53a3d448c4385ea27d03ad8c77473f7269301de6f3e65d9523ba468403f449ec

General

Target

73cf80903d668f7987f842fa89f3ff99.exe
Size

189KB
MD5

73cf80903d668f7987f842fa89f3ff99
SHA1

caec341016693dac84e59423a0e3e5d347ec5166
SHA256

53a3d448c4385ea27d03ad8c77473f7269301de6f3e65d9523ba468403f449ec
SHA512

d5f23992696b25460f651cf7dc15a8d55bd1d748962a34a46105233551aaf5eee6f1e789c909c0a3eb2b47639ea6468b867e214500b159f4e5449f93bc9a4db8
SSDEEP

3072:jlTI6MCyhr3bm9VdfQcvgOI/Ff7w+aMUTPtTweC3XnUFwKjt96:pIMyhrcdxItfMYUDtT1C3XI1j

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2464 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

iwome.exe

pid process

2656 iwome.exe
Loads dropped DLL 2 IoCs

Processes:

73cf80903d668f7987f842fa89f3ff99.exe

pid process

2404 73cf80903d668f7987f842fa89f3ff99.exe
2404 73cf80903d668f7987f842fa89f3ff99.exe

pid	process
2464	cmd.exe

pid	process
2404	73cf80903d668f7987f842fa89f3ff99.exe
2404	73cf80903d668f7987f842fa89f3ff99.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2404-0-0x0000000000400000-0x0000000000449000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Usno\iwome.exe	upx
behavioral1/memory/2404-8-0x0000000000390000-0x00000000003D9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iwome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C2A529CD-6553-EBAF-6801-5A5C5EE3D519} = "C:\\Users\\Admin\\AppData\\Roaming\\Usno\\iwome.exe"	iwome.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

73cf80903d668f7987f842fa89f3ff99.exe

description pid process target process

PID 2404 set thread context of 2464 2404 73cf80903d668f7987f842fa89f3ff99.exe cmd.exe

description	pid	process	target process
PID 2404 set thread context of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

73cf80903d668f7987f842fa89f3ff99.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Privacy	73cf80903d668f7987f842fa89f3ff99.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	73cf80903d668f7987f842fa89f3ff99.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

iwome.exe

pid	process
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe
2656	iwome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

73cf80903d668f7987f842fa89f3ff99.exe

description	pid	process
Token: SeSecurityPrivilege	2404	73cf80903d668f7987f842fa89f3ff99.exe
Token: SeSecurityPrivilege	2404	73cf80903d668f7987f842fa89f3ff99.exe
Token: SeSecurityPrivilege	2404	73cf80903d668f7987f842fa89f3ff99.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

73cf80903d668f7987f842fa89f3ff99.exeiwome.exe

description	pid	process	target process
PID 2404 wrote to memory of 2656	2404	73cf80903d668f7987f842fa89f3ff99.exe	iwome.exe
PID 2404 wrote to memory of 2656	2404	73cf80903d668f7987f842fa89f3ff99.exe	iwome.exe
PID 2404 wrote to memory of 2656	2404	73cf80903d668f7987f842fa89f3ff99.exe	iwome.exe
PID 2404 wrote to memory of 2656	2404	73cf80903d668f7987f842fa89f3ff99.exe	iwome.exe
PID 2656 wrote to memory of 1216	2656	iwome.exe	taskhost.exe
PID 2656 wrote to memory of 1216	2656	iwome.exe	taskhost.exe
PID 2656 wrote to memory of 1216	2656	iwome.exe	taskhost.exe
PID 2656 wrote to memory of 1216	2656	iwome.exe	taskhost.exe
PID 2656 wrote to memory of 1216	2656	iwome.exe	taskhost.exe
PID 2656 wrote to memory of 1320	2656	iwome.exe	Dwm.exe
PID 2656 wrote to memory of 1320	2656	iwome.exe	Dwm.exe
PID 2656 wrote to memory of 1320	2656	iwome.exe	Dwm.exe
PID 2656 wrote to memory of 1320	2656	iwome.exe	Dwm.exe
PID 2656 wrote to memory of 1320	2656	iwome.exe	Dwm.exe
PID 2656 wrote to memory of 1360	2656	iwome.exe	Explorer.EXE
PID 2656 wrote to memory of 1360	2656	iwome.exe	Explorer.EXE
PID 2656 wrote to memory of 1360	2656	iwome.exe	Explorer.EXE
PID 2656 wrote to memory of 1360	2656	iwome.exe	Explorer.EXE
PID 2656 wrote to memory of 1360	2656	iwome.exe	Explorer.EXE
PID 2656 wrote to memory of 1652	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1652	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1652	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1652	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1652	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2404	2656	iwome.exe	73cf80903d668f7987f842fa89f3ff99.exe
PID 2656 wrote to memory of 2404	2656	iwome.exe	73cf80903d668f7987f842fa89f3ff99.exe
PID 2656 wrote to memory of 2404	2656	iwome.exe	73cf80903d668f7987f842fa89f3ff99.exe
PID 2656 wrote to memory of 2404	2656	iwome.exe	73cf80903d668f7987f842fa89f3ff99.exe
PID 2656 wrote to memory of 2404	2656	iwome.exe	73cf80903d668f7987f842fa89f3ff99.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2404 wrote to memory of 2464	2404	73cf80903d668f7987f842fa89f3ff99.exe	cmd.exe
PID 2656 wrote to memory of 1072	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1072	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1072	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1072	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1072	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1172	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1172	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1172	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1172	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 1172	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2720	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2720	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2720	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2720	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2720	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2628	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2628	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2628	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2628	2656	iwome.exe	DllHost.exe
PID 2656 wrote to memory of 2628	2656	iwome.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\73cf80903d668f7987f842fa89f3ff99.exe
"C:\Users\Admin\AppData\Local\Temp\73cf80903d668f7987f842fa89f3ff99.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Roaming\Usno\iwome.exe
"C:\Users\Admin\AppData\Roaming\Usno\iwome.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a5fa42c.bat"
3⤵
- Deletes itself
PID:2464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1652

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6a5fa42c.bat
Filesize
243B

MD5
e31f20cddc40b9749a2e7861815ae135

SHA1
187b759e330c4a9233c2dd949e3550ce3729eff5

SHA256
bef6c5f230d7fd3a6da6e1ef833e2e6c5db74c71ffb9c251afaee7996ac73ba8

SHA512
a8433dc57ec9dd05f27005af6265b98daff4c8dd3a0184cd54e2450aeb61fe1db7fabe3193884de68ca7b9cec052066ad69d7fa8e6e6559bca0d599c1aa37cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Ubaz\izen.qim
Filesize
366B

MD5
a7c0975f041b1892b5ad9c49e4665768

SHA1
8bcea9bea6d31ddbb6fe7f8983bc9434a21c13ea

SHA256
80aae35bf815255c842dcecab0d44ff1369d653f3459de1831b4ff95d035a304

SHA512
3a5fa6d6015be57f7cfbd407673fa281cafa22a64baeb1c08a907f2377d3dbce5c4f22e68e2c92c5291dcf2741fd7aef028793f99444b880c50e7242102a25b0

Download Submit
\Users\Admin\AppData\Roaming\Usno\iwome.exe
Filesize
189KB

MD5
9b2e2a7bf91079f1343f8d92d99a9a85

SHA1
f9040ecb33438704908bbb73c5d040de052495cf

SHA256
52f87760be57f79772c28dfdd42eaf7b6d3eed4cc30ff3d7a2402fee7e7d17bc

SHA512
f3a5a5e3f45844b7bd3220ba90a3e50e1e61bfff06e5dc53d48ed7f032709e959f613fd55041157b77dad203aa92ec767a2306aab42e6d0410e680d38faf759c

Download Submit
memory/1216-16-0x0000000001E50000-0x0000000001E76000-memory.dmp

Filesize
152KB

Download
memory/1216-17-0x0000000001E50000-0x0000000001E76000-memory.dmp

Filesize
152KB

Download
memory/1216-18-0x0000000001E50000-0x0000000001E76000-memory.dmp

Filesize
152KB

Download
memory/1216-19-0x0000000001E50000-0x0000000001E76000-memory.dmp

Filesize
152KB

Download
memory/1216-20-0x0000000001E50000-0x0000000001E76000-memory.dmp

Filesize
152KB

Download
memory/1320-27-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/1320-25-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/1320-23-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/1320-29-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/1360-32-0x0000000002630000-0x0000000002656000-memory.dmp

Filesize
152KB

Download
memory/1360-33-0x0000000002630000-0x0000000002656000-memory.dmp

Filesize
152KB

Download
memory/1360-34-0x0000000002630000-0x0000000002656000-memory.dmp

Filesize
152KB

Download
memory/1360-35-0x0000000002630000-0x0000000002656000-memory.dmp

Filesize
152KB

Download
memory/1652-37-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/1652-38-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/1652-39-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/1652-40-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/2404-55-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-64-0x0000000077E40000-0x0000000077E41000-memory.dmp

Filesize
4KB

Download
memory/2404-8-0x0000000000390000-0x00000000003D9000-memory.dmp

Filesize
292KB

Download
memory/2404-42-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2404-44-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2404-48-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2404-46-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2404-50-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/2404-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2404-74-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-80-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-78-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-76-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-72-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-68-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-66-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2404-63-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-141-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2404-142-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-61-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-59-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-57-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-53-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-51-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2404-154-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2404-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2464-157-0x0000000077E40000-0x0000000077E41000-memory.dmp

Filesize
4KB

Download
memory/2464-184-0x0000000077E40000-0x0000000077E41000-memory.dmp

Filesize
4KB

Download
memory/2464-155-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/2464-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2464-250-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/2656-15-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2656-251-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads