9435adb201110308b389ba5cb2f935de96a0190cc347dc28cbf7a41da45fe387

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983b7c98aae7dd6b3e370c5c3d8d404a.exe
Size

262KB
MD5

983b7c98aae7dd6b3e370c5c3d8d404a
SHA1

bfd6d26c2c573d3ba9859f391cb430678fed167a
SHA256

9435adb201110308b389ba5cb2f935de96a0190cc347dc28cbf7a41da45fe387
SHA512

429987cb8851d4d62f851a22275a56ae3d84a5e829835767fe71ca6c11a45cfb7aa132c312a4d3b3ca8ff5c2d20dea9d9fb472e2b3a43183ac1e2ae9b8c98cd7
SSDEEP

6144:2jJ8Gp+df0afmVTRMdQdpn94sLrNXel9Fb98+MAv6:uJ8YkfXf4TRMA94svNuzFb9ZU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	ises.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{40C758C8-CEFB-AD4E-7138-F2B16CEAD1AC} = "C:\\Users\\Admin\\AppData\\Roaming\\Opyji\\ises.exe"	ises.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
824	1900	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy	983b7c98aae7dd6b3e370c5c3d8d404a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	983b7c98aae7dd6b3e370c5c3d8d404a.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe
1632	ises.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe
Token: SeSecurityPrivilege	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe
Token: SeSecurityPrivilege	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe
1632	ises.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1632	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	28
PID 2264 wrote to memory of 1632	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	28
PID 2264 wrote to memory of 1632	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	28
PID 2264 wrote to memory of 1632	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	28
PID 1632 wrote to memory of 1076	1632	ises.exe	12
PID 1632 wrote to memory of 1076	1632	ises.exe	12
PID 1632 wrote to memory of 1076	1632	ises.exe	12
PID 1632 wrote to memory of 1076	1632	ises.exe	12
PID 1632 wrote to memory of 1076	1632	ises.exe	12
PID 1632 wrote to memory of 1140	1632	ises.exe	15
PID 1632 wrote to memory of 1140	1632	ises.exe	15
PID 1632 wrote to memory of 1140	1632	ises.exe	15
PID 1632 wrote to memory of 1140	1632	ises.exe	15
PID 1632 wrote to memory of 1140	1632	ises.exe	15
PID 1632 wrote to memory of 1196	1632	ises.exe	13
PID 1632 wrote to memory of 1196	1632	ises.exe	13
PID 1632 wrote to memory of 1196	1632	ises.exe	13
PID 1632 wrote to memory of 1196	1632	ises.exe	13
PID 1632 wrote to memory of 1196	1632	ises.exe	13
PID 1632 wrote to memory of 1580	1632	ises.exe	23
PID 1632 wrote to memory of 1580	1632	ises.exe	23
PID 1632 wrote to memory of 1580	1632	ises.exe	23
PID 1632 wrote to memory of 1580	1632	ises.exe	23
PID 1632 wrote to memory of 1580	1632	ises.exe	23
PID 1632 wrote to memory of 2264	1632	ises.exe	27
PID 1632 wrote to memory of 2264	1632	ises.exe	27
PID 1632 wrote to memory of 2264	1632	ises.exe	27
PID 1632 wrote to memory of 2264	1632	ises.exe	27
PID 1632 wrote to memory of 2264	1632	ises.exe	27
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 2264 wrote to memory of 1900	2264	983b7c98aae7dd6b3e370c5c3d8d404a.exe	29
PID 1900 wrote to memory of 824	1900	cmd.exe	31
PID 1900 wrote to memory of 824	1900	cmd.exe	31
PID 1900 wrote to memory of 824	1900	cmd.exe	31
PID 1900 wrote to memory of 824	1900	cmd.exe	31
PID 1632 wrote to memory of 576	1632	ises.exe	30
PID 1632 wrote to memory of 576	1632	ises.exe	30
PID 1632 wrote to memory of 576	1632	ises.exe	30
PID 1632 wrote to memory of 576	1632	ises.exe	30
PID 1632 wrote to memory of 576	1632	ises.exe	30
PID 1632 wrote to memory of 824	1632	ises.exe	31
PID 1632 wrote to memory of 824	1632	ises.exe	31
PID 1632 wrote to memory of 824	1632	ises.exe	31
PID 1632 wrote to memory of 824	1632	ises.exe	31
PID 1632 wrote to memory of 824	1632	ises.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\983b7c98aae7dd6b3e370c5c3d8d404a.exe
  "C:\Users\Admin\AppData\Local\Temp\983b7c98aae7dd6b3e370c5c3d8d404a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\Opyji\ises.exe
    "C:\Users\Admin\AppData\Roaming\Opyji\ises.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6384eabd.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 112
      4⤵
      Program crash
      PID:824

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-73151954121092935311792868294-389597356-954566899260017176-434677938429899974"
1⤵
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dioc\iqdi.upc

Filesize
366B

MD5
7ec7400e01da63b48a209f6bee15984c

SHA1
b29f22715499c6b754cdffac0e3177104341f9a2

SHA256
2fa639074c9b40a5b9b2deceabcf28df3d435049f69805b5b7e791314047bb87

SHA512
37fc352f49b1c080d0e63c8d3d3cb506c37ddb258959c249f60f663d1019487430be09ad5083eb04361584f3ca1f2fd8c764421cbb090f7e7b7b96689f5a1b31

Download Submit
\Users\Admin\AppData\Roaming\Opyji\ises.exe

Filesize
262KB

MD5
dda55546461138fdc420228c1ed15e9e

SHA1
09c6cdd3c036e92e2db5a0e7dafffe77a661904c

SHA256
050c13be925b15fdf8f41cca34b668dd0a9ae2f27b5cad38e8a724fb99fb35f4

SHA512
a33e9a435696994e0bb2163e0632a6b4d9add2ced494e3ec43cfbac11c50a09a77e8fbc8466d55632432b269f75555bfa85ea8091e121a55aef5715d9daef8a5

Download Submit
memory/824-280-0x0000000002680000-0x00000000026C1000-memory.dmp

Filesize
260KB

Download
memory/824-277-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/824-207-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/824-179-0x0000000002680000-0x00000000026C1000-memory.dmp

Filesize
260KB

Download
memory/1076-15-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/1076-14-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/1076-17-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/1076-19-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/1076-20-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/1140-25-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1140-23-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1140-27-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1140-29-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1196-33-0x00000000024C0000-0x0000000002501000-memory.dmp

Filesize
260KB

Download
memory/1196-35-0x00000000024C0000-0x0000000002501000-memory.dmp

Filesize
260KB

Download
memory/1196-34-0x00000000024C0000-0x0000000002501000-memory.dmp

Filesize
260KB

Download
memory/1196-32-0x00000000024C0000-0x0000000002501000-memory.dmp

Filesize
260KB

Download
memory/1580-39-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1580-40-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1580-37-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1580-38-0x0000000001B90000-0x0000000001BD1000-memory.dmp

Filesize
260KB

Download
memory/1632-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-13-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1632-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-16-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/2264-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-48-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-46-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-44-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-43-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-42-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2264-145-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-45-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-47-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-52-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2264-51-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-166-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2264-167-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2264-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-1-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2264-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-50-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2264-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download