Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 05:47
Static task
- static1
Behavioral task
- behavioral1: sample 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe, resource win7-20220718-en
- behavioral2: sample 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe, resource win10v2004-20220722-en
General
- Target: 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe
- Size: 772KB
- MD5: 3702f63230e2cfd3e0b343fad2234e6b
- SHA1: 4c5e6575c2364cda2ec3010180542f7dcc458c8d
- SHA256: 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635
- SHA512: 0bfbfa33f170e029a71d6ccac581b9cdff4cd3db1f043375d547f801643980292a85c139c2e3bd2d72ed043400f688f15832182fc9a9660961d7f75dbc2a22e1
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Executes dropped EXE (2 IoCs)
Processes:
- PID 4396: ouytresx.exe
- PID 5028: kcuuyg.exe
Creates a Windows Service
-
Drops file in System32 directory (2 IoCs)
Processes:
- File created: C:\Windows\SysWOW64\kcuuyg.exe (by ouytresx.exe)
- File opened for modification: C:\Windows\SysWOW64\kcuuyg.exe (by ouytresx.exe)
Drops file in Windows directory (1 IoC)
Processes:
- File created: C:\Windows\ouytresx.exe (by 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments: the ~MHz value under CentralProcessor\0 is the CPU clock speed recorded at boot, and an unusually low or implausible value is a common heuristic for a virtual machine or emulator.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (kcuuyg.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (kcuuyg.exe)
Modifies data under HKEY_USERS (5 IoCs)
Processes (all kcuuyg.exe):
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
- PID 5028: kcuuyg.exe (18 process-enumeration events)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 2084: 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 2084: 561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe (2 events)
- PID 4396: ouytresx.exe
- PID 5028: kcuuyg.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 2084 (561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe) wrote to memory of PID 4396 (ouytresx.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe (PID 2084, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\ouytresx.exe (PID 4396, level 2, child of PID 2084)
    Command line: C:\Windows\ouytresx.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\kcuuyg.exe (PID 5028, level 1; reported as a separate top-level process rather than a child of ouytresx.exe)
  Command line: C:\Windows\SysWOW64\kcuuyg.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\ouytresx.exe and C:\Windows\SysWOW64\kcuuyg.exe (identical hashes, so the same 72KB file written to both paths; each path appears twice in the original report)
  Filesize: 72KB
  MD5: 954ebf4e1d54326ed5c2bae097dbd664
  SHA1: bdeda24d1de38a71eb5c72c1fb4f2ba44168fbe5
  SHA256: f88b7491e614c42f8c78d6ba14f43e79b75d04d4f1da70ee5dd0ba177da20808
  SHA512: da06533019075cb31ce790d42e82ab4f8e23a3e2734b815c91e7bf4e42b3f36f2c677d8aacd419cb6667fb6777433050c8daf3698631bc522b2fae89f7f14076
- memory/2084-132-0x0000000000400000-0x00000000004E6000-memory.dmp
  Filesize: 920KB
- memory/4396-133-0x0000000000000000-mapping.dmp
- memory/4396-136-0x0000000010000000-0x0000000010008000-memory.dmp
  Filesize: 32KB
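The paths, hashes and registry events above are the indicators a responder would sweep other hosts for. The following script is an added example, not part of the sandbox report: it matches files against the dropped-file paths and hashes listed in this report, and flags processes that query the CentralProcessor\0\~MHz value. The sample file contents and registry event list are constructed for illustration (the real payload bytes are not on this page), and the allowlist of processes expected to read ~MHz is an assumption to be tuned per environment.

```python
"""Sweep a host for the artefacts listed in this report (added example)."""
import hashlib
from typing import Dict, FrozenSet, List, Tuple

# Indicators copied from the report above: the two dropped-file paths and the
# hashes of the 72KB payload that was written to both locations.
IOC_PATHS = {
    r"C:\Windows\ouytresx.exe",
    r"C:\Windows\SysWOW64\kcuuyg.exe",
}
IOC_HASHES = {
    "md5": "954ebf4e1d54326ed5c2bae097dbd664",
    "sha1": "bdeda24d1de38a71eb5c72c1fb4f2ba44168fbe5",
    "sha256": "f88b7491e614c42f8c78d6ba14f43e79b75d04d4f1da70ee5dd0ba177da20808",
}
# Registry value read by kcuuyg.exe in the report (common VM/sandbox heuristic).
CPU_MHZ_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the three digest types the report lists for each dropped file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(path: str, data: bytes) -> List[str]:
    """Reasons a file matches this report; an empty list means no match.

    A path match alone is reported separately from a hash match, because a
    different build of the dropper can sit at the same path with new hashes.
    """
    reasons: List[str] = []
    if path.lower() in {p.lower() for p in IOC_PATHS}:
        reasons.append("path")
    digests = hash_bytes(data)
    if digests["sha256"] == IOC_HASHES["sha256"]:
        reasons.append("sha256")
    elif digests["md5"] == IOC_HASHES["md5"] or digests["sha1"] == IOC_HASHES["sha1"]:
        # MD5/SHA1 collisions are practical, so a weak-hash-only match is
        # flagged for analyst review rather than treated as confirmed.
        reasons.append("weak-hash-only")
    return reasons


def sweep(files: Dict[str, bytes]) -> List[Tuple[str, List[str]]]:
    """Classify every (path, contents) pair; a real sweep would feed this from os.walk."""
    hits = []
    for path, data in files.items():
        reasons = classify(path, data)
        if reasons:
            hits.append((path, reasons))
    return hits


def flag_cpu_mhz_reads(
    events: List[Tuple[str, str, str]],
    allowlist: FrozenSet[str] = frozenset({"svchost.exe", "wmiprvse.exe"}),  # assumption: tune per environment
) -> List[str]:
    """Processes outside the allowlist that queried the ~MHz value.

    Events are (process image name, operation, registry key) triples in the
    same shape as the report's registry table.
    """
    flagged: List[str] = []
    for process, operation, key in events:
        if (
            operation == "Key value queried"
            and key.lower() == CPU_MHZ_KEY.lower()
            and process.lower() not in allowlist
            and process not in flagged
        ):
            flagged.append(process)
    return flagged


# Constructed sample input, not real file contents: a file at an IoC path whose
# bytes do not match the report's hashes (e.g. a rebuilt dropper) and a benign file.
SAMPLE_FILES = {
    r"C:\Windows\SysWOW64\kcuuyg.exe": b"MZ" + b"\x00" * 62 + b"not the real payload",
    r"C:\Windows\System32\notepad.exe": b"MZ" + b"\x00" * 62 + b"benign",
}
# Constructed registry events mirroring the report's table plus one allowlisted reader.
SAMPLE_REG_EVENTS = [
    ("kcuuyg.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    ("kcuuyg.exe", "Key value queried", CPU_MHZ_KEY),
    ("svchost.exe", "Key value queried", CPU_MHZ_KEY),
]

if __name__ == "__main__":
    for path, reasons in sweep(SAMPLE_FILES):
        print(path, reasons)
    print("~MHz readers to review:", flag_cpu_mhz_reads(SAMPLE_REG_EVENTS))
```

On the constructed input the sweep reports kcuuyg.exe as a path-only match (the bytes differ from the report's hashes), and the registry check returns kcuuyg.exe while ignoring the allowlisted svchost.exe read.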