b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7

General

Target

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
Size

135KB
MD5

9667507db2ef67dd8aa974f747d11c48
SHA1

74a869b20f433dc6d1df3cd5fff23db785c196c3
SHA256

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7
SHA512

4cf53dc70359078794173e0679761fd077401b8955cbf4d0b8c202b5e0d064e085dce56a558344813f682493409dd2fe3ae3c72b5359968a69400b70d6ac1379

Score

8^/10

spyware persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tiyg.exe

pid process

1676 tiyg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1920 cmd.exe

pid	process
1920	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe

pid	process
488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tiyg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\Currentversion\Run	tiyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\{31BFB48A-B873-C00D-606C-19070A5963F0} = "C:\\Users\\Admin\\AppData\\Roaming\\Insyy\\tiyg.exe"	tiyg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe

description pid process target process

PID 488 set thread context of 1920 488 b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe cmd.exe

description	pid	process	target process
PID 488 set thread context of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Privacy	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tiyg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	tiyg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	tiyg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	tiyg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	tiyg.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\71E32FB3-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

tiyg.exe

pid	process
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe
1676	tiyg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
Token: SeSecurityPrivilege	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
Token: SeSecurityPrivilege	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
Token: SeSecurityPrivilege	1920	cmd.exe
Token: SeManageVolumePrivilege	1100	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1100 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1100 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1100 WinMail.exe

pid	process
1100	WinMail.exe

pid	process
1100	WinMail.exe

pid	process
1100	WinMail.exe

Suspicious use of WriteProcessMemory 85 IoCs

Processes:

b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exenet.exenet.exetiyg.exenet.exenet.exe

description	pid	process	target process
PID 488 wrote to memory of 804	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 804	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 804	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 804	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 804 wrote to memory of 1084	804	net.exe	net1.exe
PID 804 wrote to memory of 1084	804	net.exe	net1.exe
PID 804 wrote to memory of 1084	804	net.exe	net1.exe
PID 804 wrote to memory of 1084	804	net.exe	net1.exe
PID 488 wrote to memory of 1052	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 1052	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 1052	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 488 wrote to memory of 1052	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	net.exe
PID 1052 wrote to memory of 1520	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1520	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1520	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1520	1052	net.exe	net1.exe
PID 488 wrote to memory of 1676	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	tiyg.exe
PID 488 wrote to memory of 1676	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	tiyg.exe
PID 488 wrote to memory of 1676	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	tiyg.exe
PID 488 wrote to memory of 1676	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	tiyg.exe
PID 1676 wrote to memory of 1252	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1252	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1252	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1252	1676	tiyg.exe	net.exe
PID 1252 wrote to memory of 1816	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1816	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1816	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1816	1252	net.exe	net1.exe
PID 1676 wrote to memory of 1828	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1828	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1828	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1828	1676	tiyg.exe	net.exe
PID 1676 wrote to memory of 1164	1676	tiyg.exe	taskhost.exe
PID 1676 wrote to memory of 1164	1676	tiyg.exe	taskhost.exe
PID 1676 wrote to memory of 1164	1676	tiyg.exe	taskhost.exe
PID 1676 wrote to memory of 1164	1676	tiyg.exe	taskhost.exe
PID 1676 wrote to memory of 1164	1676	tiyg.exe	taskhost.exe
PID 1676 wrote to memory of 1272	1676	tiyg.exe	Dwm.exe
PID 1676 wrote to memory of 1272	1676	tiyg.exe	Dwm.exe
PID 1676 wrote to memory of 1272	1676	tiyg.exe	Dwm.exe
PID 1676 wrote to memory of 1272	1676	tiyg.exe	Dwm.exe
PID 1676 wrote to memory of 1272	1676	tiyg.exe	Dwm.exe
PID 1676 wrote to memory of 1316	1676	tiyg.exe	Explorer.EXE
PID 1676 wrote to memory of 1316	1676	tiyg.exe	Explorer.EXE
PID 1676 wrote to memory of 1316	1676	tiyg.exe	Explorer.EXE
PID 1676 wrote to memory of 1316	1676	tiyg.exe	Explorer.EXE
PID 1676 wrote to memory of 1316	1676	tiyg.exe	Explorer.EXE
PID 1676 wrote to memory of 488	1676	tiyg.exe	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
PID 1676 wrote to memory of 488	1676	tiyg.exe	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
PID 1676 wrote to memory of 488	1676	tiyg.exe	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
PID 1676 wrote to memory of 488	1676	tiyg.exe	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
PID 1676 wrote to memory of 488	1676	tiyg.exe	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
PID 1828 wrote to memory of 1864	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1864	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1864	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1864	1828	net.exe	net1.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe
PID 488 wrote to memory of 1920	488	b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1164

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe
"C:\Users\Admin\AppData\Local\Temp\b05e4d408f5731b0bb0c194570a3c86a31ce291ec70b54e1e76ecd5bc9bee3f7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\net.exe
net stop wscsvc
3⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
4⤵
PID:1084

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:1520

C:\Users\Admin\AppData\Roaming\Insyy\tiyg.exe
"C:\Users\Admin\AppData\Roaming\Insyy\tiyg.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\net.exe
net stop wscsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
5⤵
PID:1816

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb16c1757.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14319505791220373902-7800447791430333131700568551845116318-15815766441706411194"
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpb16c1757.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Insyy\tiyg.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Insyy\tiyg.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Unvoi\kyri.boa

Download Submit
\Users\Admin\AppData\Roaming\Insyy\tiyg.exe

Download Submit
\Users\Admin\AppData\Roaming\Insyy\tiyg.exe

Download Submit
memory/804-0-0x0000000000000000-mapping.dmp

Download
memory/1052-2-0x0000000000000000-mapping.dmp

Download
memory/1084-1-0x0000000000000000-mapping.dmp

Download
memory/1100-53-0x0000000003D30000-0x0000000003D32000-memory.dmp

Filesize
8KB

Download
memory/1100-43-0x00000000042C0000-0x00000000042C2000-memory.dmp

Filesize
8KB

Download
memory/1100-73-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/1100-67-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1100-66-0x00000000039E0000-0x0000000003AE0000-memory.dmp

Filesize
1024KB

Download
memory/1100-65-0x00000000038E0000-0x0000000003AE0000-memory.dmp

Filesize
2.0MB

Download
memory/1100-64-0x00000000040C0000-0x00000000040C2000-memory.dmp

Filesize
8KB

Download
memory/1100-18-0x000007FEF78F0000-0x000007FEF7B6A000-memory.dmp

Filesize
2.5MB

Download
memory/1100-19-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1100-21-0x00000000038E0000-0x0000000003AE0000-memory.dmp

Filesize
2.0MB

Download
memory/1100-23-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1100-24-0x00000000038E0000-0x0000000003AE0000-memory.dmp

Filesize
2.0MB

Download
memory/1100-25-0x00000000039E0000-0x0000000003AE0000-memory.dmp

Filesize
1024KB

Download
memory/1100-29-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/1100-30-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1100-31-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1100-32-0x0000000003D50000-0x0000000003D52000-memory.dmp

Filesize
8KB

Download
memory/1100-33-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1100-34-0x0000000003FD0000-0x0000000003FD2000-memory.dmp

Filesize
8KB

Download
memory/1100-35-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1100-36-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1100-37-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1100-38-0x0000000003D70000-0x0000000003D72000-memory.dmp

Filesize
8KB

Download
memory/1100-39-0x00000000041A0000-0x00000000041A2000-memory.dmp

Filesize
8KB

Download
memory/1100-40-0x00000000042B0000-0x00000000042B2000-memory.dmp

Filesize
8KB

Download
memory/1100-41-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1100-42-0x0000000003DD0000-0x0000000003DD2000-memory.dmp

Filesize
8KB

Download
memory/1100-63-0x00000000040B0000-0x00000000040B2000-memory.dmp

Filesize
8KB

Download
memory/1100-44-0x0000000003D30000-0x0000000003D32000-memory.dmp

Filesize
8KB

Download
memory/1100-45-0x0000000003D50000-0x0000000003D52000-memory.dmp

Filesize
8KB

Download
memory/1100-46-0x0000000003D70000-0x0000000003D72000-memory.dmp

Filesize
8KB

Download
memory/1100-47-0x00000000041A0000-0x00000000041A2000-memory.dmp

Filesize
8KB

Download
memory/1100-62-0x00000000040A0000-0x00000000040A2000-memory.dmp

Filesize
8KB

Download
memory/1100-61-0x0000000003D40000-0x0000000003D42000-memory.dmp

Filesize
8KB

Download
memory/1100-50-0x0000000003D50000-0x0000000003D52000-memory.dmp

Filesize
8KB

Download
memory/1100-51-0x0000000003D70000-0x0000000003D72000-memory.dmp

Filesize
8KB

Download
memory/1100-52-0x00000000042B0000-0x00000000042B2000-memory.dmp

Filesize
8KB

Download
memory/1100-60-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1100-54-0x00000000041A0000-0x00000000041A2000-memory.dmp

Filesize
8KB

Download
memory/1100-55-0x0000000003B60000-0x0000000003B62000-memory.dmp

Filesize
8KB

Download
memory/1100-56-0x0000000003D40000-0x0000000003D42000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x0000000003D70000-0x0000000003D72000-memory.dmp

Filesize
8KB

Download
memory/1100-58-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/1100-59-0x0000000003FC0000-0x0000000003FC2000-memory.dmp

Filesize
8KB

Download
memory/1252-8-0x0000000000000000-mapping.dmp

Download
memory/1520-3-0x0000000000000000-mapping.dmp

Download
memory/1636-16-0x000007FEF78F0000-0x000007FEF7B6A000-memory.dmp

Filesize
2.5MB

Download
memory/1676-6-0x0000000000000000-mapping.dmp

Download
memory/1816-9-0x0000000000000000-mapping.dmp

Download
memory/1828-10-0x0000000000000000-mapping.dmp

Download
memory/1864-12-0x0000000000000000-mapping.dmp

Download
memory/1920-17-0x0000000073470000-0x0000000073613000-memory.dmp

Filesize
1.6MB

Download
memory/1920-14-0x000000000005A9DB-mapping.dmp

Download
memory/1920-13-0x0000000000050000-0x0000000000078000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads