26da38192a595e7c444ed150dfea0671156f3721e8c0ba4608afe405f62c5525

General

Target

uncategorized_3.0.0.5.vir.exe
Size

285KB
MD5

ab487e4eb8eddcac9fd6bcec1abdc026
SHA1

250b7c4e03094da5b2bb8cd49ba57065ce188bc7
SHA256

26da38192a595e7c444ed150dfea0671156f3721e8c0ba4608afe405f62c5525
SHA512

397fefa08d47c50f3c6640d14f0df4a693e290d7ce33a18589cf9d1c23831775e4cbbf0e18ff6a6ef7b9631399d801698ee8ed8cfaa5f424c9a8348dfc421de1

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

uncategorized_3.0.0.5.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1256	uncategorized_3.0.0.5.vir.exe
Token: SeSecurityPrivilege	1256	uncategorized_3.0.0.5.vir.exe
Token: SeSecurityPrivilege	1256	uncategorized_3.0.0.5.vir.exe

Loads dropped DLL 1 IoCs

Processes:

uncategorized_3.0.0.5.vir.exe

pid process

1256 uncategorized_3.0.0.5.vir.exe
Executes dropped EXE 2 IoCs

Processes:

syozq.exesyozq.exe

pid process

316 syozq.exe
796 syozq.exe

pid	process
1256	uncategorized_3.0.0.5.vir.exe

pid	process
316	syozq.exe
796	syozq.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

uncategorized_3.0.0.5.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	uncategorized_3.0.0.5.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	uncategorized_3.0.0.5.vir.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

uncategorized_3.0.0.5.vir.exesyozq.exesyozq.exe

pid	process
1100	uncategorized_3.0.0.5.vir.exe
1100	uncategorized_3.0.0.5.vir.exe
316	syozq.exe
316	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe
796	syozq.exe

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

uncategorized_3.0.0.5.vir.exeuncategorized_3.0.0.5.vir.exesyozq.exesyozq.exe

description	pid	process	target process
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1100 wrote to memory of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 1256 wrote to memory of 316	1256	uncategorized_3.0.0.5.vir.exe	syozq.exe
PID 1256 wrote to memory of 316	1256	uncategorized_3.0.0.5.vir.exe	syozq.exe
PID 1256 wrote to memory of 316	1256	uncategorized_3.0.0.5.vir.exe	syozq.exe
PID 1256 wrote to memory of 316	1256	uncategorized_3.0.0.5.vir.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 316 wrote to memory of 796	316	syozq.exe	syozq.exe
PID 796 wrote to memory of 1124	796	syozq.exe	taskhost.exe
PID 796 wrote to memory of 1124	796	syozq.exe	taskhost.exe
PID 796 wrote to memory of 1124	796	syozq.exe	taskhost.exe
PID 796 wrote to memory of 1124	796	syozq.exe	taskhost.exe
PID 796 wrote to memory of 1124	796	syozq.exe	taskhost.exe
PID 796 wrote to memory of 1212	796	syozq.exe	Dwm.exe
PID 796 wrote to memory of 1212	796	syozq.exe	Dwm.exe
PID 796 wrote to memory of 1212	796	syozq.exe	Dwm.exe
PID 796 wrote to memory of 1212	796	syozq.exe	Dwm.exe
PID 796 wrote to memory of 1212	796	syozq.exe	Dwm.exe
PID 796 wrote to memory of 1264	796	syozq.exe	Explorer.EXE
PID 796 wrote to memory of 1264	796	syozq.exe	Explorer.EXE
PID 796 wrote to memory of 1264	796	syozq.exe	Explorer.EXE
PID 796 wrote to memory of 1264	796	syozq.exe	Explorer.EXE
PID 796 wrote to memory of 1264	796	syozq.exe	Explorer.EXE
PID 796 wrote to memory of 1256	796	syozq.exe	uncategorized_3.0.0.5.vir.exe
PID 796 wrote to memory of 1256	796	syozq.exe	uncategorized_3.0.0.5.vir.exe
PID 796 wrote to memory of 1256	796	syozq.exe	uncategorized_3.0.0.5.vir.exe
PID 796 wrote to memory of 1256	796	syozq.exe	uncategorized_3.0.0.5.vir.exe
PID 796 wrote to memory of 1256	796	syozq.exe	uncategorized_3.0.0.5.vir.exe
PID 1256 wrote to memory of 604	1256	uncategorized_3.0.0.5.vir.exe	cmd.exe
PID 1256 wrote to memory of 604	1256	uncategorized_3.0.0.5.vir.exe	cmd.exe
PID 1256 wrote to memory of 604	1256	uncategorized_3.0.0.5.vir.exe	cmd.exe
PID 1256 wrote to memory of 604	1256	uncategorized_3.0.0.5.vir.exe	cmd.exe
PID 796 wrote to memory of 604	796	syozq.exe	cmd.exe
PID 796 wrote to memory of 604	796	syozq.exe	cmd.exe
PID 796 wrote to memory of 604	796	syozq.exe	cmd.exe
PID 796 wrote to memory of 604	796	syozq.exe	cmd.exe
PID 796 wrote to memory of 604	796	syozq.exe	cmd.exe
PID 796 wrote to memory of 1048	796	syozq.exe	conhost.exe
PID 796 wrote to memory of 1048	796	syozq.exe	conhost.exe
PID 796 wrote to memory of 1048	796	syozq.exe	conhost.exe
PID 796 wrote to memory of 1048	796	syozq.exe	conhost.exe
PID 796 wrote to memory of 1048	796	syozq.exe	conhost.exe
PID 796 wrote to memory of 1580	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1580	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1580	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1580	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1580	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1872	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1872	796	syozq.exe	DllHost.exe
PID 796 wrote to memory of 1872	796	syozq.exe	DllHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

uncategorized_3.0.0.5.vir.exesyozq.exe

description	pid	process	target process
PID 1100 set thread context of 1256	1100	uncategorized_3.0.0.5.vir.exe	uncategorized_3.0.0.5.vir.exe
PID 316 set thread context of 796	316	syozq.exe	syozq.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

604 cmd.exe

pid	process
604	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

syozq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9A95E218-179F-213C-BBEE-F5356BF1E87C} = "C:\\Users\\Admin\\AppData\\Roaming\\Utoz\\syozq.exe"	syozq.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	syozq.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.5.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.5.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1100

C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.5.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.5.vir.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe
"C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:316

C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe
"C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6ab99bd3.bat"
4⤵
- Deletes itself
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6671988402045116353-287331403-1710238482-2034463985537686513-8363061801397798297"
1⤵
PID:1048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6ab99bd3.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Gohu\guavo.yla

Download Submit
C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Utoz\syozq.exe

Download Submit
\Users\Admin\AppData\Roaming\Utoz\syozq.exe

Download Submit
memory/316-4-0x0000000000000000-mapping.dmp

Download
memory/604-12-0x0000000000000000-mapping.dmp

Download
memory/604-13-0x0000000000000000-mapping.dmp

Download
memory/796-7-0x0000000000419308-mapping.dmp

Download
memory/1256-11-0x0000000000419308-mapping.dmp

Download
memory/1256-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1256-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1256-1-0x0000000000419308-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads