3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817

General

Target

lab_02_win10x64/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

kubyo.exekubyo.exe

pid process

2264 kubyo.exe
1900 kubyo.exe

pid	process
2264	kubyo.exe
1900	kubyo.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kubyo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\Currentversion\Run	kubyo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	kubyo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kipiqaa = "C:\\Users\\Admin\\AppData\\Roaming\\Anoco\\kubyo.exe"	kubyo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exekubyo.exe

description	pid	process	target process
PID 3948 set thread context of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 2264 set thread context of 1900	2264	kubyo.exe	kubyo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kubyo.exe

pid	process
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe
1900	kubyo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

description	pid	process
Token: SeSecurityPrivilege	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Token: SeSecurityPrivilege	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exekubyo.exe

pid process

3948 a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
2264 kubyo.exe

pid	process
3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
2264	kubyo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exea380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exekubyo.exekubyo.exe

description	pid	process	target process
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 3948 wrote to memory of 188	3948	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 188 wrote to memory of 2264	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	kubyo.exe
PID 188 wrote to memory of 2264	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	kubyo.exe
PID 188 wrote to memory of 2264	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 2264 wrote to memory of 1900	2264	kubyo.exe	kubyo.exe
PID 188 wrote to memory of 4052	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 188 wrote to memory of 4052	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 188 wrote to memory of 4052	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 1900 wrote to memory of 2332	1900	kubyo.exe	sihost.exe
PID 1900 wrote to memory of 2332	1900	kubyo.exe	sihost.exe
PID 1900 wrote to memory of 2332	1900	kubyo.exe	sihost.exe
PID 1900 wrote to memory of 2332	1900	kubyo.exe	sihost.exe
PID 1900 wrote to memory of 2332	1900	kubyo.exe	sihost.exe
PID 1900 wrote to memory of 2356	1900	kubyo.exe	svchost.exe
PID 1900 wrote to memory of 2356	1900	kubyo.exe	svchost.exe
PID 1900 wrote to memory of 2356	1900	kubyo.exe	svchost.exe
PID 1900 wrote to memory of 2356	1900	kubyo.exe	svchost.exe
PID 1900 wrote to memory of 2356	1900	kubyo.exe	svchost.exe
PID 1900 wrote to memory of 2724	1900	kubyo.exe	taskhostw.exe
PID 1900 wrote to memory of 2724	1900	kubyo.exe	taskhostw.exe
PID 1900 wrote to memory of 2724	1900	kubyo.exe	taskhostw.exe
PID 1900 wrote to memory of 2724	1900	kubyo.exe	taskhostw.exe
PID 1900 wrote to memory of 2724	1900	kubyo.exe	taskhostw.exe
PID 1900 wrote to memory of 3016	1900	kubyo.exe	Explorer.EXE
PID 1900 wrote to memory of 3016	1900	kubyo.exe	Explorer.EXE
PID 1900 wrote to memory of 3016	1900	kubyo.exe	Explorer.EXE
PID 1900 wrote to memory of 3016	1900	kubyo.exe	Explorer.EXE
PID 1900 wrote to memory of 3016	1900	kubyo.exe	Explorer.EXE
PID 1900 wrote to memory of 3220	1900	kubyo.exe	ShellExperienceHost.exe
PID 1900 wrote to memory of 3220	1900	kubyo.exe	ShellExperienceHost.exe
PID 1900 wrote to memory of 3220	1900	kubyo.exe	ShellExperienceHost.exe
PID 1900 wrote to memory of 3220	1900	kubyo.exe	ShellExperienceHost.exe
PID 1900 wrote to memory of 3220	1900	kubyo.exe	ShellExperienceHost.exe
PID 1900 wrote to memory of 3240	1900	kubyo.exe	SearchUI.exe
PID 1900 wrote to memory of 3240	1900	kubyo.exe	SearchUI.exe
PID 1900 wrote to memory of 3240	1900	kubyo.exe	SearchUI.exe
PID 1900 wrote to memory of 3240	1900	kubyo.exe	SearchUI.exe
PID 1900 wrote to memory of 3240	1900	kubyo.exe	SearchUI.exe
PID 1900 wrote to memory of 3444	1900	kubyo.exe	RuntimeBroker.exe
PID 1900 wrote to memory of 3444	1900	kubyo.exe	RuntimeBroker.exe
PID 1900 wrote to memory of 3444	1900	kubyo.exe	RuntimeBroker.exe
PID 1900 wrote to memory of 3444	1900	kubyo.exe	RuntimeBroker.exe
PID 1900 wrote to memory of 3444	1900	kubyo.exe	RuntimeBroker.exe
PID 1900 wrote to memory of 3740	1900	kubyo.exe	DllHost.exe
PID 1900 wrote to memory of 3740	1900	kubyo.exe	DllHost.exe
PID 1900 wrote to memory of 3740	1900	kubyo.exe	DllHost.exe
PID 1900 wrote to memory of 3740	1900	kubyo.exe	DllHost.exe
PID 1900 wrote to memory of 3740	1900	kubyo.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe
"C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe
"C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf1d32dae.bat"
4⤵
PID:4052

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3220

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2356

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf1d32dae.bat
MD5
4bcd0822e301eaf7303abf3f8c47ce1a

SHA1
4f8a33253a84e8c7af5b9d85d075fa1b94851df0

SHA256
640b2a17efb77d4808e9ac43bd2e965015685b2f9fc6f33bd08c9658b1eb6cb4

SHA512
9ed3a5fa756956282e8a9931dbccc4aa4216a4e9ad7fe143dee8c71ce48f4a9acdba572969c49924d7c6cf2114c14cfc4cc8fed5c5ddd93b7b410ac8c3c12299

Download Submit
C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe
MD5
60a6ff1e35ac2e722a8c39eb50d8e641

SHA1
6e9d71ab69274efedaf6408485457061b882c4c9

SHA256
a87cee9db905314a9a0c0da538e709714b930196ab1602d46ed5339e2e9bc1b6

SHA512
2d0d30fe4b65fa6caac82ee36a23266c9b9a9bbdedb2ac61f9929721767224407548a00fbaa7c9e532a91930f4fa63914974a9c7fa735b26f06705c2db5e7a92

Download Submit
C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe
MD5
60a6ff1e35ac2e722a8c39eb50d8e641

SHA1
6e9d71ab69274efedaf6408485457061b882c4c9

SHA256
a87cee9db905314a9a0c0da538e709714b930196ab1602d46ed5339e2e9bc1b6

SHA512
2d0d30fe4b65fa6caac82ee36a23266c9b9a9bbdedb2ac61f9929721767224407548a00fbaa7c9e532a91930f4fa63914974a9c7fa735b26f06705c2db5e7a92

Download Submit
C:\Users\Admin\AppData\Roaming\Anoco\kubyo.exe
MD5
60a6ff1e35ac2e722a8c39eb50d8e641

SHA1
6e9d71ab69274efedaf6408485457061b882c4c9

SHA256
a87cee9db905314a9a0c0da538e709714b930196ab1602d46ed5339e2e9bc1b6

SHA512
2d0d30fe4b65fa6caac82ee36a23266c9b9a9bbdedb2ac61f9929721767224407548a00fbaa7c9e532a91930f4fa63914974a9c7fa735b26f06705c2db5e7a92

Download Submit
memory/188-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/188-118-0x000000000042B055-mapping.dmp

Download
memory/188-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1900-127-0x000000000042B055-mapping.dmp

Download
memory/2264-120-0x0000000000000000-mapping.dmp

Download
memory/3948-116-0x0000000002980000-0x00000000029A0000-memory.dmp

Filesize
128KB

Download
memory/4052-129-0x0000000000000000-mapping.dmp

Download
memory/4052-132-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads