3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817

General

Target

lab_02_win10x64/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

atycd.exeatycd.exe

pid process

1656 atycd.exe
764 atycd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe

pid	process
1656	atycd.exe
764	atycd.exe

pid	process
584	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

pid	process
840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atycd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\Currentversion\Run	atycd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	atycd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eravyce = "C:\\Users\\Admin\\AppData\\Roaming\\Zapate\\atycd.exe"	atycd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exeatycd.exe

description	pid	process	target process
PID 1796 set thread context of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1656 set thread context of 764	1656	atycd.exe	atycd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Privacy	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

atycd.exe

pid	process
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe
764	atycd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

description	pid	process
Token: SeSecurityPrivilege	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Token: SeSecurityPrivilege	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exeatycd.exe

pid process

1796 a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
1656 atycd.exe

pid	process
1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
1656	atycd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exea380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exeatycd.exeatycd.exe

description	pid	process	target process
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 1796 wrote to memory of 840	1796	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 840 wrote to memory of 1656	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	atycd.exe
PID 840 wrote to memory of 1656	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	atycd.exe
PID 840 wrote to memory of 1656	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	atycd.exe
PID 840 wrote to memory of 1656	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 1656 wrote to memory of 764	1656	atycd.exe	atycd.exe
PID 764 wrote to memory of 1116	764	atycd.exe	taskhost.exe
PID 764 wrote to memory of 1116	764	atycd.exe	taskhost.exe
PID 764 wrote to memory of 1116	764	atycd.exe	taskhost.exe
PID 764 wrote to memory of 1116	764	atycd.exe	taskhost.exe
PID 764 wrote to memory of 1116	764	atycd.exe	taskhost.exe
PID 764 wrote to memory of 1176	764	atycd.exe	Dwm.exe
PID 764 wrote to memory of 1176	764	atycd.exe	Dwm.exe
PID 764 wrote to memory of 1176	764	atycd.exe	Dwm.exe
PID 764 wrote to memory of 1176	764	atycd.exe	Dwm.exe
PID 764 wrote to memory of 1176	764	atycd.exe	Dwm.exe
PID 764 wrote to memory of 1208	764	atycd.exe	Explorer.EXE
PID 764 wrote to memory of 1208	764	atycd.exe	Explorer.EXE
PID 764 wrote to memory of 1208	764	atycd.exe	Explorer.EXE
PID 764 wrote to memory of 1208	764	atycd.exe	Explorer.EXE
PID 764 wrote to memory of 1208	764	atycd.exe	Explorer.EXE
PID 764 wrote to memory of 840	764	atycd.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 764 wrote to memory of 840	764	atycd.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 764 wrote to memory of 840	764	atycd.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 764 wrote to memory of 840	764	atycd.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 764 wrote to memory of 840	764	atycd.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 840 wrote to memory of 584	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 840 wrote to memory of 584	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 840 wrote to memory of 584	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 840 wrote to memory of 584	840	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 764 wrote to memory of 584	764	atycd.exe	cmd.exe
PID 764 wrote to memory of 584	764	atycd.exe	cmd.exe
PID 764 wrote to memory of 584	764	atycd.exe	cmd.exe
PID 764 wrote to memory of 584	764	atycd.exe	cmd.exe
PID 764 wrote to memory of 584	764	atycd.exe	cmd.exe
PID 764 wrote to memory of 1768	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1768	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1768	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1768	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1768	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1732	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1732	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1732	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1732	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1732	764	atycd.exe	DllHost.exe
PID 764 wrote to memory of 1536	764	atycd.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe
"C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe
"C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa38ead2b.bat"
4⤵
- Deletes itself
PID:584

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa38ead2b.bat
MD5
347db784a93ab1cd0951579a1cae24fd

SHA1
15a3bceef41dcb6113ff495ae634ffd0d1da775e

SHA256
5adbff3b3d9e8e6ded8f814ed5d37d3d9cb813def6e63295292c7c2273b1f8ae

SHA512
d7abd6a96cc0017cd8864156e6252e229352cc1fd1e7c01cd04115dfb91486f78b64b24e37e88cbfcfa16df978f52aba24d6c185266966f7f027cb95da354621

Download Submit
C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe
MD5
bb1a9aa63cc1852695f505da38ba513c

SHA1
e28dba2e3c6b3a7472f599c41116a682b6166165

SHA256
e696ac60f5059ab7edefec4bfd9c870804b0460de92ad8caaab2a00ecbc2e619

SHA512
593b520abc5a58912993b426fb2b9fffd39e1151a97971c079fe5ca5c6c007c7e0cfb566fbd0d15c4636af2a1ca18436d2137d201455abdee64b81d4fc471ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe
MD5
bb1a9aa63cc1852695f505da38ba513c

SHA1
e28dba2e3c6b3a7472f599c41116a682b6166165

SHA256
e696ac60f5059ab7edefec4bfd9c870804b0460de92ad8caaab2a00ecbc2e619

SHA512
593b520abc5a58912993b426fb2b9fffd39e1151a97971c079fe5ca5c6c007c7e0cfb566fbd0d15c4636af2a1ca18436d2137d201455abdee64b81d4fc471ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Zapate\atycd.exe
MD5
bb1a9aa63cc1852695f505da38ba513c

SHA1
e28dba2e3c6b3a7472f599c41116a682b6166165

SHA256
e696ac60f5059ab7edefec4bfd9c870804b0460de92ad8caaab2a00ecbc2e619

SHA512
593b520abc5a58912993b426fb2b9fffd39e1151a97971c079fe5ca5c6c007c7e0cfb566fbd0d15c4636af2a1ca18436d2137d201455abdee64b81d4fc471ab6

Download Submit
\Users\Admin\AppData\Roaming\Zapate\atycd.exe
MD5
bb1a9aa63cc1852695f505da38ba513c

SHA1
e28dba2e3c6b3a7472f599c41116a682b6166165

SHA256
e696ac60f5059ab7edefec4bfd9c870804b0460de92ad8caaab2a00ecbc2e619

SHA512
593b520abc5a58912993b426fb2b9fffd39e1151a97971c079fe5ca5c6c007c7e0cfb566fbd0d15c4636af2a1ca18436d2137d201455abdee64b81d4fc471ab6

Download Submit
\Users\Admin\AppData\Roaming\Zapate\atycd.exe
MD5
bb1a9aa63cc1852695f505da38ba513c

SHA1
e28dba2e3c6b3a7472f599c41116a682b6166165

SHA256
e696ac60f5059ab7edefec4bfd9c870804b0460de92ad8caaab2a00ecbc2e619

SHA512
593b520abc5a58912993b426fb2b9fffd39e1151a97971c079fe5ca5c6c007c7e0cfb566fbd0d15c4636af2a1ca18436d2137d201455abdee64b81d4fc471ab6

Download Submit
memory/584-80-0x0000000000000000-mapping.dmp

Download
memory/764-77-0x000000000042B055-mapping.dmp

Download
memory/840-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/840-64-0x000000000042B055-mapping.dmp

Download
memory/840-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/840-83-0x0000000000440000-0x000000000048F000-memory.dmp

Filesize
316KB

Download
memory/840-84-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1656-69-0x0000000000000000-mapping.dmp

Download
memory/1796-61-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1796-62-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads