Analysis
- Max time kernel: 133s
- Resource: win7v191014
- Submitted: 27-01-2020 17:27
- Task: task1
- Sample: 444444.png.exe
Signatures
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\aujweoyj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ekpgnmoza\\zytkuh.exe\"" (explorer.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 316 444444.png.exe
- 1088 444444.png.exe
- 1108 zytkuh.exe
- 2004 zytkuh.exe
- 1968 explorer.exe
- 1952 444444.png.exe
- 1220 zytkuh.exe
- 520 zytkuh.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description; source pid and process -> target process):
- PID 316 wrote to memory of 1088; 444444.png.exe -> 444444.png.exe
- PID 316 wrote to memory of 1108; 444444.png.exe -> zytkuh.exe
- PID 316 wrote to memory of 1104; 444444.png.exe -> schtasks.exe
- PID 1108 wrote to memory of 2004; zytkuh.exe -> zytkuh.exe
- PID 1108 wrote to memory of 1968; zytkuh.exe -> explorer.exe
- PID 836 wrote to memory of 1952; taskeng.exe -> 444444.png.exe
- PID 1952 wrote to memory of 1900; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1148; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 2028; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1832; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1264; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1964; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1104; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1100; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1352; 444444.png.exe -> reg.exe
- PID 1952 wrote to memory of 1220; 444444.png.exe -> zytkuh.exe
- PID 1220 wrote to memory of 520; zytkuh.exe -> zytkuh.exe
- PID 1952 wrote to memory of 988; 444444.png.exe -> cmd.exe
- PID 1952 wrote to memory of 1128; 444444.png.exe -> schtasks.exe
Turn off Windows Defender SpyNet reporting (6 IoCs)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" (reg.exe)
Windows security bypass
Processes (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza = "0" (reg.exe)
Loads dropped DLL (1 IoC)
Processes (pid, process):
- 316 444444.png.exe
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 1108 zytkuh.exe
- 2004 zytkuh.exe
- 1220 zytkuh.exe
- 520 zytkuh.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid, process):
- 1108 zytkuh.exe
Windows security modification
Processes (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet (reg.exe)
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\444444.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Executes dropped EXE; Suspicious behavior: MapViewOfSection
    - C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe /C
      Signatures: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      Signatures: Adds Run entry to start application; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nulffedj /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I nulffedj" /SC ONCE /Z /ST 18:29 /ET 18:41
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1917106-BE34-4D49-9738-E2B89A2336B6} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I nulffedj
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Signatures: Turn off Windows Defender SpyNet reporting; Windows security modification
    - C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza" /d "0"
      Signatures: Windows security bypass
    - C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe /C
        Signatures: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
      - C:\Windows\system32\PING.EXE
        Command line: ping.exe -n 6 127.0.0.1
        Signatures: Runs ping.exe
    - C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN nulffedj
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
- \Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
- memory/520-9-0x00000000023A0000-0x00000000023B1000-memory.dmp (filesize 68KB)
- memory/1088-0-0x0000000002230000-0x0000000002241000-memory.dmp (filesize 68KB)
- memory/1108-5-0x0000000000530000-0x000000000056B000-memory.dmp (filesize 236KB)
- memory/2004-4-0x00000000022F0000-0x0000000002301000-memory.dmp (filesize 68KB)