566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c

General

Target

566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
Size

305KB
MD5

51537b5808ea847e1959f46a6f5ea4f0
SHA1

6ee4d5f8fc6004b280cb61b111dedf2e77d6e515
SHA256

566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c
SHA512

5d7d9d539b5700dddcd31267e1e028bbd094d6536d6bf38311c38a720a338469b76f61783d3ac8d962a871b0651b36534ae10b7c664cb8731b76de21c3ee5b6a

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Zeus GameOver Connectivity Check
suricata: ET MALWARE Possible Zeus GameOver Connectivity Check
suricata
Executes dropped EXE 1 IoCs

Processes:

ahyrhi.exe

pid process

1992 ahyrhi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

576 cmd.exe

pid	process
576	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe

pid	process
1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ahyrhi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\Currentversion\Run	ahyrhi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0BF324C8-53B1-AD4D-EE29-B639FD989524} = "C:\\Users\\Admin\\AppData\\Roaming\\Ruqima\\ahyrhi.exe"	ahyrhi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe

description pid process target process

PID 1644 set thread context of 576 1644 566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe cmd.exe

description	pid	process	target process
PID 1644 set thread context of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ahyrhi.exe

pid	process
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe
1992	ahyrhi.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exeahyrhi.exe

description	pid	process	target process
PID 1644 wrote to memory of 1992	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	ahyrhi.exe
PID 1644 wrote to memory of 1992	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	ahyrhi.exe
PID 1644 wrote to memory of 1992	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	ahyrhi.exe
PID 1644 wrote to memory of 1992	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	ahyrhi.exe
PID 1992 wrote to memory of 1112	1992	ahyrhi.exe	taskhost.exe
PID 1992 wrote to memory of 1112	1992	ahyrhi.exe	taskhost.exe
PID 1992 wrote to memory of 1112	1992	ahyrhi.exe	taskhost.exe
PID 1992 wrote to memory of 1112	1992	ahyrhi.exe	taskhost.exe
PID 1992 wrote to memory of 1112	1992	ahyrhi.exe	taskhost.exe
PID 1992 wrote to memory of 1264	1992	ahyrhi.exe	Dwm.exe
PID 1992 wrote to memory of 1264	1992	ahyrhi.exe	Dwm.exe
PID 1992 wrote to memory of 1264	1992	ahyrhi.exe	Dwm.exe
PID 1992 wrote to memory of 1264	1992	ahyrhi.exe	Dwm.exe
PID 1992 wrote to memory of 1264	1992	ahyrhi.exe	Dwm.exe
PID 1992 wrote to memory of 1368	1992	ahyrhi.exe	Explorer.EXE
PID 1992 wrote to memory of 1368	1992	ahyrhi.exe	Explorer.EXE
PID 1992 wrote to memory of 1368	1992	ahyrhi.exe	Explorer.EXE
PID 1992 wrote to memory of 1368	1992	ahyrhi.exe	Explorer.EXE
PID 1992 wrote to memory of 1368	1992	ahyrhi.exe	Explorer.EXE
PID 1992 wrote to memory of 1644	1992	ahyrhi.exe	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
PID 1992 wrote to memory of 1644	1992	ahyrhi.exe	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
PID 1992 wrote to memory of 1644	1992	ahyrhi.exe	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
PID 1992 wrote to memory of 1644	1992	ahyrhi.exe	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
PID 1992 wrote to memory of 1644	1992	ahyrhi.exe	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1644 wrote to memory of 576	1644	566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1104	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1104	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1104	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1104	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1208	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1208	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1208	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1208	1992	ahyrhi.exe	DllHost.exe
PID 1992 wrote to memory of 1208	1992	ahyrhi.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe
"C:\Users\Admin\AppData\Local\Temp\566e7516bcf131afa1b7c4b9374adda4f248b31811dace4757f3d36226553e0c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe
"C:\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpff12fe74.bat"
3⤵
- Deletes itself
PID:576

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpff12fe74.bat
Filesize
307B

MD5
cb68a97cea61499d7b134d4e43b0f9f0

SHA1
9d3a944b55222f22ed0fb83ee92687f3a5a946cf

SHA256
3071a891a3a483be7cdd7b278db7b2dda284c7aa9dfd5168073a32744df627fc

SHA512
e267d55e58ad4e7941e73ee1e7db0f28324e32ef9eedc22f560811c020da8d23a1f53473994ab5a8ad6056d1841bd2dadf78870b91e132e7d7c2cc339ed670f6

Download Submit
C:\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe
Filesize
305KB

MD5
c9d3330e75a5885dbf80bb75bddff884

SHA1
0812bbfa2ffcf6b603d0eca3de5181c5598979e5

SHA256
53ccbfa66e4eb9d3f7f56c9c3bfa495f86fbdae348b0d22c385269eec74b5286

SHA512
0832624d66d710c2a01cf060a02bc24e2e3f0907fd95ecb4117e1cc2880757462a158145d7f8ee79b9642b41181377f0ba8ac0f5349dfd11cd6c94f78e48a05c

Download Submit
C:\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe
Filesize
305KB

MD5
c9d3330e75a5885dbf80bb75bddff884

SHA1
0812bbfa2ffcf6b603d0eca3de5181c5598979e5

SHA256
53ccbfa66e4eb9d3f7f56c9c3bfa495f86fbdae348b0d22c385269eec74b5286

SHA512
0832624d66d710c2a01cf060a02bc24e2e3f0907fd95ecb4117e1cc2880757462a158145d7f8ee79b9642b41181377f0ba8ac0f5349dfd11cd6c94f78e48a05c

Download Submit
\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe
Filesize
305KB

MD5
c9d3330e75a5885dbf80bb75bddff884

SHA1
0812bbfa2ffcf6b603d0eca3de5181c5598979e5

SHA256
53ccbfa66e4eb9d3f7f56c9c3bfa495f86fbdae348b0d22c385269eec74b5286

SHA512
0832624d66d710c2a01cf060a02bc24e2e3f0907fd95ecb4117e1cc2880757462a158145d7f8ee79b9642b41181377f0ba8ac0f5349dfd11cd6c94f78e48a05c

Download Submit
\Users\Admin\AppData\Roaming\Ruqima\ahyrhi.exe
Filesize
305KB

MD5
c9d3330e75a5885dbf80bb75bddff884

SHA1
0812bbfa2ffcf6b603d0eca3de5181c5598979e5

SHA256
53ccbfa66e4eb9d3f7f56c9c3bfa495f86fbdae348b0d22c385269eec74b5286

SHA512
0832624d66d710c2a01cf060a02bc24e2e3f0907fd95ecb4117e1cc2880757462a158145d7f8ee79b9642b41181377f0ba8ac0f5349dfd11cd6c94f78e48a05c

Download Submit
memory/576-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-98-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/576-99-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/576-96-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/576-100-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/576-102-0x000000000005BB88-mapping.dmp

Download
memory/576-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-112-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/576-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-116-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1104-118-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1104-115-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1104-117-0x0000000000210000-0x000000000025C000-memory.dmp

Filesize
304KB

Download
memory/1112-70-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1112-65-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1112-69-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1112-68-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1112-67-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1208-121-0x0000000003B50000-0x0000000003B9C000-memory.dmp

Filesize
304KB

Download
memory/1208-122-0x0000000003B50000-0x0000000003B9C000-memory.dmp

Filesize
304KB

Download
memory/1208-123-0x0000000003B50000-0x0000000003B9C000-memory.dmp

Filesize
304KB

Download
memory/1208-124-0x0000000003B50000-0x0000000003B9C000-memory.dmp

Filesize
304KB

Download
memory/1264-75-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1264-73-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1264-76-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1264-74-0x0000000000120000-0x000000000016C000-memory.dmp

Filesize
304KB

Download
memory/1368-82-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1368-81-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1368-80-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1368-79-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1644-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-101-0x0000000000370000-0x00000000003BF000-memory.dmp

Filesize
316KB

Download
memory/1644-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1644-85-0x0000000000370000-0x00000000003BC000-memory.dmp

Filesize
304KB

Download
memory/1644-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-103-0x0000000000370000-0x00000000003BC000-memory.dmp

Filesize
304KB

Download
memory/1644-86-0x0000000000370000-0x00000000003BC000-memory.dmp

Filesize
304KB

Download
memory/1644-87-0x0000000000370000-0x00000000003BC000-memory.dmp

Filesize
304KB

Download
memory/1644-56-0x0000000000401000-0x0000000000445000-memory.dmp

Filesize
272KB

Download
memory/1644-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-88-0x0000000000370000-0x00000000003BC000-memory.dmp

Filesize
304KB

Download
memory/1992-59-0x0000000000000000-mapping.dmp

Download
memory/1992-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads