Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: 779156930f35c787b6db9d4a3c33cc05.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 779156930f35c787b6db9d4a3c33cc05.exe
- Resource: win10v2004-20231222-en
General
- Target: 779156930f35c787b6db9d4a3c33cc05.exe
- Size: 293KB
- MD5: 779156930f35c787b6db9d4a3c33cc05
- SHA1: 171214c93c3fbe11e06480588bd38ef4f5b67981
- SHA256: 66c7f9516e0f564e90ac8fa9c783bc29c3a57bd98d76bae797945ee4a4495d71
- SHA512: 65bb46caa2607fc6703a1614227a804aef6749bdaa3b58a379615e971b3f47f4c9cc177c1536498ccc7a1e0d824048c8818c73b4f393dfca1b4b97aeab3f0e8c
- SSDEEP: 6144:EPdMyMANEVzGlcEDUl4qaRYVQ+CJTGbusJRhgnGXcjD7Xm2BeddhMHpmMDr:mNEh8cSLqdtCsisDhgnGABBedDMJmMX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2504 laohg.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 3032 779156930f35c787b6db9d4a3c33cc05.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process laohg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6CF0A0C8-CEE0-AD4E-46DF-EAE75CAEC9FA} = "C:\\Users\\Admin\\AppData\\Roaming\\Otol\\laohg.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 3032 779156930f35c787b6db9d4a3c33cc05.exe set thread context of PID 848 cmd.exe
- Program crash (2 IoCs)
  PID 1092 WerFault.exe (target: PID 848 cmd.exe)
  PID 2492 WerFault.exe (target: PID 1092 WerFault.exe)
- Modifies Internet Explorer settings (2 IoCs)
  Process 779156930f35c787b6db9d4a3c33cc05.exe:
  Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes: PID 2504 laohg.exe (31 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 3032 779156930f35c787b6db9d4a3c33cc05.exe: Token: SeSecurityPrivilege (3 events)
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: PID 3032 779156930f35c787b6db9d4a3c33cc05.exe; PID 2504 laohg.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  Source process -> target process (number of write events):
  PID 3032 779156930f35c787b6db9d4a3c33cc05.exe -> PID 2504 laohg.exe (4)
  PID 2504 laohg.exe -> PID 1136 taskhost.exe (5)
  PID 2504 laohg.exe -> PID 1228 Dwm.exe (5)
  PID 2504 laohg.exe -> PID 1264 Explorer.EXE (5)
  PID 2504 laohg.exe -> PID 1792 DllHost.exe (5)
  PID 2504 laohg.exe -> PID 3032 779156930f35c787b6db9d4a3c33cc05.exe (5)
  PID 3032 779156930f35c787b6db9d4a3c33cc05.exe -> PID 848 cmd.exe (9)
  PID 848 cmd.exe -> PID 1092 WerFault.exe (4)
  PID 2504 laohg.exe -> PID 940 conhost.exe (5)
  PID 2504 laohg.exe -> PID 1092 WerFault.exe (5)
  PID 1092 WerFault.exe -> PID 2492 WerFault.exe (4)
Processes
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1228
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1136
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1264
  - C:\Users\Admin\AppData\Local\Temp\779156930f35c787b6db9d4a3c33cc05.exe ("C:\Users\Admin\AppData\Local\Temp\779156930f35c787b6db9d4a3c33cc05.exe"), PID 3032
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Otol\laohg.exe ("C:\Users\Admin\AppData\Roaming\Otol\laohg.exe"), PID 2504
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe ("C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfda2bcd2.bat"), PID 848
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 116), PID 1092
        Signatures: Program crash; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe (C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 536), PID 2492
          Signatures: Program crash
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1792
- C:\Windows\system32\conhost.exe (\??\C:\Windows\system32\conhost.exe "-1424715491-17636202432092576943-2082516846-19000619004159814701797933612-1709803293"), PID 940
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 366B
  MD5: c87e4133e93178c278c92f377c076b5a
  SHA1: d4e36d9ad7f86b21c141f31f3c857d8b55101a16
  SHA256: 4fa8c78cef46b5e1b160c9265f6cd28fa33f7da7b98bd32644bcf28ee147d23a
  SHA512: 916125cab7a635c1ef3edcbc2398e29938644024ca6e9c77f3505f03198271c5121804a876b8579a324f885f99bfe6238cb07ebfbed7c06b053029190448716b
- Filesize: 293KB
  MD5: 39dc318c21e2ec9ff38468c3e8ce3562
  SHA1: 3290d6cdfc8476565512bc85a291f52f3cf83f1a
  SHA256: 1a3d4e75f991c55959b2519731fba831892d44cc4522d651f64780a8d629e2c8
  SHA512: f3ff75f1cbcf777deedf6d215eef96bfa3c4e9dcc472dd3ddf1592534a523aa53aa2a87596afa5956c54d6e49ed0ebada4a4f83cb8224800e83e5e53ec27b40c