e6171ffbc8e0cd50e6136464a37763fd748502030b62519867e4f9e994a83bc4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6d645b00bde814fd35edb3c07d72a80.exe
Size

125KB
MD5

d6d645b00bde814fd35edb3c07d72a80
SHA1

764781724b5af6d9f14cf4d0463271ea05358ce8
SHA256

e6171ffbc8e0cd50e6136464a37763fd748502030b62519867e4f9e994a83bc4
SHA512

227b00b51f90f3f196676fd010c3801062e07b110fd2aeb182e32c0000242dd7672fd4e49242b998706ddec084c13ba66588bcea521f021096eeaf6fb0840a2f
SSDEEP

3072:EJgwBIxhn+dz7diTqkGqcZBUPs7dHNnu3lAzyDJkluJfBd8l:EuwWx8fScnUPey1BtB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	Dmuvoa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Dmuvoa.exe	d6d645b00bde814fd35edb3c07d72a80.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Dmuvoa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Dmuvoa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6d645b00bde814fd35edb3c07d72a80.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6d645b00bde814fd35edb3c07d72a80.exe
File created	C:\Windows\Dmuvoa.exe	d6d645b00bde814fd35edb3c07d72a80.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main	Dmuvoa.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\International	Dmuvoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe
2984	Dmuvoa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2984	1988	d6d645b00bde814fd35edb3c07d72a80.exe	90
PID 1988 wrote to memory of 2984	1988	d6d645b00bde814fd35edb3c07d72a80.exe	90
PID 1988 wrote to memory of 2984	1988	d6d645b00bde814fd35edb3c07d72a80.exe	90

C:\Users\Admin\AppData\Local\Temp\d6d645b00bde814fd35edb3c07d72a80.exe
"C:\Users\Admin\AppData\Local\Temp\d6d645b00bde814fd35edb3c07d72a80.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\Dmuvoa.exe
  C:\Windows\Dmuvoa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Dmuvoa.exe

Filesize
125KB

MD5
d6d645b00bde814fd35edb3c07d72a80

SHA1
764781724b5af6d9f14cf4d0463271ea05358ce8

SHA256
e6171ffbc8e0cd50e6136464a37763fd748502030b62519867e4f9e994a83bc4

SHA512
227b00b51f90f3f196676fd010c3801062e07b110fd2aeb182e32c0000242dd7672fd4e49242b998706ddec084c13ba66588bcea521f021096eeaf6fb0840a2f

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
362B

MD5
68910acc33c78d38bfb6551436719bc5

SHA1
7f27c532dccf23cb8078f330913136416f1be483

SHA256
32dc01826c865846c2dd50cfa0fc3df9b5a6dee014577e1fcd62dd4d017c8457

SHA512
5cc0050bfb992aeae00e95d6001abb380c325ab735b68f66a34761dcb8a2b3dfc796e28ce97f608a0d991ade2874dc71fba500b0a80d49f0b94bba4fa05a9202

Download Submit
memory/1988-16602-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-0-0x0000000000510000-0x0000000000523000-memory.dmp

Filesize
76KB

Download
memory/1988-6824-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-6826-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/2984-25282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-69508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-10386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-33383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-41939-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-57502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-10388-0x00000000005A0000-0x00000000005CE000-memory.dmp

Filesize
184KB

Download
memory/2984-86045-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-102213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-118380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-135415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-135417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-135419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-135423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download