3dd7c774004ae61e5bb7303b2be797c43dfbb39d43c27d4257561b5f01782db3

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46cd6a7b40e34d40577c1e0b0d173e4.exe
Size

196KB
MD5

a46cd6a7b40e34d40577c1e0b0d173e4
SHA1

be0394249c2ded68be837dd65c4b8a0184f7aa68
SHA256

3dd7c774004ae61e5bb7303b2be797c43dfbb39d43c27d4257561b5f01782db3
SHA512

93c7d82d4dea602f145b6198c2c1fa55c5bb9ec2ebc8b86b3f5ebfb89d8ea34f866cf2113ecac833162dffe6db976f3c25712b3862a987b8b570c5093eec0af8
SSDEEP

3072:ymromSkSck90GHWhW/+1NHV/iG9om/GEUlGKUmUidR1W5FmVHF4lMknZ9PBAt:ghV0Zb1/rqSGvJUmpdR16cknZ9JG

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2580	loma.exe
3020	loma.exe
2972	loma.exe

Loads dropped DLL 4 IoCs

pid	Process
1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe
2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe
2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe
2580	loma.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C6585163-28D1-E209-95FE-8F18C756A686} = "C:\\Users\\Admin\\AppData\\Roaming\\Uczy\\loma.exe"	loma.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 2228 set thread context of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2580 set thread context of 3020	2580	loma.exe	31
PID 3020 set thread context of 2972	3020	loma.exe	33

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Privacy	loma.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	loma.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe
2972	loma.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe
Token: SeSecurityPrivilege	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe
Token: SeDebugPrivilege	2580	loma.exe
Token: SeSecurityPrivilege	3020	loma.exe
Token: SeSecurityPrivilege	3020	loma.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 1896 wrote to memory of 2228	1896	a46cd6a7b40e34d40577c1e0b0d173e4.exe	28
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2228 wrote to memory of 2324	2228	a46cd6a7b40e34d40577c1e0b0d173e4.exe	29
PID 2324 wrote to memory of 2580	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	30
PID 2324 wrote to memory of 2580	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	30
PID 2324 wrote to memory of 2580	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	30
PID 2324 wrote to memory of 2580	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	30
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2580 wrote to memory of 3020	2580	loma.exe	31
PID 2324 wrote to memory of 2508	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	32
PID 2324 wrote to memory of 2508	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	32
PID 2324 wrote to memory of 2508	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	32
PID 2324 wrote to memory of 2508	2324	a46cd6a7b40e34d40577c1e0b0d173e4.exe	32
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 3020 wrote to memory of 2972	3020	loma.exe	33
PID 2972 wrote to memory of 1124	2972	loma.exe	13
PID 2972 wrote to memory of 1124	2972	loma.exe	13
PID 2972 wrote to memory of 1124	2972	loma.exe	13
PID 2972 wrote to memory of 1124	2972	loma.exe	13
PID 2972 wrote to memory of 1124	2972	loma.exe	13
PID 2972 wrote to memory of 1240	2972	loma.exe	12
PID 2972 wrote to memory of 1240	2972	loma.exe	12
PID 2972 wrote to memory of 1240	2972	loma.exe	12
PID 2972 wrote to memory of 1240	2972	loma.exe	12
PID 2972 wrote to memory of 1240	2972	loma.exe	12
PID 2972 wrote to memory of 1272	2972	loma.exe	11
PID 2972 wrote to memory of 1272	2972	loma.exe	11
PID 2972 wrote to memory of 1272	2972	loma.exe	11
PID 2972 wrote to memory of 1272	2972	loma.exe	11
PID 2972 wrote to memory of 1272	2972	loma.exe	11
PID 2972 wrote to memory of 3020	2972	loma.exe	31
PID 2972 wrote to memory of 3020	2972	loma.exe	31
PID 2972 wrote to memory of 3020	2972	loma.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe
  "C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe
    "C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe
      "C:\Users\Admin\AppData\Local\Temp\a46cd6a7b40e34d40577c1e0b0d173e4.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Roaming\Uczy\loma.exe
        
        "C:\Users\Admin\AppData\Roaming\Uczy\loma.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Users\Admin\AppData\Roaming\Uczy\loma.exe
        
        "C:\Users\Admin\AppData\Roaming\Uczy\loma.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Uczy\loma.exe
        
        "C:\Users\Admin\AppData\Roaming\Uczy\loma.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp505a5529.bat"
        5⤵
        Deletes itself
        
        PID:2508

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp505a5529.bat

Filesize
243B

MD5
b8b0276c26af09af1e6457a7f2b286b1

SHA1
e19a04802cbe733a47910ff9c3c4a8c04d0c113c

SHA256
c35180f4688c2c55587c3697b52dac4c1d897ab47ae5d1d4a5be3e44a6c3a6f0

SHA512
dab1f2ae16688334445caba520d46a45386543e9474ccffecc35bfb4ab0ea6a93f02402e11bf1d949c2f22c068edda2e597017583f13ec66fcd0eaba151b1e31

Download Submit
C:\Users\Admin\AppData\Roaming\Huva\vekyu.pau

Filesize
340B

MD5
d67ffece39e234d9f907052a0ead1e60

SHA1
3144463ebf55e61e7c6a1b405562762d9d5f13d9

SHA256
9b84cf12ca26f0c4bf7400db2c6e519d120d5b43709cc460b144cc8405403f87

SHA512
67e4e38e92633adc1cf475c12a5059d990345acc5d207cf987f7630771bcd9ba84f3f79d550cbc6f27f12cff40c4aa06c1155903226d5f0cd276ab8f4af5ddd8

Download Submit
\Users\Admin\AppData\Local\Temp\vmEd2bdaVAiflgWSjhah36a.tmp

Filesize
3KB

MD5
c90cb999a81e4ec1acc46e32ec7096fe

SHA1
8ea6d6f89d22b15ad21aae205429e01b7b488dc3

SHA256
7041302235afb47611b5ab0d6563b09772ca085efe405937bdbf04971b8a852d

SHA512
7556eb8d14cc365a88a6fa1020a581335e99ebfffb81dde7d3c2dea51ddef47981825caa2b805a40933167f28872d5421d5510bc18efa3e73e310e4559c3b13a

Download Submit
\Users\Admin\AppData\Roaming\Uczy\loma.exe

Filesize
196KB

MD5
ad321dae06394fc77389d5120f4dc16b

SHA1
b50feed5a73a21e718b6d1ed55a6fbe468d86371

SHA256
b8f614a08d737ed5b4c119c0e0fb2ce15e64f3645f788b123bd4ef2f8df23206

SHA512
6aa0afa4183e219ec8b5298443ed3228d51b3628b3d43752293e15e54c40f6f22427e92a0a8e34c9bacae17c2756c4725c8d7ca216bee445d2ec9321aac8fff1

Download Submit
memory/2228-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2228-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2228-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2324-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-31-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-23-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-35-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-29-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-48-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-34-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2324-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-85-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-86-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-220-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3020-110-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/3020-112-0x0000000077850000-0x0000000077851000-memory.dmp

Filesize
4KB

Download
memory/3020-115-0x0000000077850000-0x0000000077851000-memory.dmp

Filesize
4KB

Download
memory/3020-195-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3020-200-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download