2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c

General

Target

Commercial Invoice & PL - TWNYC3469342.scr
Size

787KB
MD5

cc41e556572c9bf5ba045f89198f7b98
SHA1

47f2431463872774d27e3ce89999bc69b0fdab2f
SHA256

2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
SHA512

72391718a6e316bf8e72a2f2dfb4b5d889034c2300307562d4548ef6be896632eb23f0203f69c2b93a01bdb154ce8ba2512b0bc4aa832acea028f6d283428525

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

otrudoedade.exeotrudoedade.exe

pid process

3168 otrudoedade.exe
3176 otrudoedade.exe
Loads dropped DLL 4 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrotrudoedade.exe

pid process

3952 Commercial Invoice & PL - TWNYC3469342.scr
3952 Commercial Invoice & PL - TWNYC3469342.scr
3176 otrudoedade.exe
3176 otrudoedade.exe

pid	process
3168	otrudoedade.exe
3176	otrudoedade.exe

pid	process
3952	Commercial Invoice & PL - TWNYC3469342.scr
3952	Commercial Invoice & PL - TWNYC3469342.scr
3176	otrudoedade.exe
3176	otrudoedade.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

otrudoedade.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	otrudoedade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run	otrudoedade.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wosahu = "C:\\Users\\Admin\\AppData\\Roaming\\Wyaryphioma\\otrudoedade.exe"	otrudoedade.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrotrudoedade.exe

description	pid	process	target process
PID 2484 set thread context of 3952	2484	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 3168 set thread context of 3176	3168	otrudoedade.exe	otrudoedade.exe

Suspicious behavior: EnumeratesProcesses 68 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrCommercial Invoice & PL - TWNYC3469342.scrotrudoedade.exeotrudoedade.exe

pid	process
2484	Commercial Invoice & PL - TWNYC3469342.scr
2484	Commercial Invoice & PL - TWNYC3469342.scr
3952	Commercial Invoice & PL - TWNYC3469342.scr
3952	Commercial Invoice & PL - TWNYC3469342.scr
3168	otrudoedade.exe
3168	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe
3176	otrudoedade.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrotrudoedade.exe

pid process

2484 Commercial Invoice & PL - TWNYC3469342.scr
3168 otrudoedade.exe

Suspicious use of AdjustPrivilegeToken 1398 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrotrudoedade.exe

description	pid	process
Token: SeSecurityPrivilege	3952	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	3952	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	3952	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	3952	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe
Token: SeSecurityPrivilege	3176	otrudoedade.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrCommercial Invoice & PL - TWNYC3469342.scrotrudoedade.exeotrudoedade.exe

description	pid	process	target process
PID 2484 wrote to memory of 3952	2484	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 2484 wrote to memory of 3952	2484	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 2484 wrote to memory of 3952	2484	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 3952 wrote to memory of 3168	3952	Commercial Invoice & PL - TWNYC3469342.scr	otrudoedade.exe
PID 3952 wrote to memory of 3168	3952	Commercial Invoice & PL - TWNYC3469342.scr	otrudoedade.exe
PID 3952 wrote to memory of 3168	3952	Commercial Invoice & PL - TWNYC3469342.scr	otrudoedade.exe
PID 3168 wrote to memory of 3176	3168	otrudoedade.exe	otrudoedade.exe
PID 3168 wrote to memory of 3176	3168	otrudoedade.exe	otrudoedade.exe
PID 3168 wrote to memory of 3176	3168	otrudoedade.exe	otrudoedade.exe
PID 3952 wrote to memory of 2976	3952	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 3952 wrote to memory of 2976	3952	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 3952 wrote to memory of 2976	3952	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 3176 wrote to memory of 2336	3176	otrudoedade.exe	sihost.exe
PID 3176 wrote to memory of 2336	3176	otrudoedade.exe	sihost.exe
PID 3176 wrote to memory of 2336	3176	otrudoedade.exe	sihost.exe
PID 3176 wrote to memory of 2336	3176	otrudoedade.exe	sihost.exe
PID 3176 wrote to memory of 2336	3176	otrudoedade.exe	sihost.exe
PID 3176 wrote to memory of 2344	3176	otrudoedade.exe	svchost.exe
PID 3176 wrote to memory of 2344	3176	otrudoedade.exe	svchost.exe
PID 3176 wrote to memory of 2344	3176	otrudoedade.exe	svchost.exe
PID 3176 wrote to memory of 2344	3176	otrudoedade.exe	svchost.exe
PID 3176 wrote to memory of 2344	3176	otrudoedade.exe	svchost.exe
PID 3176 wrote to memory of 2436	3176	otrudoedade.exe	taskhostw.exe
PID 3176 wrote to memory of 2436	3176	otrudoedade.exe	taskhostw.exe
PID 3176 wrote to memory of 2436	3176	otrudoedade.exe	taskhostw.exe
PID 3176 wrote to memory of 2436	3176	otrudoedade.exe	taskhostw.exe
PID 3176 wrote to memory of 2436	3176	otrudoedade.exe	taskhostw.exe
PID 3176 wrote to memory of 2876	3176	otrudoedade.exe	Explorer.EXE
PID 3176 wrote to memory of 2876	3176	otrudoedade.exe	Explorer.EXE
PID 3176 wrote to memory of 2876	3176	otrudoedade.exe	Explorer.EXE
PID 3176 wrote to memory of 2876	3176	otrudoedade.exe	Explorer.EXE
PID 3176 wrote to memory of 2876	3176	otrudoedade.exe	Explorer.EXE
PID 3176 wrote to memory of 3264	3176	otrudoedade.exe	ShellExperienceHost.exe
PID 3176 wrote to memory of 3264	3176	otrudoedade.exe	ShellExperienceHost.exe
PID 3176 wrote to memory of 3264	3176	otrudoedade.exe	ShellExperienceHost.exe
PID 3176 wrote to memory of 3264	3176	otrudoedade.exe	ShellExperienceHost.exe
PID 3176 wrote to memory of 3264	3176	otrudoedade.exe	ShellExperienceHost.exe
PID 3176 wrote to memory of 3276	3176	otrudoedade.exe	SearchUI.exe
PID 3176 wrote to memory of 3276	3176	otrudoedade.exe	SearchUI.exe
PID 3176 wrote to memory of 3276	3176	otrudoedade.exe	SearchUI.exe
PID 3176 wrote to memory of 3276	3176	otrudoedade.exe	SearchUI.exe
PID 3176 wrote to memory of 3276	3176	otrudoedade.exe	SearchUI.exe
PID 3176 wrote to memory of 3488	3176	otrudoedade.exe	RuntimeBroker.exe
PID 3176 wrote to memory of 3488	3176	otrudoedade.exe	RuntimeBroker.exe
PID 3176 wrote to memory of 3488	3176	otrudoedade.exe	RuntimeBroker.exe
PID 3176 wrote to memory of 3488	3176	otrudoedade.exe	RuntimeBroker.exe
PID 3176 wrote to memory of 3488	3176	otrudoedade.exe	RuntimeBroker.exe
PID 3176 wrote to memory of 3744	3176	otrudoedade.exe	DllHost.exe
PID 3176 wrote to memory of 3744	3176	otrudoedade.exe	DllHost.exe
PID 3176 wrote to memory of 3744	3176	otrudoedade.exe	DllHost.exe
PID 3176 wrote to memory of 3744	3176	otrudoedade.exe	DllHost.exe
PID 3176 wrote to memory of 3744	3176	otrudoedade.exe	DllHost.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2344

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
"C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
"C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe
"C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe
"C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb63560c1.bat"
4⤵
PID:2976

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3264

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb63560c1.bat
MD5
60f3a63f03c6399fd2c19d5cb5703be8

SHA1
852c28ce086d200c770407c432258f652aac61ea

SHA256
b640d82e963e9b072b5b9ca7f8f4c3c5bd81b0879db1a21ba95c3e0dfecf8c52

SHA512
8daf0f0374cde14026ae4782ccda94fe5880985904086835819f018351860d8778090acc833ff1c8093cf870e3c5d90db12cc3bbd66c52bd552d9b8ab8e7ba6d

Download Submit
C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe
MD5
e01d606f748f96f7ebcd8e9c8b547273

SHA1
6f9579126e66341a8ac1b600134dd36e08b8e615

SHA256
005513cf9e2d9a9881eb8275713e62562c3d75513d994a66fa66f8844eb34c07

SHA512
e251500f1f1248787a5da15b1202b3ea6e25261013e20f57e48d0b323e89e8280aa09600300ea41e6f8bca676e968cb9f6bb54b420eb4feaa41312fee1cda6ff

Download Submit
C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe
MD5
e01d606f748f96f7ebcd8e9c8b547273

SHA1
6f9579126e66341a8ac1b600134dd36e08b8e615

SHA256
005513cf9e2d9a9881eb8275713e62562c3d75513d994a66fa66f8844eb34c07

SHA512
e251500f1f1248787a5da15b1202b3ea6e25261013e20f57e48d0b323e89e8280aa09600300ea41e6f8bca676e968cb9f6bb54b420eb4feaa41312fee1cda6ff

Download Submit
C:\Users\Admin\AppData\Roaming\Wyaryphioma\otrudoedade.exe
MD5
e01d606f748f96f7ebcd8e9c8b547273

SHA1
6f9579126e66341a8ac1b600134dd36e08b8e615

SHA256
005513cf9e2d9a9881eb8275713e62562c3d75513d994a66fa66f8844eb34c07

SHA512
e251500f1f1248787a5da15b1202b3ea6e25261013e20f57e48d0b323e89e8280aa09600300ea41e6f8bca676e968cb9f6bb54b420eb4feaa41312fee1cda6ff

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8B4E.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8BFB.tmp
MD5
f95c32012c88766c2ada6cee46c4544a

SHA1
fc79967b76842ce42a8c9308e4d8da7151bfebc5

SHA256
d0d56aee6ed7383d89ffd6b89dd90be0144c40578b04f35a2520f01d2cf69c1e

SHA512
a18e28c6fb98b1b45125b6da1b6944ad1fe12c2343a5153b68d15a53c4cb74bf21497cbd5c9c9689dd5813bbf1056032a806e66dcc99f1ca18e3798c6f54b15d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp97E0.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9830.tmp
MD5
f95c32012c88766c2ada6cee46c4544a

SHA1
fc79967b76842ce42a8c9308e4d8da7151bfebc5

SHA256
d0d56aee6ed7383d89ffd6b89dd90be0144c40578b04f35a2520f01d2cf69c1e

SHA512
a18e28c6fb98b1b45125b6da1b6944ad1fe12c2343a5153b68d15a53c4cb74bf21497cbd5c9c9689dd5813bbf1056032a806e66dcc99f1ca18e3798c6f54b15d

Download Submit
memory/2976-12-0x0000000000000000-mapping.dmp

Download
memory/3168-5-0x0000000000000000-mapping.dmp

Download
memory/3176-9-0x000000000043F4D4-mapping.dmp

Download
memory/3952-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3952-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3952-1-0x000000000043F4D4-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads