Overview
overview
10Static
static
1008751be484...2d.dll
windows7-x64
1008751be484...2d.dll
windows10-2004-x64
100a9f79abd4...51.exe
windows7-x64
30a9f79abd4...51.exe
windows10-2004-x64
30di3x.exe
windows7-x64
100di3x.exe
windows10-2004-x64
102019-09-02...10.exe
windows7-x64
102019-09-02...10.exe
windows10-2004-x64
102c01b00772...eb.exe
windows7-x64
72c01b00772...eb.exe
windows10-2004-x64
1031.exe
windows7-x64
1031.exe
windows10-2004-x64
103DMark 11 ...on.exe
windows7-x64
13DMark 11 ...on.exe
windows10-2004-x64
142f9729255...61.exe
windows7-x64
1042f9729255...61.exe
windows10-2004-x64
105da0116af4...18.exe
windows7-x64
75da0116af4...18.exe
windows10-2004-x64
1069c56d12ed...6b.exe
windows7-x64
1069c56d12ed...6b.exe
windows10-2004-x64
10905d572f23...50.exe
windows7-x64
10905d572f23...50.exe
windows10-2004-x64
10948340be97...54.exe
windows7-x64
10948340be97...54.exe
windows10-2004-x64
1095560f1a46...f9.dll
windows7-x64
195560f1a46...f9.dll
windows10-2004-x64
5Archive.zi...3e.exe
windows7-x64
8Archive.zi...3e.exe
windows10-2004-x64
8[email protected]
windows7-x64
4[email protected]
windows10-2004-x64
4[email protected]
windows7-x64
1[email protected]
windows10-2004-x64
1Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
03-07-2024 22:59
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
0di3x.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
0di3x.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
31.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
31.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240611-en
Behavioral task
behavioral16
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win7-20240220-en
Behavioral task
behavioral22
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win7-20240419-en
Behavioral task
behavioral24
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral27
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7-20240611-en
Behavioral task
behavioral28
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v2004-20240508-en
General
-
Target
2c01b007729230c415420ad641ad92eb.exe
-
Size
1.3MB
-
MD5
daef338f9c47d5394b7e1e60ce38d02d
-
SHA1
c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
-
SHA256
5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
-
SHA512
d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
-
SSDEEP
24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2532 odm.exe 1824 odm.exe -
Loads dropped DLL 5 IoCs
pid Process 2428 2c01b007729230c415420ad641ad92eb.exe 2428 2c01b007729230c415420ad641ad92eb.exe 2428 2c01b007729230c415420ad641ad92eb.exe 2428 2c01b007729230c415420ad641ad92eb.exe 2532 odm.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" odm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" RegSvcs.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1824 set thread context of 1720 1824 odm.exe 31 PID 1824 set thread context of 2024 1824 odm.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2532 odm.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe 2024 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2788 DllHost.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2428 wrote to memory of 2532 2428 2c01b007729230c415420ad641ad92eb.exe 29 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 2532 wrote to memory of 1824 2532 odm.exe 30 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 1720 1824 odm.exe 31 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32 PID 1824 wrote to memory of 2024 1824 odm.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Roaming\wou\odm.exe"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Roaming\wou\odm.exeC:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\FCBRN3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1720
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeC:\Users\Admin\AppData\Roaming\wou\FCBRN4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2024
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2788
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD59375872d82fbfe00eb4f6e608aa170d8
SHA1b6d6f7059c025075141293cc0c1f80c1063ef75b
SHA256a1b44347af8b2b2bf0409bb96e99f012035dc494ef44db409dbcd2bb726ff2e9
SHA512f05e7f8c5d4edc6c41c0a2e4c63492a8578a4ae44e093396214fe422b90bd6e6d5fc98e1d8c4ee2253845a8b1a0bf202cd27450f641a8261d7f660b26162b863
-
Filesize
1KB
MD5f6efac00916f3425d6079ae5a956df11
SHA13153abfe46186c1186882f67444c82c544615fb7
SHA2561e866a8f06f125fa1c439f9cb00199be827e74b87eae12368bd1e2cf7ab28728
SHA5120ba766d5816057941ad9afc80f7b20620b0120411357fe2b97ab0a425b32d4309396ed4866c8b23c92893ed68971c4a8a8c6f25ffa411ba0c70b602a63bd4743
-
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
Filesize
1.2MB
MD5a5f2dcee6a2a6047aa8fdde1ae2ce290
SHA17a082661c9a3431cd89ed4d9959178d60b9570f7
SHA2567da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625
SHA512e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a
-
Filesize
4B
MD5098f6bcd4621d373cade4e832627b4f6
SHA1a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA2569f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff
-
Filesize
16KB
MD56285049d1e4f854943856164652da8d8
SHA1f29c791ddb940be594bfb431eca7d4cb6d9e2688
SHA2560aeb7e8a131b53991567db463519ea005d41ddd1f227a744d4f7066805ce684f
SHA5122bb954a07f82c19b26d745ac19cd66e6eb82c525db0bd6e9e6880b0077465897d7fc49521d40361262c9dccdba4de6cead5b7d8dc09a9beaae2d668537097291