364aa99eb17c51abc154bdb82abba55f7a481034261e9449111030d12985fa09

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ocean.exe
Size

2.3MB
MD5

6bbe05cd611c00f2028fd3926293d17b
SHA1

1f34b1c9d88e5d8c3debeb14d26b7262e810e25d
SHA256

364aa99eb17c51abc154bdb82abba55f7a481034261e9449111030d12985fa09
SHA512

226fdaf50fd1c948b127afa267ff28c12e4fb013314f27dcdc9076b1b3452418edcb4169de56a418f862e4acfb82d49c923b24730065d2601e48d3b044a77132
SSDEEP

24576:WqdOsTyYgDnTSTbJSByTvNOtGv8I45XmilZeTFaiMZyCV1ED/T2hn23:WiOsTyYgnfBy8V5XbehZz7Mnq

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1400	E6inKw.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1400	E6inKw.exe
1400	E6inKw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1400	E6inKw.exe
1400	E6inKw.exe
1400	E6inKw.exe
1400	E6inKw.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4320	Ocean.exe
464	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	E6inKw.exe
Token: SeDebugPrivilege	1400	E6inKw.exe
Token: SeSecurityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: SeSecurityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe
Token: 33	464	mmc.exe
Token: SeIncBasePriorityPrivilege	464	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
464	mmc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4320	Ocean.exe
464	mmc.exe
464	mmc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1400	4320	Ocean.exe	92
PID 4320 wrote to memory of 1400	4320	Ocean.exe	92

C:\Users\Admin\AppData\Local\Temp\Ocean.exe
"C:\Users\Admin\AppData\Local\Temp\Ocean.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\lgodbqCr1E\E6inKw.exe
  C:\Users\Admin\AppData\Local\Temp\\lgodbqCr1E\E6inKw.exe 1111
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml

Filesize
109B

MD5
884320a9b8f018f309f5a96107133f89

SHA1
102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff

SHA256
50fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64

SHA512
b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgodbqCr1E\E6inKw.exe

Filesize
6.1MB

MD5
8c9d2934bda494f3de30991de7a3134e

SHA1
22c22196916ec9f7c90e95b1d8183c0703ef6000

SHA256
897f3f68a8ca3874b8a2d1d4aa35848a5c2a0c588aa468f61f1c4d5b9ee244d2

SHA512
0789b0afab27ad966e77eb3722f7c944ced2a56f515cc0bef9095f49870a0c52a03ffc9a02fd420a2c0190c26c6f252a8d73d7372e197bf31d40f192606a497e

Download Submit
memory/464-22-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-20-0x00007FFB49650000-0x00007FFB4A111000-memory.dmp

Filesize
10.8MB

Download
memory/464-28-0x0000000020D00000-0x0000000021228000-memory.dmp

Filesize
5.2MB

Download
memory/464-27-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-13-0x00007FFB49650000-0x00007FFB4A111000-memory.dmp

Filesize
10.8MB

Download
memory/464-14-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-15-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-16-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-17-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-18-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-19-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-26-0x00007FF42AC20000-0x00007FF42AC30000-memory.dmp

Filesize
64KB

Download
memory/464-21-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-24-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-23-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/464-25-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/1400-5-0x00007FFB69A50000-0x00007FFB69A52000-memory.dmp

Filesize
8KB

Download
memory/1400-6-0x00007FFB69A60000-0x00007FFB69A62000-memory.dmp

Filesize
8KB

Download
memory/1400-12-0x0000000140000000-0x0000000140FCB000-memory.dmp

Filesize
15.8MB

Download
memory/1400-8-0x0000000140000000-0x0000000140FCB000-memory.dmp

Filesize
15.8MB

Download
memory/1400-4-0x0000000140000000-0x0000000140FCB000-memory.dmp

Filesize
15.8MB

Download