2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29

General

Target

7fb15605dccd06a70ae7644062a69114.exe
Size

262KB
MD5

7fb15605dccd06a70ae7644062a69114
SHA1

3fa5587c045a0e99f2304828e275776154a30ed1
SHA256

2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29
SHA512

83dda785e21f940a92ab863839130767e15184c83cd828d1778986092c06934a65ae8f81ea32de8b55c129575b3e4f9a8cbe989462fb69664349ee7c8b4c5654
SSDEEP

6144:wZ8Gp+df0afmVTRMdVdpn94sLrNXel9Qb98+MARI:w8YkfXf4TRMn94svNuzQb9Zw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

odica.exe

pid process

2168 odica.exe
Loads dropped DLL 1 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114.exe

pid process

2580 7fb15605dccd06a70ae7644062a69114.exe

pid	process
2580	7fb15605dccd06a70ae7644062a69114.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

odica.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Ixjao\\odica.exe"	odica.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114.exe

description pid process target process

PID 2580 set thread context of 2516 2580 7fb15605dccd06a70ae7644062a69114.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2916 2516 WerFault.exe cmd.exe

description	pid	process	target process
PID 2580 set thread context of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe

pid	pid_target	process	target process
2916	2516	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7fb15605dccd06a70ae7644062a69114.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7fb15605dccd06a70ae7644062a69114.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	7fb15605dccd06a70ae7644062a69114.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

odica.exe

pid	process
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe
2168	odica.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114.exe

description	pid	process
Token: SeSecurityPrivilege	2580	7fb15605dccd06a70ae7644062a69114.exe
Token: SeSecurityPrivilege	2580	7fb15605dccd06a70ae7644062a69114.exe
Token: SeSecurityPrivilege	2580	7fb15605dccd06a70ae7644062a69114.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114.exeodica.exe

pid process

2580 7fb15605dccd06a70ae7644062a69114.exe
2168 odica.exe

pid	process
2580	7fb15605dccd06a70ae7644062a69114.exe
2168	odica.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114.exeodica.execmd.exe

description	pid	process	target process
PID 2580 wrote to memory of 2168	2580	7fb15605dccd06a70ae7644062a69114.exe	odica.exe
PID 2580 wrote to memory of 2168	2580	7fb15605dccd06a70ae7644062a69114.exe	odica.exe
PID 2580 wrote to memory of 2168	2580	7fb15605dccd06a70ae7644062a69114.exe	odica.exe
PID 2580 wrote to memory of 2168	2580	7fb15605dccd06a70ae7644062a69114.exe	odica.exe
PID 2168 wrote to memory of 1120	2168	odica.exe	taskhost.exe
PID 2168 wrote to memory of 1120	2168	odica.exe	taskhost.exe
PID 2168 wrote to memory of 1120	2168	odica.exe	taskhost.exe
PID 2168 wrote to memory of 1120	2168	odica.exe	taskhost.exe
PID 2168 wrote to memory of 1120	2168	odica.exe	taskhost.exe
PID 2168 wrote to memory of 1192	2168	odica.exe	Dwm.exe
PID 2168 wrote to memory of 1192	2168	odica.exe	Dwm.exe
PID 2168 wrote to memory of 1192	2168	odica.exe	Dwm.exe
PID 2168 wrote to memory of 1192	2168	odica.exe	Dwm.exe
PID 2168 wrote to memory of 1192	2168	odica.exe	Dwm.exe
PID 2168 wrote to memory of 1248	2168	odica.exe	Explorer.EXE
PID 2168 wrote to memory of 1248	2168	odica.exe	Explorer.EXE
PID 2168 wrote to memory of 1248	2168	odica.exe	Explorer.EXE
PID 2168 wrote to memory of 1248	2168	odica.exe	Explorer.EXE
PID 2168 wrote to memory of 1248	2168	odica.exe	Explorer.EXE
PID 2168 wrote to memory of 1476	2168	odica.exe	DllHost.exe
PID 2168 wrote to memory of 1476	2168	odica.exe	DllHost.exe
PID 2168 wrote to memory of 1476	2168	odica.exe	DllHost.exe
PID 2168 wrote to memory of 1476	2168	odica.exe	DllHost.exe
PID 2168 wrote to memory of 1476	2168	odica.exe	DllHost.exe
PID 2168 wrote to memory of 2580	2168	odica.exe	7fb15605dccd06a70ae7644062a69114.exe
PID 2168 wrote to memory of 2580	2168	odica.exe	7fb15605dccd06a70ae7644062a69114.exe
PID 2168 wrote to memory of 2580	2168	odica.exe	7fb15605dccd06a70ae7644062a69114.exe
PID 2168 wrote to memory of 2580	2168	odica.exe	7fb15605dccd06a70ae7644062a69114.exe
PID 2168 wrote to memory of 2580	2168	odica.exe	7fb15605dccd06a70ae7644062a69114.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2580 wrote to memory of 2516	2580	7fb15605dccd06a70ae7644062a69114.exe	cmd.exe
PID 2516 wrote to memory of 2916	2516	cmd.exe	WerFault.exe
PID 2516 wrote to memory of 2916	2516	cmd.exe	WerFault.exe
PID 2516 wrote to memory of 2916	2516	cmd.exe	WerFault.exe
PID 2516 wrote to memory of 2916	2516	cmd.exe	WerFault.exe
PID 2168 wrote to memory of 1348	2168	odica.exe	conhost.exe
PID 2168 wrote to memory of 1348	2168	odica.exe	conhost.exe
PID 2168 wrote to memory of 1348	2168	odica.exe	conhost.exe
PID 2168 wrote to memory of 1348	2168	odica.exe	conhost.exe
PID 2168 wrote to memory of 1348	2168	odica.exe	conhost.exe
PID 2168 wrote to memory of 2916	2168	odica.exe	WerFault.exe
PID 2168 wrote to memory of 2916	2168	odica.exe	WerFault.exe
PID 2168 wrote to memory of 2916	2168	odica.exe	WerFault.exe
PID 2168 wrote to memory of 2916	2168	odica.exe	WerFault.exe
PID 2168 wrote to memory of 2916	2168	odica.exe	WerFault.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114.exe
"C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Roaming\Ixjao\odica.exe
"C:\Users\Admin\AppData\Roaming\Ixjao\odica.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp78bd084e.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 116
4⤵
- Program crash
PID:2916

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74572143134126534894404360896267244-853178830-15463016641409243809-1293393539"
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ajyrn\izles.qea
Filesize
366B

MD5
91cb8d68078ed838a417b5aa917c9c07

SHA1
0dd718aee59377fc11eabe879afe7d2eb477472b

SHA256
084563ac11f878e2881b8ad06bf8bd3282ef51a4cb773317214101b346f484ed

SHA512
950c31a894cb9f64ed22c4c87536afe21adf1d3b73e2b857e49494a2c164b39a0f22cab72a9c89bfb748d35d6257213ae2c00d88189baf5f93b0f894b6962ea4

Download Submit
\Users\Admin\AppData\Roaming\Ixjao\odica.exe
Filesize
262KB

MD5
cfa2f82657d11aae3ca237783155f109

SHA1
2c102dec2a524402d9c5afcc495cc6e34c41a4af

SHA256
639c5142bcd38aa869de7dc956a4435c9a51c22ac47c20755f6bad0d02097f4f

SHA512
0debd73058a4a20c2a2ce39f145a7276859b465569b07dc8e58504839944b159c7088a1bc6dd517f0413d16d2fff4eb1fc07dd2bf9b7b50e7c6fadef4039c08d

Download Submit
memory/1120-15-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/1120-17-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/1120-14-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/1120-20-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/1192-22-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1192-23-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1192-24-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1192-25-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1248-29-0x0000000002930000-0x0000000002971000-memory.dmp

Filesize
260KB

Download
memory/1248-28-0x0000000002930000-0x0000000002971000-memory.dmp

Filesize
260KB

Download
memory/1248-27-0x0000000002930000-0x0000000002971000-memory.dmp

Filesize
260KB

Download
memory/1248-30-0x0000000002930000-0x0000000002971000-memory.dmp

Filesize
260KB

Download
memory/1476-33-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1476-32-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1476-34-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1476-35-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/2168-13-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2168-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-16-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/2580-64-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-46-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-61-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-56-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-54-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-52-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-58-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-78-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-136-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-76-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-74-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-72-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-70-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-68-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-66-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-50-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-48-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-37-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-62-0x00000000777D0000-0x00000000777D1000-memory.dmp

Filesize
4KB

Download
memory/2580-44-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-161-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-160-0x0000000000510000-0x0000000000555000-memory.dmp

Filesize
276KB

Download
memory/2580-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-42-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-41-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-39-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-40-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-38-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/2580-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-1-0x0000000000510000-0x0000000000555000-memory.dmp

Filesize
276KB

Download
memory/2580-0-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/2916-174-0x00000000023F0000-0x0000000002431000-memory.dmp

Filesize
260KB

Download
memory/2916-272-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2916-269-0x00000000777D0000-0x00000000777D1000-memory.dmp

Filesize
4KB

Download
memory/2916-275-0x00000000023F0000-0x0000000002431000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads