3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817

General

Target

lab_02_win10x64/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cisyt.execisyt.exe

pid process

660 cisyt.exe
1116 cisyt.exe

pid	process
660	cisyt.exe
1116	cisyt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cisyt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\Currentversion\Run	cisyt.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	cisyt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Owuzogidag = "C:\\Users\\Admin\\AppData\\Roaming\\Aqgoqu\\cisyt.exe"	cisyt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.execisyt.exe

description	pid	process	target process
PID 4044 set thread context of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 660 set thread context of 1116	660	cisyt.exe	cisyt.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

cisyt.exe

pid	process
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe
1116	cisyt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

description	pid	process
Token: SeSecurityPrivilege	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Token: SeSecurityPrivilege	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.execisyt.exe

pid process

4044 a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
660 cisyt.exe

pid	process
4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
660	cisyt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exea380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.execisyt.execisyt.exe

description	pid	process	target process
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 4044 wrote to memory of 188	4044	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
PID 188 wrote to memory of 660	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cisyt.exe
PID 188 wrote to memory of 660	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cisyt.exe
PID 188 wrote to memory of 660	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 660 wrote to memory of 1116	660	cisyt.exe	cisyt.exe
PID 1116 wrote to memory of 2436	1116	cisyt.exe	svchost.exe
PID 1116 wrote to memory of 2436	1116	cisyt.exe	svchost.exe
PID 1116 wrote to memory of 2436	1116	cisyt.exe	svchost.exe
PID 1116 wrote to memory of 2436	1116	cisyt.exe	svchost.exe
PID 1116 wrote to memory of 2436	1116	cisyt.exe	svchost.exe
PID 188 wrote to memory of 1872	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 188 wrote to memory of 1872	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 188 wrote to memory of 1872	188	a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe	cmd.exe
PID 1116 wrote to memory of 2460	1116	cisyt.exe	sihost.exe
PID 1116 wrote to memory of 2460	1116	cisyt.exe	sihost.exe
PID 1116 wrote to memory of 2460	1116	cisyt.exe	sihost.exe
PID 1116 wrote to memory of 2460	1116	cisyt.exe	sihost.exe
PID 1116 wrote to memory of 2460	1116	cisyt.exe	sihost.exe
PID 1116 wrote to memory of 2704	1116	cisyt.exe	taskhostw.exe
PID 1116 wrote to memory of 2704	1116	cisyt.exe	taskhostw.exe
PID 1116 wrote to memory of 2704	1116	cisyt.exe	taskhostw.exe
PID 1116 wrote to memory of 2704	1116	cisyt.exe	taskhostw.exe
PID 1116 wrote to memory of 2704	1116	cisyt.exe	taskhostw.exe
PID 1116 wrote to memory of 2764	1116	cisyt.exe	Explorer.EXE
PID 1116 wrote to memory of 2764	1116	cisyt.exe	Explorer.EXE
PID 1116 wrote to memory of 2764	1116	cisyt.exe	Explorer.EXE
PID 1116 wrote to memory of 2764	1116	cisyt.exe	Explorer.EXE
PID 1116 wrote to memory of 2764	1116	cisyt.exe	Explorer.EXE
PID 1116 wrote to memory of 3356	1116	cisyt.exe	ShellExperienceHost.exe
PID 1116 wrote to memory of 3356	1116	cisyt.exe	ShellExperienceHost.exe
PID 1116 wrote to memory of 3356	1116	cisyt.exe	ShellExperienceHost.exe
PID 1116 wrote to memory of 3356	1116	cisyt.exe	ShellExperienceHost.exe
PID 1116 wrote to memory of 3356	1116	cisyt.exe	ShellExperienceHost.exe
PID 1116 wrote to memory of 3368	1116	cisyt.exe	SearchUI.exe
PID 1116 wrote to memory of 3368	1116	cisyt.exe	SearchUI.exe
PID 1116 wrote to memory of 3368	1116	cisyt.exe	SearchUI.exe
PID 1116 wrote to memory of 3368	1116	cisyt.exe	SearchUI.exe
PID 1116 wrote to memory of 3368	1116	cisyt.exe	SearchUI.exe
PID 1116 wrote to memory of 3580	1116	cisyt.exe	RuntimeBroker.exe
PID 1116 wrote to memory of 3580	1116	cisyt.exe	RuntimeBroker.exe
PID 1116 wrote to memory of 3580	1116	cisyt.exe	RuntimeBroker.exe
PID 1116 wrote to memory of 3580	1116	cisyt.exe	RuntimeBroker.exe
PID 1116 wrote to memory of 3580	1116	cisyt.exe	RuntimeBroker.exe
PID 1116 wrote to memory of 3836	1116	cisyt.exe	DllHost.exe
PID 1116 wrote to memory of 3836	1116	cisyt.exe	DllHost.exe
PID 1116 wrote to memory of 3836	1116	cisyt.exe	DllHost.exe
PID 1116 wrote to memory of 3836	1116	cisyt.exe	DllHost.exe
PID 1116 wrote to memory of 3836	1116	cisyt.exe	DllHost.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe
"C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe
"C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf5357bc0.bat"
4⤵
PID:1872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3748

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2704

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf5357bc0.bat

MD5
45a9a3d63951dee6715b88211fee852b

SHA1
0de965b7daf6220857bc25cbc858159e0b0368ce

SHA256
bb3a3e89dcfff19e875db4c2d1e5c4d315d3539db3270c60ddd9e46fe65c6f8f

SHA512
a3930704b5dddde601989e9e62f7057a4a4a3d6b851912e44949f84d93fc56e1dfa1ee9bd40ce59539a82de793033a6b2517e880ed09c60359fcf497164b0bed

Download Submit
C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe

MD5
a8bf719a32ea1e65d8067e165d9e5bb8

SHA1
dc4efc0fc0ef9b54df5c96ca2640564fd71ed17a

SHA256
2b94ae9b3b3db2aa2f015a9d37a5b5d9b7eeb9d35687fe6c97f12fef302ab637

SHA512
0b428243570a7db271e7c1c3f2d9777ac14d3b5dd1f9957eacb6df49555b95f0f1daa324b1a66851cdd0476adcd7352cd405d2829b9fe01bd52717f09aff0bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe

MD5
a8bf719a32ea1e65d8067e165d9e5bb8

SHA1
dc4efc0fc0ef9b54df5c96ca2640564fd71ed17a

SHA256
2b94ae9b3b3db2aa2f015a9d37a5b5d9b7eeb9d35687fe6c97f12fef302ab637

SHA512
0b428243570a7db271e7c1c3f2d9777ac14d3b5dd1f9957eacb6df49555b95f0f1daa324b1a66851cdd0476adcd7352cd405d2829b9fe01bd52717f09aff0bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Aqgoqu\cisyt.exe

MD5
a8bf719a32ea1e65d8067e165d9e5bb8

SHA1
dc4efc0fc0ef9b54df5c96ca2640564fd71ed17a

SHA256
2b94ae9b3b3db2aa2f015a9d37a5b5d9b7eeb9d35687fe6c97f12fef302ab637

SHA512
0b428243570a7db271e7c1c3f2d9777ac14d3b5dd1f9957eacb6df49555b95f0f1daa324b1a66851cdd0476adcd7352cd405d2829b9fe01bd52717f09aff0bb8

Download Submit
memory/188-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/188-118-0x000000000042B055-mapping.dmp

Download
memory/188-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/660-120-0x0000000000000000-mapping.dmp

Download
memory/1116-127-0x000000000042B055-mapping.dmp

Download
memory/1872-129-0x0000000000000000-mapping.dmp

Download
memory/1872-132-0x0000000003120000-0x000000000315B000-memory.dmp

Filesize
236KB

Download
memory/4044-116-0x00000000020F0000-0x0000000002110000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads