49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe
Size

363KB
MD5

6c0d9ab42efd836490045c82f28c1161
SHA1

daa9ba175c0581710fa3a1c0ea1670635fb83298
SHA256

49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53
SHA512

6c523048c2ad0db1987c59c46831f831b39371556930b11b01d7655ee4aa67007f19e2bfc2216e4ebcb2f8fb536bce6baea1fdd81d9ccbfbaad28acbbb359202
SSDEEP

6144:3bIAyTXqQJBVJxRbq3gkKJFoXr7ePZ3hH0WO1q800KKwW:6T6S77eoJFeneh80cwW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	xydo.exe

Deletes itself 1 IoCs

pid	Process
1164	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe
800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	xydo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Izki\\xydo.exe"	xydo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe
1928	xydo.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe
1928	xydo.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1928	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	28
PID 800 wrote to memory of 1928	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	28
PID 800 wrote to memory of 1928	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	28
PID 800 wrote to memory of 1928	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	28
PID 1928 wrote to memory of 1120	1928	xydo.exe	7
PID 1928 wrote to memory of 1120	1928	xydo.exe	7
PID 1928 wrote to memory of 1120	1928	xydo.exe	7
PID 1928 wrote to memory of 1120	1928	xydo.exe	7
PID 1928 wrote to memory of 1120	1928	xydo.exe	7
PID 1928 wrote to memory of 1176	1928	xydo.exe	15
PID 1928 wrote to memory of 1176	1928	xydo.exe	15
PID 1928 wrote to memory of 1176	1928	xydo.exe	15
PID 1928 wrote to memory of 1176	1928	xydo.exe	15
PID 1928 wrote to memory of 1176	1928	xydo.exe	15
PID 1928 wrote to memory of 1212	1928	xydo.exe	14
PID 1928 wrote to memory of 1212	1928	xydo.exe	14
PID 1928 wrote to memory of 1212	1928	xydo.exe	14
PID 1928 wrote to memory of 1212	1928	xydo.exe	14
PID 1928 wrote to memory of 1212	1928	xydo.exe	14
PID 1928 wrote to memory of 800	1928	xydo.exe	27
PID 1928 wrote to memory of 800	1928	xydo.exe	27
PID 1928 wrote to memory of 800	1928	xydo.exe	27
PID 1928 wrote to memory of 800	1928	xydo.exe	27
PID 1928 wrote to memory of 800	1928	xydo.exe	27
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29
PID 800 wrote to memory of 1164	800	49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe
  "C:\Users\Admin\AppData\Local\Temp\49c9cb61ab143b1538321e653c95ffc5aff14510976c83ede4356de1dbd76d53.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Users\Admin\AppData\Roaming\Izki\xydo.exe
    "C:\Users\Admin\AppData\Roaming\Izki\xydo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd4645fc6.bat"
    3⤵
    - Deletes itself
    PID:1164

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd4645fc6.bat

Filesize
307B

MD5
ee07afc3e547fd23d877442a6d8bbc59

SHA1
8f5357ee66cb4862e69d821372857a6459a75d95

SHA256
ecd0df95e44ba550f788f0911c2c2706b0de1c20cc2adcc8d49ba2a1f64e8fb6

SHA512
927a6c5c402d49cb9179a31cad184125de343c04ae127b88833d419ad601b6a089799418913c497f898e8b1bb101a99600a7dab5ed53c985c9a23588140fb452

Download Submit
C:\Users\Admin\AppData\Roaming\Izki\xydo.exe

Filesize
363KB

MD5
9c22bb1f84653afde654361b8a061e57

SHA1
6927cfb4a64048c773787f994b604df4c4f4e682

SHA256
e54063819a9722b590b6f2e329703147fe4cedd05302e491cb5311b75214965f

SHA512
e4f2034b1d630243217dfd813ca12835fb7dd9d032ecd3a43aaaa1abf3aabf8f66f92b3eed9150c2d7231d0d0ff04e7119656487bcf32032be26cb1b5ebed284

Download Submit
C:\Users\Admin\AppData\Roaming\Izki\xydo.exe

Filesize
363KB

MD5
9c22bb1f84653afde654361b8a061e57

SHA1
6927cfb4a64048c773787f994b604df4c4f4e682

SHA256
e54063819a9722b590b6f2e329703147fe4cedd05302e491cb5311b75214965f

SHA512
e4f2034b1d630243217dfd813ca12835fb7dd9d032ecd3a43aaaa1abf3aabf8f66f92b3eed9150c2d7231d0d0ff04e7119656487bcf32032be26cb1b5ebed284

Download Submit
\Users\Admin\AppData\Roaming\Izki\xydo.exe

Filesize
363KB

MD5
9c22bb1f84653afde654361b8a061e57

SHA1
6927cfb4a64048c773787f994b604df4c4f4e682

SHA256
e54063819a9722b590b6f2e329703147fe4cedd05302e491cb5311b75214965f

SHA512
e4f2034b1d630243217dfd813ca12835fb7dd9d032ecd3a43aaaa1abf3aabf8f66f92b3eed9150c2d7231d0d0ff04e7119656487bcf32032be26cb1b5ebed284

Download Submit
\Users\Admin\AppData\Roaming\Izki\xydo.exe

Filesize
363KB

MD5
9c22bb1f84653afde654361b8a061e57

SHA1
6927cfb4a64048c773787f994b604df4c4f4e682

SHA256
e54063819a9722b590b6f2e329703147fe4cedd05302e491cb5311b75214965f

SHA512
e4f2034b1d630243217dfd813ca12835fb7dd9d032ecd3a43aaaa1abf3aabf8f66f92b3eed9150c2d7231d0d0ff04e7119656487bcf32032be26cb1b5ebed284

Download Submit
memory/800-89-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/800-93-0x0000000001E40000-0x0000000001EA1000-memory.dmp

Filesize
388KB

Download
memory/800-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-103-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/800-88-0x0000000001BF0000-0x0000000001C51000-memory.dmp

Filesize
388KB

Download
memory/800-87-0x0000000001BA0000-0x0000000001BE4000-memory.dmp

Filesize
272KB

Download
memory/800-86-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/800-85-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/800-84-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/800-83-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/800-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-63-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1120-68-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1120-65-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1120-66-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1120-67-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1164-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1164-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1164-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1164-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1164-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1176-71-0x0000000001B80000-0x0000000001BC4000-memory.dmp

Filesize
272KB

Download
memory/1176-72-0x0000000001B80000-0x0000000001BC4000-memory.dmp

Filesize
272KB

Download
memory/1176-73-0x0000000001B80000-0x0000000001BC4000-memory.dmp

Filesize
272KB

Download
memory/1176-74-0x0000000001B80000-0x0000000001BC4000-memory.dmp

Filesize
272KB

Download
memory/1212-80-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/1212-79-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/1212-78-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/1212-77-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/1928-92-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1928-91-0x00000000002D0000-0x0000000000331000-memory.dmp

Filesize
388KB

Download
memory/1928-90-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1928-107-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download