Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2024 11:11
Static task: static1
Behavioral task: behavioral1
  Sample: 7fb15605dccd06a70ae7644062a69114.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7fb15605dccd06a70ae7644062a69114.exe
  Resource: win10v2004-20231215-en
General
Target: 7fb15605dccd06a70ae7644062a69114.exe
Size: 262KB
MD5: 7fb15605dccd06a70ae7644062a69114
SHA1: 3fa5587c045a0e99f2304828e275776154a30ed1
SHA256: 2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29
SHA512: 83dda785e21f940a92ab863839130767e15184c83cd828d1778986092c06934a65ae8f81ea32de8b55c129575b3e4f9a8cbe989462fb69664349ee7c8b4c5654
SSDEEP: 6144:wZ8Gp+df0afmVTRMdVdpn94sLrNXel9Qb98+MARI:w8YkfXf4TRMn94svNuzQb9Zw
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2168  odica.exe

Loads dropped DLL 1 IoCs
Processes:
  pid   process
  2580  7fb15605dccd06a70ae7644062a69114.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Ixjao\\odica.exe"  odica.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                     pid   process                               target process
  PID 2580 set thread context of 2516  2580  7fb15605dccd06a70ae7644062a69114.exe  cmd.exe

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  2916  2516        WerFault.exe  cmd.exe
Modifies Internet Explorer settings
Processes:
  description      ioc                                                                                                                                      process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  7fb15605dccd06a70ae7644062a69114.exe
  Key created      \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy                    7fb15605dccd06a70ae7644062a69114.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
  pid   process
  2168  odica.exe  (32 identical entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  2580  7fb15605dccd06a70ae7644062a69114.exe
  Token: SeSecurityPrivilege  2580  7fb15605dccd06a70ae7644062a69114.exe
  Token: SeSecurityPrivilege  2580  7fb15605dccd06a70ae7644062a69114.exe

Suspicious use of UnmapMainImage 2 IoCs
Processes:
  pid   process
  2580  7fb15605dccd06a70ae7644062a69114.exe
  2168  odica.exe

Suspicious use of WriteProcessMemory 52 IoCs
Processes (identical entries collapsed, count in last column; the counts sum to 52):
  description                        pid   process                               target process                        count
  PID 2580 wrote to memory of 2168   2580  7fb15605dccd06a70ae7644062a69114.exe  odica.exe                             4
  PID 2168 wrote to memory of 1120   2168  odica.exe                             taskhost.exe                          5
  PID 2168 wrote to memory of 1192   2168  odica.exe                             Dwm.exe                               5
  PID 2168 wrote to memory of 1248   2168  odica.exe                             Explorer.EXE                          5
  PID 2168 wrote to memory of 1476   2168  odica.exe                             DllHost.exe                           5
  PID 2168 wrote to memory of 2580   2168  odica.exe                             7fb15605dccd06a70ae7644062a69114.exe  5
  PID 2580 wrote to memory of 2516   2580  7fb15605dccd06a70ae7644062a69114.exe  cmd.exe                               9
  PID 2516 wrote to memory of 2916   2516  cmd.exe                               WerFault.exe                          4
  PID 2168 wrote to memory of 1348   2168  odica.exe                             conhost.exe                           5
  PID 2168 wrote to memory of 2916   2168  odica.exe                             WerFault.exe                          5
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1476

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1248
    C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID:2580
        C:\Users\Admin\AppData\Roaming\Ixjao\odica.exe
          command line: "C:\Users\Admin\AppData\Roaming\Ixjao\odica.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID:2168
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp78bd084e.bat"
          - Suspicious use of WriteProcessMemory
          PID:2516
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 116
              - Program crash
              PID:2916

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1192

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1120

C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-74572143134126534894404360896267244-853178830-15463016641409243809-1293393539"
  PID:1348
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 366B
MD5: 91cb8d68078ed838a417b5aa917c9c07
SHA1: 0dd718aee59377fc11eabe879afe7d2eb477472b
SHA256: 084563ac11f878e2881b8ad06bf8bd3282ef51a4cb773317214101b346f484ed
SHA512: 950c31a894cb9f64ed22c4c87536afe21adf1d3b73e2b857e49494a2c164b39a0f22cab72a9c89bfb748d35d6257213ae2c00d88189baf5f93b0f894b6962ea4

Filesize: 262KB
MD5: cfa2f82657d11aae3ca237783155f109
SHA1: 2c102dec2a524402d9c5afcc495cc6e34c41a4af
SHA256: 639c5142bcd38aa869de7dc956a4435c9a51c22ac47c20755f6bad0d02097f4f
SHA512: 0debd73058a4a20c2a2ce39f145a7276859b465569b07dc8e58504839944b159c7088a1bc6dd517f0413d16d2fff4eb1fc07dd2bf9b7b50e7c6fadef4039c08d