6441b018905b8e4a1a048090dcc089ddfeeeea0f1c3fc607b9f44acf7d067cb1

General

Target

eef4326b6839f48f8176aa358c7a76f136df80d4.exe
Size

317KB
MD5

8e57ff928f910a50c009460bd11e6050
SHA1

eef4326b6839f48f8176aa358c7a76f136df80d4
SHA256

6441b018905b8e4a1a048090dcc089ddfeeeea0f1c3fc607b9f44acf7d067cb1
SHA512

12a7030530179597d87c11de64251ed5c0c951b256cefcd7ac41c772f473193b891fad28f2f6942bd990cd6333128645b4f87b2d74c09cd7c3184d5945ca120c

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ugypf.exeugypf.exe

pid process

1616 ugypf.exe
1628 ugypf.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

908 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exe

pid process

1392 eef4326b6839f48f8176aa358c7a76f136df80d4.exe
1392 eef4326b6839f48f8176aa358c7a76f136df80d4.exe

pid	process
1616	ugypf.exe
1628	ugypf.exe

pid	process
908	cmd.exe

pid	process
1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ugypf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	ugypf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loriap = "C:\\Users\\Admin\\AppData\\Roaming\\Ahroe\\ugypf.exe"	ugypf.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\Currentversion\Run	ugypf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exeugypf.exe

description	pid	process	target process
PID 1652 set thread context of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1616 set thread context of 1628	1616	ugypf.exe	ugypf.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Privacy	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eef4326b6839f48f8176aa358c7a76f136df80d4.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

ugypf.exe

pid	process
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe
1628	ugypf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exe

description	pid	process
Token: SeSecurityPrivilege	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
Token: SeSecurityPrivilege	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
Token: SeSecurityPrivilege	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
Token: SeSecurityPrivilege	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exeugypf.exe

pid process

1652 eef4326b6839f48f8176aa358c7a76f136df80d4.exe
1616 ugypf.exe

pid	process
1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
1616	ugypf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eef4326b6839f48f8176aa358c7a76f136df80d4.exeeef4326b6839f48f8176aa358c7a76f136df80d4.exeugypf.exeugypf.exe

description	pid	process	target process
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1652 wrote to memory of 1392	1652	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1392 wrote to memory of 1616	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	ugypf.exe
PID 1392 wrote to memory of 1616	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	ugypf.exe
PID 1392 wrote to memory of 1616	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	ugypf.exe
PID 1392 wrote to memory of 1616	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1616 wrote to memory of 1628	1616	ugypf.exe	ugypf.exe
PID 1628 wrote to memory of 1124	1628	ugypf.exe	taskhost.exe
PID 1628 wrote to memory of 1124	1628	ugypf.exe	taskhost.exe
PID 1628 wrote to memory of 1124	1628	ugypf.exe	taskhost.exe
PID 1628 wrote to memory of 1124	1628	ugypf.exe	taskhost.exe
PID 1628 wrote to memory of 1124	1628	ugypf.exe	taskhost.exe
PID 1628 wrote to memory of 1184	1628	ugypf.exe	Dwm.exe
PID 1628 wrote to memory of 1184	1628	ugypf.exe	Dwm.exe
PID 1628 wrote to memory of 1184	1628	ugypf.exe	Dwm.exe
PID 1628 wrote to memory of 1184	1628	ugypf.exe	Dwm.exe
PID 1628 wrote to memory of 1184	1628	ugypf.exe	Dwm.exe
PID 1628 wrote to memory of 1220	1628	ugypf.exe	Explorer.EXE
PID 1628 wrote to memory of 1220	1628	ugypf.exe	Explorer.EXE
PID 1628 wrote to memory of 1220	1628	ugypf.exe	Explorer.EXE
PID 1628 wrote to memory of 1220	1628	ugypf.exe	Explorer.EXE
PID 1628 wrote to memory of 1220	1628	ugypf.exe	Explorer.EXE
PID 1628 wrote to memory of 1392	1628	ugypf.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1628 wrote to memory of 1392	1628	ugypf.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1628 wrote to memory of 1392	1628	ugypf.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1628 wrote to memory of 1392	1628	ugypf.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1628 wrote to memory of 1392	1628	ugypf.exe	eef4326b6839f48f8176aa358c7a76f136df80d4.exe
PID 1392 wrote to memory of 908	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	eef4326b6839f48f8176aa358c7a76f136df80d4.exe	cmd.exe
PID 1628 wrote to memory of 908	1628	ugypf.exe	cmd.exe
PID 1628 wrote to memory of 908	1628	ugypf.exe	cmd.exe
PID 1628 wrote to memory of 908	1628	ugypf.exe	cmd.exe
PID 1628 wrote to memory of 908	1628	ugypf.exe	cmd.exe
PID 1628 wrote to memory of 908	1628	ugypf.exe	cmd.exe
PID 1628 wrote to memory of 864	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 864	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 864	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 864	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 864	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 112	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 112	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 112	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 112	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 112	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 1360	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 1360	1628	ugypf.exe	DllHost.exe
PID 1628 wrote to memory of 1360	1628	ugypf.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\eef4326b6839f48f8176aa358c7a76f136df80d4.exe
"C:\Users\Admin\AppData\Local\Temp\eef4326b6839f48f8176aa358c7a76f136df80d4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\eef4326b6839f48f8176aa358c7a76f136df80d4.exe
"C:\Users\Admin\AppData\Local\Temp\eef4326b6839f48f8176aa358c7a76f136df80d4.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
"C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
"C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf1a81d2b.bat"
4⤵
- Deletes itself
PID:908

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf1a81d2b.bat
MD5
cb4994997688edf9e9f64d9ba76b86bc

SHA1
82d2e6ab1ab874e7b7534897018bf283f2cd95e1

SHA256
f3f75aba3d3191a08aa0b3cfb006abc82aad015f195451474cfc03c0c532f7cd

SHA512
bde029ae620b0fac03b8936c938796448cd9ce6a3c902d056ed8c854b1e1f0983f33a64d46f2a0dc8608dd3d5e02eeddc71ded98b6dcb82122c57807f285bb2f

Download Submit
C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
MD5
b230b81837ac00df535fe1994a7840fa

SHA1
76f603db0563e823d95d2c0bb1ce7c183e80d682

SHA256
4aab677d47e33e0921f1e24f30f56b1b214c2b53c1111a5e174e8249a5b01b61

SHA512
ded376b13fe40745f56ea4c8db46d4dddcc9b934e50070b55952c28ea430e63da9bec772c30318ef9a5d997b04346ea84291a1c18943b212d9967d4bcc594c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
MD5
b230b81837ac00df535fe1994a7840fa

SHA1
76f603db0563e823d95d2c0bb1ce7c183e80d682

SHA256
4aab677d47e33e0921f1e24f30f56b1b214c2b53c1111a5e174e8249a5b01b61

SHA512
ded376b13fe40745f56ea4c8db46d4dddcc9b934e50070b55952c28ea430e63da9bec772c30318ef9a5d997b04346ea84291a1c18943b212d9967d4bcc594c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
MD5
b230b81837ac00df535fe1994a7840fa

SHA1
76f603db0563e823d95d2c0bb1ce7c183e80d682

SHA256
4aab677d47e33e0921f1e24f30f56b1b214c2b53c1111a5e174e8249a5b01b61

SHA512
ded376b13fe40745f56ea4c8db46d4dddcc9b934e50070b55952c28ea430e63da9bec772c30318ef9a5d997b04346ea84291a1c18943b212d9967d4bcc594c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Ucgoa\raiwo.ase
MD5
e948fc86f7b9238ef304ecac41e63939

SHA1
219a880bd52d469d855295a710bb8e96c6582103

SHA256
8757e89edd6968f4389b54c14c4359b7949c7146b70a5ee287c6019a1bd2a5da

SHA512
941ff30b1635e1688c666a6a94c0825cf6e00e2d6e2b6e66252ed26b64f23c2544cefc293519d11d13ba45d0a2828e1826841790fc0d8d3c250aaf35e2c677f7

Download Submit
\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
MD5
b230b81837ac00df535fe1994a7840fa

SHA1
76f603db0563e823d95d2c0bb1ce7c183e80d682

SHA256
4aab677d47e33e0921f1e24f30f56b1b214c2b53c1111a5e174e8249a5b01b61

SHA512
ded376b13fe40745f56ea4c8db46d4dddcc9b934e50070b55952c28ea430e63da9bec772c30318ef9a5d997b04346ea84291a1c18943b212d9967d4bcc594c3d

Download Submit
\Users\Admin\AppData\Roaming\Ahroe\ugypf.exe
MD5
b230b81837ac00df535fe1994a7840fa

SHA1
76f603db0563e823d95d2c0bb1ce7c183e80d682

SHA256
4aab677d47e33e0921f1e24f30f56b1b214c2b53c1111a5e174e8249a5b01b61

SHA512
ded376b13fe40745f56ea4c8db46d4dddcc9b934e50070b55952c28ea430e63da9bec772c30318ef9a5d997b04346ea84291a1c18943b212d9967d4bcc594c3d

Download Submit
memory/908-84-0x0000000000000000-mapping.dmp

Download
memory/1392-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1392-86-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1392-85-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/1392-64-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1392-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1392-63-0x0000000000432055-mapping.dmp

Download
memory/1616-71-0x0000000000000000-mapping.dmp

Download
memory/1628-77-0x0000000000432055-mapping.dmp

Download
memory/1652-67-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1652-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1652-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads