4864d8cc5270db0e305c0f0dbd10aa8
SHA512

f40df88c8efa781c69f5d6f3b19c93e72e3fbac9eee061271bc7e5b7c6eded93ad4b3833bb47d3c424992064859506ef22e82647d65570522b0173772293cf85
SSDEEP

3072:hH+j007BHFVmoXgS8+E3xeChcrtDL2BJehd5xjnhvOygYCH8F/P3YuFON:h1mBfVXyq1rEBJyjp4cFPr4N

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	acdo.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	641c3c7d49843b55abaa3d465f6dc34a.exe
1732	641c3c7d49843b55abaa3d465f6dc34a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/files/0x0037000000015daa-6.dat	upx
behavioral1/memory/1732-13-0x0000000002220000-0x0000000002296000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\{443CA79A-40FF-B279-3403-045D49EB886B} = "C:\\Users\\Admin\\AppData\\Roaming\\Ohug\\acdo.exe"	acdo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy	641c3c7d49843b55abaa3d465f6dc34a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	641c3c7d49843b55abaa3d465f6dc34a.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe
2676	acdo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1732	641c3c7d49843b55abaa3d465f6dc34a.exe
Token: SeSecurityPrivilege	1732	641c3c7d49843b55abaa3d465f6dc34a.exe
Token: SeSecurityPrivilege	1732	641c3c7d49843b55abaa3d465f6dc34a.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2676	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	28
PID 1732 wrote to memory of 2676	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	28
PID 1732 wrote to memory of 2676	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	28
PID 1732 wrote to memory of 2676	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	28
PID 2676 wrote to memory of 1244	2676	acdo.exe	12
PID 2676 wrote to memory of 1244	2676	acdo.exe	12
PID 2676 wrote to memory of 1244	2676	acdo.exe	12
PID 2676 wrote to memory of 1244	2676	acdo.exe	12
PID 2676 wrote to memory of 1244	2676	acdo.exe	12
PID 2676 wrote to memory of 1328	2676	acdo.exe	15
PID 2676 wrote to memory of 1328	2676	acdo.exe	15
PID 2676 wrote to memory of 1328	2676	acdo.exe	15
PID 2676 wrote to memory of 1328	2676	acdo.exe	15
PID 2676 wrote to memory of 1328	2676	acdo.exe	15
PID 2676 wrote to memory of 1372	2676	acdo.exe	14
PID 2676 wrote to memory of 1372	2676	acdo.exe	14
PID 2676 wrote to memory of 1372	2676	acdo.exe	14
PID 2676 wrote to memory of 1372	2676	acdo.exe	14
PID 2676 wrote to memory of 1372	2676	acdo.exe	14
PID 2676 wrote to memory of 1732	2676	acdo.exe	27
PID 2676 wrote to memory of 1732	2676	acdo.exe	27
PID 2676 wrote to memory of 1732	2676	acdo.exe	27
PID 2676 wrote to memory of 1732	2676	acdo.exe	27
PID 2676 wrote to memory of 1732	2676	acdo.exe	27
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 1732 wrote to memory of 2624	1732	641c3c7d49843b55abaa3d465f6dc34a.exe	29
PID 2676 wrote to memory of 1724	2676	acdo.exe	31
PID 2676 wrote to memory of 1724	2676	acdo.exe	31
PID 2676 wrote to memory of 1724	2676	acdo.exe	31
PID 2676 wrote to memory of 1724	2676	acdo.exe	31
PID 2676 wrote to memory of 1724	2676	acdo.exe	31
PID 2676 wrote to memory of 2872	2676	acdo.exe	32
PID 2676 wrote to memory of 2872	2676	acdo.exe	32
PID 2676 wrote to memory of 2872	2676	acdo.exe	32
PID 2676 wrote to memory of 2872	2676	acdo.exe	32
PID 2676 wrote to memory of 2872	2676	acdo.exe	32
PID 2676 wrote to memory of 2444	2676	acdo.exe	33
PID 2676 wrote to memory of 2444	2676	acdo.exe	33
PID 2676 wrote to memory of 2444	2676	acdo.exe	33
PID 2676 wrote to memory of 2444	2676	acdo.exe	33
PID 2676 wrote to memory of 2444	2676	acdo.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\641c3c7d49843b55abaa3d465f6dc34a.exe
  "C:\Users\Admin\AppData\Local\Temp\641c3c7d49843b55abaa3d465f6dc34a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\Ohug\acdo.exe
    "C:\Users\Admin\AppData\Roaming\Ohug\acdo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp04ceaea7.bat"
    3⤵
    - Deletes itself
    PID:2624

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp04ceaea7.bat

Filesize
243B

MD5
8360bf98bec2945f4cba6b0eb0a6d151

SHA1
be997799b6ecbefa7c2658172d1b7584cb3183d6

SHA256
de8c873561bf190631a1a19471bfad2171a04d691925a5cde4ab03c45c388af7

SHA512
02a9653e8ee1ac2e9d1bdd889cbb7dba268a00211306504dd82d704b00e574c1e5f0078c417e0dc361b39fbbabae3560453c1859b870541772c188c60db9e3b8

Download Submit
C:\Users\Admin\AppData\Roaming\Keakaq\siyda.goa

Filesize
366B

MD5
e4a6b8382964015ca34da9ce98c67e4e

SHA1
f51adfbd25287348e8b502ba8a8da411c8069bdd

SHA256
5708e8a0818131147e2254ff51ee402dd70c469f629bf7b25cc710fce67ae170

SHA512
5fdebc79f2cc19ca47daebdd2ae74f9c49a55f4fc9329d58bad2916b5f6d4ed51f21632c65f768acc5e2d1a59387b9eea0c8a2aecd6f29661f15b5774f3f8e6a

Download Submit
\Users\Admin\AppData\Roaming\Ohug\acdo.exe

Filesize
466KB

MD5
ab631002e2ea3b2391733a4614c0b0e3

SHA1
4338a8fcd223442d8db2a69dfe304a4fce45cff4

SHA256
870017ff282015fb7a0f8be56dc1ae3e813c72c5a3b320de24e3327bc369f5f6

SHA512
a39eecd87b0e09db10a5cd9dfecfa98e4d42ddaec1c663e4554563ecfded05c97ab8e83654899d137703388fd6968997040055517737cf3a7e0974747136bf72

Download Submit
memory/1244-19-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1244-17-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1244-16-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1244-21-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1244-23-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1328-32-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1328-26-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1328-30-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1328-28-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1372-38-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/1372-37-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/1372-36-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/1372-35-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/1732-50-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1732-22-0x0000000002220000-0x0000000002296000-memory.dmp

Filesize
472KB

Download
memory/1732-99-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1732-13-0x0000000002220000-0x0000000002296000-memory.dmp

Filesize
472KB

Download
memory/1732-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1732-41-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1732-43-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1732-45-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1732-47-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1732-49-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1732-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1732-52-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-56-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/1732-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1732-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-75-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-79-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-81-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-83-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1732-87-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2624-102-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/2624-103-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/2624-106-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/2624-141-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/2624-140-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2676-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2676-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2676-20-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2676-153-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download