2fcc86a28dcd1de07aefff4212e0d6024a72076afa042f3606d4ecdc010ad88d

General

Target

9ad22b128ad5b37a4fb392fab44b9487.exe
Size

230KB
MD5

9ad22b128ad5b37a4fb392fab44b9487
SHA1

1cdef4c3556f3c2af65777f1c962153315eb4083
SHA256

2fcc86a28dcd1de07aefff4212e0d6024a72076afa042f3606d4ecdc010ad88d
SHA512

c40163289486144abddac917030a029d337911be9d05723a113176f8468973edb43811f5db4c394a3e057beec6577edfe84ac2519c0aa505a2203c801a575c6f
SSDEEP

6144:P7qqgZi/MGm0gXxZW2J0knJMMqVfxcQcTAwHNKwNSwbBOmxdoSV:PRg4NmNMZknZqVfWPlHNKwNVEmxdoSV

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

vohi.exe

pid process

2700 vohi.exe
Loads dropped DLL 2 IoCs

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exe

pid process

2504 9ad22b128ad5b37a4fb392fab44b9487.exe
2504 9ad22b128ad5b37a4fb392fab44b9487.exe

pid	process
1496	cmd.exe

pid	process
2504	9ad22b128ad5b37a4fb392fab44b9487.exe
2504	9ad22b128ad5b37a4fb392fab44b9487.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Okaqlu\vohi.exe	upx
behavioral1/memory/2504-13-0x0000000000470000-0x00000000004D4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vohi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DA6CC81F-ACDB-37B7-3780-4801EAC2A88A} = "C:\\Users\\Admin\\AppData\\Roaming\\Okaqlu\\vohi.exe"	vohi.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exevohi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	9ad22b128ad5b37a4fb392fab44b9487.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	9ad22b128ad5b37a4fb392fab44b9487.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	vohi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	vohi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exe

description pid process target process

PID 2504 set thread context of 1496 2504 9ad22b128ad5b37a4fb392fab44b9487.exe cmd.exe

description	pid	process	target process
PID 2504 set thread context of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	9ad22b128ad5b37a4fb392fab44b9487.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9ad22b128ad5b37a4fb392fab44b9487.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\745C6FCD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

vohi.exe

pid	process
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe
2700	vohi.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2504	9ad22b128ad5b37a4fb392fab44b9487.exe
Token: SeSecurityPrivilege	2504	9ad22b128ad5b37a4fb392fab44b9487.exe
Token: SeSecurityPrivilege	2504	9ad22b128ad5b37a4fb392fab44b9487.exe
Token: SeManageVolumePrivilege	2440	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

2440 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

2440 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2440 WinMail.exe

pid	process
2440	WinMail.exe

pid	process
2440	WinMail.exe

pid	process
2440	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

9ad22b128ad5b37a4fb392fab44b9487.exevohi.exe

description	pid	process	target process
PID 2504 wrote to memory of 2700	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	vohi.exe
PID 2504 wrote to memory of 2700	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	vohi.exe
PID 2504 wrote to memory of 2700	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	vohi.exe
PID 2504 wrote to memory of 2700	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	vohi.exe
PID 2700 wrote to memory of 1168	2700	vohi.exe	taskhost.exe
PID 2700 wrote to memory of 1168	2700	vohi.exe	taskhost.exe
PID 2700 wrote to memory of 1168	2700	vohi.exe	taskhost.exe
PID 2700 wrote to memory of 1168	2700	vohi.exe	taskhost.exe
PID 2700 wrote to memory of 1168	2700	vohi.exe	taskhost.exe
PID 2700 wrote to memory of 1212	2700	vohi.exe	Dwm.exe
PID 2700 wrote to memory of 1212	2700	vohi.exe	Dwm.exe
PID 2700 wrote to memory of 1212	2700	vohi.exe	Dwm.exe
PID 2700 wrote to memory of 1212	2700	vohi.exe	Dwm.exe
PID 2700 wrote to memory of 1212	2700	vohi.exe	Dwm.exe
PID 2700 wrote to memory of 1272	2700	vohi.exe	Explorer.EXE
PID 2700 wrote to memory of 1272	2700	vohi.exe	Explorer.EXE
PID 2700 wrote to memory of 1272	2700	vohi.exe	Explorer.EXE
PID 2700 wrote to memory of 1272	2700	vohi.exe	Explorer.EXE
PID 2700 wrote to memory of 1272	2700	vohi.exe	Explorer.EXE
PID 2700 wrote to memory of 2196	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2196	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2196	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2196	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2196	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2504	2700	vohi.exe	9ad22b128ad5b37a4fb392fab44b9487.exe
PID 2700 wrote to memory of 2504	2700	vohi.exe	9ad22b128ad5b37a4fb392fab44b9487.exe
PID 2700 wrote to memory of 2504	2700	vohi.exe	9ad22b128ad5b37a4fb392fab44b9487.exe
PID 2700 wrote to memory of 2504	2700	vohi.exe	9ad22b128ad5b37a4fb392fab44b9487.exe
PID 2700 wrote to memory of 2504	2700	vohi.exe	9ad22b128ad5b37a4fb392fab44b9487.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2504 wrote to memory of 1496	2504	9ad22b128ad5b37a4fb392fab44b9487.exe	cmd.exe
PID 2700 wrote to memory of 1080	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 1080	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 1080	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 1080	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 1080	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2564	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2564	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2564	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2564	2700	vohi.exe	DllHost.exe
PID 2700 wrote to memory of 2564	2700	vohi.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1168

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\9ad22b128ad5b37a4fb392fab44b9487.exe
"C:\Users\Admin\AppData\Local\Temp\9ad22b128ad5b37a4fb392fab44b9487.exe"
2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Roaming\Okaqlu\vohi.exe
"C:\Users\Admin\AppData\Roaming\Okaqlu\vohi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp53a2508d.bat"
3⤵
- Deletes itself
PID:1496

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
a1b6c3695845f0291580c6159a8a99a1

SHA1
38d2707016573e4a016712a386c9d1984f955834

SHA256
bce50ad0b1db394d9dea821b2bec48a9d04f1cd42e82befb018a8cfd10863ba1

SHA512
8ca44c196358008fbf6b3fa532b168b6312fae6bebcb72f7b1143272849fb036890e9c1e5c51eebcbd89224944ea423f619f6231e6c26912250b4789a846ce3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53a2508d.bat
Filesize
243B

MD5
7ce67538ffc55409ee88e0e3ade7352e

SHA1
51d609ad2e7d032aa07f87cc4917772e221d78a4

SHA256
0470f885ee309a998da2ec34086c56cb25d0fb0eb784caacb90f26bc361bd9d1

SHA512
a9abfa992379866401b4e0a3170ae8d49f50a62d598bced2ff6e5b4a2d6cc81a918bc8f39dc90071d3a8afa009a2d198e507074e633cebf0bca6add5a08aa916

Download Submit
C:\Users\Admin\AppData\Roaming\Perab\elqau.tua
Filesize
389B

MD5
f00792e701356b98bc216efd1762c0e2

SHA1
c46eff7d15b81d63defb3631446987371f9aad63

SHA256
9ca43d321b1403131c8d801e143a886c9de3389f90a126fd36aff49e2f00b0b1

SHA512
951222dfdf7c0a6271bc62f6e2c234a01918e429051a0caec987b6d8d6fbc0f01920e1fa5b1c11ab22651be0a039a7451bd550ecf54e029ff8c962c124cf72fb

Download Submit
\Users\Admin\AppData\Roaming\Okaqlu\vohi.exe
Filesize
230KB

MD5
4b02b09f32cc63ca7180e37dbb41289b

SHA1
bc6bdae7c379fc1917f272d1eed69a8c2eec5a3f

SHA256
74a11beef83855b0508e5de91e82060d82ef4dc7c2c756cdd6453bafcbba5fb8

SHA512
e6f0eedcf332a021134b0a3a15e310321b235245b44927d7e3ca5505b98f03890b3ad25f0db250f94c2ed15849b21fb8a2f547f2a05d4d931e6ea79f478d8378

Download Submit
memory/1168-30-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1168-31-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1168-29-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1168-28-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1168-32-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1212-35-0x0000000001B70000-0x0000000001BA0000-memory.dmp

Filesize
192KB

Download
memory/1212-37-0x0000000001B70000-0x0000000001BA0000-memory.dmp

Filesize
192KB

Download
memory/1212-36-0x0000000001B70000-0x0000000001BA0000-memory.dmp

Filesize
192KB

Download
memory/1212-34-0x0000000001B70000-0x0000000001BA0000-memory.dmp

Filesize
192KB

Download
memory/1272-41-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1272-39-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1272-40-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1272-42-0x0000000002A50000-0x0000000002A80000-memory.dmp

Filesize
192KB

Download
memory/1496-505-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1496-506-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/1496-321-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/1496-331-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2196-45-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/2196-47-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/2196-49-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/2196-51-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/2504-318-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-71-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-59-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-7-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2504-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2504-57-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-58-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-55-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-54-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-60-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-63-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2504-65-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2504-64-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-67-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-69-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-5-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2504-73-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-75-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-77-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-79-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-81-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2504-229-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2504-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2504-269-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2504-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2504-19-0x0000000000470000-0x00000000004D4000-memory.dmp

Filesize
400KB

Download
memory/2504-317-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2504-13-0x0000000000470000-0x00000000004D4000-memory.dmp

Filesize
400KB

Download
memory/2504-1-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2504-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2700-25-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2700-276-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2700-56-0x0000000000390000-0x00000000003F4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads