b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d

General

Target

SKM_454e20070310530.scr
Size

809KB
MD5

f5b3048dd2e673f152d32b45a627f75a
SHA1

231899877604d50a2692781358f090f0fdd21c62
SHA256

b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
SHA512

36d5ee0eeb2472fd5f61ce34906f4b17ae64b609262009e5548697911216aa31f139cf95739cbbbb4036b9ff07de7135cb4bf990b7985e99c6cd6e4ade76c130

Score

8^/10

evasion persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

SKM_454e20070310530.scrufynakmodi.exe

pid process

1232 SKM_454e20070310530.scr
1232 SKM_454e20070310530.scr
3584 ufynakmodi.exe
3584 ufynakmodi.exe
Executes dropped EXE 2 IoCs

Processes:

ufynakmodi.exeufynakmodi.exe

pid process

3528 ufynakmodi.exe
3584 ufynakmodi.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2160 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

956 ipconfig.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Runs net.exe

pid	process
1232	SKM_454e20070310530.scr
1232	SKM_454e20070310530.scr
3584	ufynakmodi.exe
3584	ufynakmodi.exe

pid	process
3528	ufynakmodi.exe
3584	ufynakmodi.exe

pid	process
2160	tasklist.exe

pid	process
956	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 70 IoCs

Processes:

SKM_454e20070310530.scrSKM_454e20070310530.scrufynakmodi.exeufynakmodi.exe

pid	process
720	SKM_454e20070310530.scr
720	SKM_454e20070310530.scr
1232	SKM_454e20070310530.scr
1232	SKM_454e20070310530.scr
3528	ufynakmodi.exe
3528	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe
3584	ufynakmodi.exe

Suspicious use of WriteProcessMemory 83 IoCs

Processes:

SKM_454e20070310530.scrSKM_454e20070310530.scrufynakmodi.exeufynakmodi.execmd.exe

description	pid	process	target process
PID 720 wrote to memory of 1232	720	SKM_454e20070310530.scr	SKM_454e20070310530.scr
PID 720 wrote to memory of 1232	720	SKM_454e20070310530.scr	SKM_454e20070310530.scr
PID 720 wrote to memory of 1232	720	SKM_454e20070310530.scr	SKM_454e20070310530.scr
PID 1232 wrote to memory of 3528	1232	SKM_454e20070310530.scr	ufynakmodi.exe
PID 1232 wrote to memory of 3528	1232	SKM_454e20070310530.scr	ufynakmodi.exe
PID 1232 wrote to memory of 3528	1232	SKM_454e20070310530.scr	ufynakmodi.exe
PID 3528 wrote to memory of 3584	3528	ufynakmodi.exe	ufynakmodi.exe
PID 3528 wrote to memory of 3584	3528	ufynakmodi.exe	ufynakmodi.exe
PID 3528 wrote to memory of 3584	3528	ufynakmodi.exe	ufynakmodi.exe
PID 1232 wrote to memory of 3872	1232	SKM_454e20070310530.scr	cmd.exe
PID 1232 wrote to memory of 3872	1232	SKM_454e20070310530.scr	cmd.exe
PID 1232 wrote to memory of 3872	1232	SKM_454e20070310530.scr	cmd.exe
PID 3584 wrote to memory of 2660	3584	ufynakmodi.exe	sihost.exe
PID 3584 wrote to memory of 2660	3584	ufynakmodi.exe	sihost.exe
PID 3584 wrote to memory of 2660	3584	ufynakmodi.exe	sihost.exe
PID 3584 wrote to memory of 2660	3584	ufynakmodi.exe	sihost.exe
PID 3584 wrote to memory of 2660	3584	ufynakmodi.exe	sihost.exe
PID 3584 wrote to memory of 2672	3584	ufynakmodi.exe	svchost.exe
PID 3584 wrote to memory of 2672	3584	ufynakmodi.exe	svchost.exe
PID 3584 wrote to memory of 2672	3584	ufynakmodi.exe	svchost.exe
PID 3584 wrote to memory of 2672	3584	ufynakmodi.exe	svchost.exe
PID 3584 wrote to memory of 2672	3584	ufynakmodi.exe	svchost.exe
PID 3584 wrote to memory of 2808	3584	ufynakmodi.exe	taskhostw.exe
PID 3584 wrote to memory of 2808	3584	ufynakmodi.exe	taskhostw.exe
PID 3584 wrote to memory of 2808	3584	ufynakmodi.exe	taskhostw.exe
PID 3584 wrote to memory of 2808	3584	ufynakmodi.exe	taskhostw.exe
PID 3584 wrote to memory of 2808	3584	ufynakmodi.exe	taskhostw.exe
PID 3584 wrote to memory of 2984	3584	ufynakmodi.exe	Explorer.EXE
PID 3584 wrote to memory of 2984	3584	ufynakmodi.exe	Explorer.EXE
PID 3584 wrote to memory of 2984	3584	ufynakmodi.exe	Explorer.EXE
PID 3584 wrote to memory of 2984	3584	ufynakmodi.exe	Explorer.EXE
PID 3584 wrote to memory of 2984	3584	ufynakmodi.exe	Explorer.EXE
PID 3584 wrote to memory of 3136	3584	ufynakmodi.exe	ShellExperienceHost.exe
PID 3584 wrote to memory of 3136	3584	ufynakmodi.exe	ShellExperienceHost.exe
PID 3584 wrote to memory of 3136	3584	ufynakmodi.exe	ShellExperienceHost.exe
PID 3584 wrote to memory of 3136	3584	ufynakmodi.exe	ShellExperienceHost.exe
PID 3584 wrote to memory of 3136	3584	ufynakmodi.exe	ShellExperienceHost.exe
PID 3584 wrote to memory of 3148	3584	ufynakmodi.exe	SearchUI.exe
PID 3584 wrote to memory of 3148	3584	ufynakmodi.exe	SearchUI.exe
PID 3584 wrote to memory of 3148	3584	ufynakmodi.exe	SearchUI.exe
PID 3584 wrote to memory of 3148	3584	ufynakmodi.exe	SearchUI.exe
PID 3584 wrote to memory of 3148	3584	ufynakmodi.exe	SearchUI.exe
PID 3584 wrote to memory of 3376	3584	ufynakmodi.exe	RuntimeBroker.exe
PID 3584 wrote to memory of 3376	3584	ufynakmodi.exe	RuntimeBroker.exe
PID 3584 wrote to memory of 3376	3584	ufynakmodi.exe	RuntimeBroker.exe
PID 3584 wrote to memory of 3376	3584	ufynakmodi.exe	RuntimeBroker.exe
PID 3584 wrote to memory of 3376	3584	ufynakmodi.exe	RuntimeBroker.exe
PID 3584 wrote to memory of 3600	3584	ufynakmodi.exe	DllHost.exe
PID 3584 wrote to memory of 3600	3584	ufynakmodi.exe	DllHost.exe
PID 3584 wrote to memory of 3600	3584	ufynakmodi.exe	DllHost.exe
PID 3584 wrote to memory of 3600	3584	ufynakmodi.exe	DllHost.exe
PID 3584 wrote to memory of 3600	3584	ufynakmodi.exe	DllHost.exe
PID 3584 wrote to memory of 3836	3584	ufynakmodi.exe	backgroundTaskHost.exe
PID 3584 wrote to memory of 3836	3584	ufynakmodi.exe	backgroundTaskHost.exe
PID 3584 wrote to memory of 3836	3584	ufynakmodi.exe	backgroundTaskHost.exe
PID 3584 wrote to memory of 3836	3584	ufynakmodi.exe	backgroundTaskHost.exe
PID 3584 wrote to memory of 3836	3584	ufynakmodi.exe	backgroundTaskHost.exe
PID 3584 wrote to memory of 3388	3584	ufynakmodi.exe	cmd.exe
PID 3584 wrote to memory of 3388	3584	ufynakmodi.exe	cmd.exe
PID 3584 wrote to memory of 3388	3584	ufynakmodi.exe	cmd.exe
PID 3388 wrote to memory of 2208	3388	cmd.exe	HOSTNAME.EXE
PID 3388 wrote to memory of 2208	3388	cmd.exe	HOSTNAME.EXE
PID 3388 wrote to memory of 2208	3388	cmd.exe	HOSTNAME.EXE
PID 3388 wrote to memory of 956	3388	cmd.exe	ipconfig.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

SKM_454e20070310530.scrufynakmodi.exe

pid process

720 SKM_454e20070310530.scr
3528 ufynakmodi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SKM_454e20070310530.scrufynakmodi.exe

description	pid	process	target process
PID 720 set thread context of 1232	720	SKM_454e20070310530.scr	SKM_454e20070310530.scr
PID 3528 set thread context of 3584	3528	ufynakmodi.exe	ufynakmodi.exe

Suspicious use of AdjustPrivilegeToken 1443 IoCs

Processes:

SKM_454e20070310530.scrufynakmodi.exetasklist.exe

description	pid	process
Token: SeSecurityPrivilege	1232	SKM_454e20070310530.scr
Token: SeSecurityPrivilege	1232	SKM_454e20070310530.scr
Token: SeSecurityPrivilege	1232	SKM_454e20070310530.scr
Token: SeSecurityPrivilege	1232	SKM_454e20070310530.scr
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeDebugPrivilege	2160	tasklist.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe
Token: SeSecurityPrivilege	3584	ufynakmodi.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ufynakmodi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Woyxabc = "C:\\Users\\Admin\\AppData\\Roaming\\Biugfyqunu\\ufynakmodi.exe"	ufynakmodi.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	ufynakmodi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run	ufynakmodi.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2672

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2808

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr
"C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr" /S
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:720

C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr
"C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr" /S
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
"C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3528

C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
"C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe"
5⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
PID:3584

C:\Windows\SysWOW64\cmd.exe
cmd.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\HOSTNAME.EXE
hostname
7⤵
PID:2208

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
7⤵
- Gathers network information
PID:956

C:\Windows\SysWOW64\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
7⤵
PID:980

C:\Windows\SysWOW64\net.exe
net share
7⤵
PID:724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
8⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a775f43.bat"
4⤵
PID:3872

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3136

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3600

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3836

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6a775f43.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmpE5DB.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpE5FC.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF424.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF444.tmp

Download Submit
memory/724-21-0x0000000000000000-mapping.dmp

Download
memory/956-18-0x0000000000000000-mapping.dmp

Download
memory/980-20-0x0000000000000000-mapping.dmp

Download
memory/1232-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1232-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1232-1-0x000000000043F4D4-mapping.dmp

Download
memory/2160-19-0x0000000000000000-mapping.dmp

Download
memory/2208-17-0x0000000000000000-mapping.dmp

Download
memory/3388-16-0x0000000000000000-mapping.dmp

Download
memory/3528-5-0x0000000000000000-mapping.dmp

Download
memory/3584-9-0x000000000043F4D4-mapping.dmp

Download
memory/3680-22-0x0000000000000000-mapping.dmp

Download
memory/3872-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads