10da9cfc721819a55d159253469b7a88c803241d8eda417854d5348bbaf12d60

General

Target

tasks_188.vir.exe
Size

226KB
MD5

d36d308b43b5451c72203b2e0c99d9b0
SHA1

d34ff4e2491da20f2a982fa73d0d6ab9e2102b0b
SHA256

10da9cfc721819a55d159253469b7a88c803241d8eda417854d5348bbaf12d60
SHA512

07a2cfe21e62ecb8286edff7be2e9e20146354b491f8e202aee6189af490ec0591293da88e7d97d45ad4c693b09127278958631182ac265cfef45b553f8d1a66

Score

8^/10

evasion trojan persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1352	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winsec32.exeExplorer.EXEhytei.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Neleigeroz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tituam\\hytei.exe\""	winsec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hytei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neleigeroz = "C:\\Users\\Admin\\AppData\\Roaming\\Tituam\\hytei.exe"	hytei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hytei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winsec32.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neleigeroz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tituam\\hytei.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Neleigeroz = "C:\\Users\\Admin\\AppData\\Roaming\\Tituam\\hytei.exe"	hytei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neleigeroz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tituam\\hytei.exe\""	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hytei.exe

pid process

1364 hytei.exe
1364 hytei.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE

pid	process
1364	hytei.exe
1364	hytei.exe

pid	process
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hytei.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	hytei.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	hytei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hytei.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hytei.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hytei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	hytei.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hytei.exe

Drops file in Windows directory 1 IoCs

Processes:

tasks_188.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 715181976.job tasks_188.vir.exe
Executes dropped EXE 3 IoCs

Processes:

winsec32.exehytei.exehytei.exe

pid process

112 winsec32.exe
1100 hytei.exe
1364 hytei.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 715181976.job	tasks_188.vir.exe

pid	process
112	winsec32.exe
1100	hytei.exe
1364	hytei.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tasks_188.vir.exehytei.exehytei.exe

description	pid	process	target process
PID 1528 wrote to memory of 1100	1528	tasks_188.vir.exe	hytei.exe
PID 1528 wrote to memory of 1100	1528	tasks_188.vir.exe	hytei.exe
PID 1528 wrote to memory of 1100	1528	tasks_188.vir.exe	hytei.exe
PID 1528 wrote to memory of 1100	1528	tasks_188.vir.exe	hytei.exe
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1316	1100	hytei.exe	Explorer.EXE
PID 1100 wrote to memory of 1364	1100	hytei.exe	hytei.exe
PID 1100 wrote to memory of 1364	1100	hytei.exe	hytei.exe
PID 1100 wrote to memory of 1364	1100	hytei.exe	hytei.exe
PID 1100 wrote to memory of 1364	1100	hytei.exe	hytei.exe
PID 1528 wrote to memory of 1352	1528	tasks_188.vir.exe	cmd.exe
PID 1528 wrote to memory of 1352	1528	tasks_188.vir.exe	cmd.exe
PID 1528 wrote to memory of 1352	1528	tasks_188.vir.exe	cmd.exe
PID 1528 wrote to memory of 1352	1528	tasks_188.vir.exe	cmd.exe
PID 1364 wrote to memory of 1864	1364	hytei.exe	ctfmon.exe
PID 1364 wrote to memory of 1864	1364	hytei.exe	ctfmon.exe
PID 1364 wrote to memory of 1864	1364	hytei.exe	ctfmon.exe
PID 1364 wrote to memory of 1864	1364	hytei.exe	ctfmon.exe

Suspicious behavior: EnumeratesProcesses 82 IoCs

Processes:

hytei.exehytei.exe

pid	process
1100	hytei.exe
1100	hytei.exe
1100	hytei.exe
1100	hytei.exe
1100	hytei.exe
1100	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe
1364	hytei.exe

Drops file in System32 directory 2 IoCs

Processes:

tasks_188.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec32.exe	tasks_188.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec32.exe	tasks_188.vir.exe

Loads dropped DLL 1 IoCs

Processes:

tasks_188.vir.exe

pid process

1528 tasks_188.vir.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

hytei.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main hytei.exe

pid	process
1528	tasks_188.vir.exe

pid	process
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	hytei.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316

C:\Users\Admin\AppData\Local\Temp\tasks_188.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_188.vir.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Loads dropped DLL
PID:1528

C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe
"C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe"
3⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe
"C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe" -child
4⤵
- Suspicious use of SetWindowsHookEx
- Modifies system certificate store
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
PID:1364

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp49b6de75.bat"
3⤵
- Deletes itself
PID:1352

C:\Windows\SysWOW64\winsec32.exe
"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe"
1⤵
- Adds Run key to start application
- Executes dropped EXE
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp49b6de75.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FN2ZD4VC.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Tituam\hytei.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
\Users\Admin\AppData\Roaming\Tituam\hytei.exe

Download Submit
memory/1100-4-0x0000000000000000-mapping.dmp

Download
memory/1316-6-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1352-12-0x0000000000000000-mapping.dmp

Download
memory/1364-13-0x0000000000000000-mapping.dmp

Download
memory/1864-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads