4bb32cbfadd59f25357978b8eba4370044dc4ebf0e00b04f39f478dde8ad2a91

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

712198f524ecc6d53f331bd16895ae84.exe
Size

105KB
MD5

712198f524ecc6d53f331bd16895ae84
SHA1

b9b05293ff89d697b1d5ebd04d0beccffa9875b6
SHA256

4bb32cbfadd59f25357978b8eba4370044dc4ebf0e00b04f39f478dde8ad2a91
SHA512

76e8f13bf633555d061b42923345b74430abc99054dd1c682940c116a876dc13beb3e5a32f97be81251e5d01854cadc2ced051a323737c8320b53941717171bf
SSDEEP

1536:Q5oaJTXYdJqxDFvi8Se4S1KlvUY5TJqlmoQtc9YX2xvbVqSZQof5y:Q5HTo7qxDpi/FS1KqCq8qYGZbVqSZJfk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	ihur.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	712198f524ecc6d53f331bd16895ae84.exe
2976	712198f524ecc6d53f331bd16895ae84.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0B1824F7-EDAC-9233-8602-3A0B54C481C1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ziqodi\\ihur.exe"	ihur.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Privacy	712198f524ecc6d53f331bd16895ae84.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	712198f524ecc6d53f331bd16895ae84.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe
2200	ihur.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2976	712198f524ecc6d53f331bd16895ae84.exe
Token: SeSecurityPrivilege	2976	712198f524ecc6d53f331bd16895ae84.exe
Token: SeSecurityPrivilege	2976	712198f524ecc6d53f331bd16895ae84.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2200	2976	712198f524ecc6d53f331bd16895ae84.exe	28
PID 2976 wrote to memory of 2200	2976	712198f524ecc6d53f331bd16895ae84.exe	28
PID 2976 wrote to memory of 2200	2976	712198f524ecc6d53f331bd16895ae84.exe	28
PID 2976 wrote to memory of 2200	2976	712198f524ecc6d53f331bd16895ae84.exe	28
PID 2200 wrote to memory of 1120	2200	ihur.exe	22
PID 2200 wrote to memory of 1120	2200	ihur.exe	22
PID 2200 wrote to memory of 1120	2200	ihur.exe	22
PID 2200 wrote to memory of 1120	2200	ihur.exe	22
PID 2200 wrote to memory of 1120	2200	ihur.exe	22
PID 2200 wrote to memory of 1188	2200	ihur.exe	21
PID 2200 wrote to memory of 1188	2200	ihur.exe	21
PID 2200 wrote to memory of 1188	2200	ihur.exe	21
PID 2200 wrote to memory of 1188	2200	ihur.exe	21
PID 2200 wrote to memory of 1188	2200	ihur.exe	21
PID 2200 wrote to memory of 1244	2200	ihur.exe	20
PID 2200 wrote to memory of 1244	2200	ihur.exe	20
PID 2200 wrote to memory of 1244	2200	ihur.exe	20
PID 2200 wrote to memory of 1244	2200	ihur.exe	20
PID 2200 wrote to memory of 1244	2200	ihur.exe	20
PID 2200 wrote to memory of 2556	2200	ihur.exe	18
PID 2200 wrote to memory of 2556	2200	ihur.exe	18
PID 2200 wrote to memory of 2556	2200	ihur.exe	18
PID 2200 wrote to memory of 2556	2200	ihur.exe	18
PID 2200 wrote to memory of 2556	2200	ihur.exe	18
PID 2200 wrote to memory of 2976	2200	ihur.exe	14
PID 2200 wrote to memory of 2976	2200	ihur.exe	14
PID 2200 wrote to memory of 2976	2200	ihur.exe	14
PID 2200 wrote to memory of 2976	2200	ihur.exe	14
PID 2200 wrote to memory of 2976	2200	ihur.exe	14
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2976 wrote to memory of 2656	2976	712198f524ecc6d53f331bd16895ae84.exe	29
PID 2200 wrote to memory of 1376	2200	ihur.exe	31
PID 2200 wrote to memory of 1376	2200	ihur.exe	31
PID 2200 wrote to memory of 1376	2200	ihur.exe	31
PID 2200 wrote to memory of 1376	2200	ihur.exe	31
PID 2200 wrote to memory of 1376	2200	ihur.exe	31
PID 2200 wrote to memory of 1556	2200	ihur.exe	34
PID 2200 wrote to memory of 1556	2200	ihur.exe	34
PID 2200 wrote to memory of 1556	2200	ihur.exe	34
PID 2200 wrote to memory of 1556	2200	ihur.exe	34
PID 2200 wrote to memory of 1556	2200	ihur.exe	34

C:\Users\Admin\AppData\Local\Temp\712198f524ecc6d53f331bd16895ae84.exe
"C:\Users\Admin\AppData\Local\Temp\712198f524ecc6d53f331bd16895ae84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\Ziqodi\ihur.exe
  "C:\Users\Admin\AppData\Roaming\Ziqodi\ihur.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa4bcfc4f.bat"
  2⤵
  - Deletes itself
  PID:2656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa4bcfc4f.bat

Filesize
243B

MD5
4d18c555ea82b0d8b4f7631d1832f307

SHA1
cef76e0615167347a99e6b0530fed3c7598078ec

SHA256
6b8373e88483a775d960416722fcdffcba8baad9a4ef7187c436c183f1ac6ff8

SHA512
66651aeb8389ca8ddaebc118420e7302baa3fe31abaf4935b23c84a867d29731cbac07a868fda4b768fc443f5b0fe3088fd87ae15d26c1869511f763749babce

Download Submit
C:\Users\Admin\AppData\Roaming\Arko\mauzo.akr

Filesize
366B

MD5
f3005547d86a3e0754eb6d41b78c9438

SHA1
97e08b0bd3ae57ef6c92444221f8834338931e6e

SHA256
8e6dc5e7d435705f25d38a467503f2f0bddffaff1e348c5059cf8d65b831c8ad

SHA512
3442ed45423866e25dd53e6be4c5bd726583ec4e682045995eb27c7ad70a706b445497df262b46d3f7c61b4f8d08411daf6f17a5b242952a20a90ef3b8d1cb56

Download Submit
\Users\Admin\AppData\Roaming\Ziqodi\ihur.exe

Filesize
105KB

MD5
26eff7b318dbdea7d51fe4a3a68d99a7

SHA1
f2527e504d2d6aac0a591bca59b1c170580cc1aa

SHA256
e14c75f6373aed1d5388d3f7cdf68a4aa3744ff46e300b32f47a35e253068061

SHA512
550534d734c0388411c1a3f9c9b939abc025db53ef796f5afbdc3e63a01dc33d339d43d803b1e65733c7ac6f288bc19f0d10d90884fe38f934da5049ff50e59b

Download Submit
memory/1120-23-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/1120-29-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/1120-27-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/1120-25-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/1120-21-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/1188-32-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1188-33-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1188-34-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1188-35-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1244-38-0x0000000002950000-0x000000000296F000-memory.dmp

Filesize
124KB

Download
memory/1244-39-0x0000000002950000-0x000000000296F000-memory.dmp

Filesize
124KB

Download
memory/1244-40-0x0000000002950000-0x000000000296F000-memory.dmp

Filesize
124KB

Download
memory/1244-37-0x0000000002950000-0x000000000296F000-memory.dmp

Filesize
124KB

Download
memory/2200-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-156-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-18-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2200-17-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2200-15-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2200-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-154-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2556-45-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2556-44-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2556-43-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2556-42-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2656-148-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/2656-147-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2656-113-0x0000000077D60000-0x0000000077D61000-memory.dmp

Filesize
4KB

Download
memory/2656-108-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/2976-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-54-0x0000000002040000-0x000000000205F000-memory.dmp

Filesize
124KB

Download
memory/2976-56-0x0000000002040000-0x000000000205F000-memory.dmp

Filesize
124KB

Download
memory/2976-59-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-80-0x0000000077D60000-0x0000000077D61000-memory.dmp

Filesize
4KB

Download
memory/2976-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-75-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-65-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-57-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-94-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2976-52-0x0000000002040000-0x000000000205F000-memory.dmp

Filesize
124KB

Download
memory/2976-106-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-107-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/2976-50-0x0000000002040000-0x000000000205F000-memory.dmp

Filesize
124KB

Download
memory/2976-48-0x0000000002040000-0x000000000205F000-memory.dmp

Filesize
124KB

Download
memory/2976-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-3-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/2976-2-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/2976-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-0-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download