24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228

Analysis

max time kernel
150s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe
Size

339KB
MD5

06a8f6130141860d668167a90d1018e2
SHA1

81419fd283d6a1a5838862ff440b196b4477884e
SHA256

24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228
SHA512

7f5fdf97c314596a20236707049f7dbff17a4396797225ef13469ea9dda6097bec5dd7b48f9be4c68a3e37ceef168a8f788f7a825c4ae93030661c61c7312577
SSDEEP

6144:rXH0Z7/jkBNDpJyBNCoHyXWIpEWMTN7fNeSE9mcOANiLUKC:rXajMN1E5HXlp1E9iAsLC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
968	ryjy.exe

Deletes itself 1 IoCs

pid	Process
1172	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ryjy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Egosf\\ryjy.exe"	ryjy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 288 set thread context of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe
968	ryjy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe
968	ryjy.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 968	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	27
PID 288 wrote to memory of 968	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	27
PID 288 wrote to memory of 968	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	27
PID 288 wrote to memory of 968	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	27
PID 968 wrote to memory of 1128	968	ryjy.exe	6
PID 968 wrote to memory of 1128	968	ryjy.exe	6
PID 968 wrote to memory of 1128	968	ryjy.exe	6
PID 968 wrote to memory of 1128	968	ryjy.exe	6
PID 968 wrote to memory of 1128	968	ryjy.exe	6
PID 968 wrote to memory of 1204	968	ryjy.exe	13
PID 968 wrote to memory of 1204	968	ryjy.exe	13
PID 968 wrote to memory of 1204	968	ryjy.exe	13
PID 968 wrote to memory of 1204	968	ryjy.exe	13
PID 968 wrote to memory of 1204	968	ryjy.exe	13
PID 968 wrote to memory of 1268	968	ryjy.exe	7
PID 968 wrote to memory of 1268	968	ryjy.exe	7
PID 968 wrote to memory of 1268	968	ryjy.exe	7
PID 968 wrote to memory of 1268	968	ryjy.exe	7
PID 968 wrote to memory of 1268	968	ryjy.exe	7
PID 968 wrote to memory of 288	968	ryjy.exe	22
PID 968 wrote to memory of 288	968	ryjy.exe	22
PID 968 wrote to memory of 288	968	ryjy.exe	22
PID 968 wrote to memory of 288	968	ryjy.exe	22
PID 968 wrote to memory of 288	968	ryjy.exe	22
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28
PID 288 wrote to memory of 1172	288	24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe
  "C:\Users\Admin\AppData\Local\Temp\24b0525d45c18ead9d05c129d8f25ed7f8a1754218c35a8c8993246dc1c69228.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Users\Admin\AppData\Roaming\Egosf\ryjy.exe
    "C:\Users\Admin\AppData\Roaming\Egosf\ryjy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp47b0daf5.bat"
    3⤵
    - Deletes itself
    PID:1172

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp47b0daf5.bat

Filesize
307B

MD5
d2bd8b3ae1402f3bb1d2310cb3502c42

SHA1
9ab1ee22446d6b53117be5b4e39034300267ef42

SHA256
cc36d16429971a83527d91e04064bcbf8db7d3ef8e66abc643668cbba2d11f6c

SHA512
9c9409116695bdfcec51832924343ecf405837651b7aaa685f64101cca7480a4913b398cfdb9624e243e1dd41e92688e4603388d2d882f3e028c3f9a48e7e264

Download Submit
C:\Users\Admin\AppData\Roaming\Egosf\ryjy.exe

Filesize
339KB

MD5
0d1646ccd004612a5278bff727f59100

SHA1
dc8173d4fcf8c14b4750d6c0cb6599e629f5e21f

SHA256
ddbcca24cf69854b07d3548697af87fbb1249e3d63b1e5ddc43fef0820af8735

SHA512
9f7d08d4b1e44e5d7d0abbd5eeb62bb7b016aa78b1b352885a0d55e30797a06f37027ff552855035acbb16480fbae9bb443d0c9c5e60fb0ea2c473405c5203e6

Download Submit
C:\Users\Admin\AppData\Roaming\Egosf\ryjy.exe

Filesize
339KB

MD5
0d1646ccd004612a5278bff727f59100

SHA1
dc8173d4fcf8c14b4750d6c0cb6599e629f5e21f

SHA256
ddbcca24cf69854b07d3548697af87fbb1249e3d63b1e5ddc43fef0820af8735

SHA512
9f7d08d4b1e44e5d7d0abbd5eeb62bb7b016aa78b1b352885a0d55e30797a06f37027ff552855035acbb16480fbae9bb443d0c9c5e60fb0ea2c473405c5203e6

Download Submit
\Users\Admin\AppData\Roaming\Egosf\ryjy.exe

Filesize
339KB

MD5
0d1646ccd004612a5278bff727f59100

SHA1
dc8173d4fcf8c14b4750d6c0cb6599e629f5e21f

SHA256
ddbcca24cf69854b07d3548697af87fbb1249e3d63b1e5ddc43fef0820af8735

SHA512
9f7d08d4b1e44e5d7d0abbd5eeb62bb7b016aa78b1b352885a0d55e30797a06f37027ff552855035acbb16480fbae9bb443d0c9c5e60fb0ea2c473405c5203e6

Download Submit
memory/288-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/288-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/288-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/288-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/288-83-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/288-84-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/288-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/288-100-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/288-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/288-97-0x00000000002A0000-0x00000000002ED000-memory.dmp

Filesize
308KB

Download
memory/288-85-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/288-82-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/288-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/968-101-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/968-99-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1128-66-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1128-65-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1128-62-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1128-64-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1128-67-0x0000000001E60000-0x0000000001EAD000-memory.dmp

Filesize
308KB

Download
memory/1172-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1172-91-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1172-93-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1172-94-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1172-95-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1172-108-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1172-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1172-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1172-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-73-0x0000000001D60000-0x0000000001DAD000-memory.dmp

Filesize
308KB

Download
memory/1204-72-0x0000000001D60000-0x0000000001DAD000-memory.dmp

Filesize
308KB

Download
memory/1204-70-0x0000000001D60000-0x0000000001DAD000-memory.dmp

Filesize
308KB

Download
memory/1204-71-0x0000000001D60000-0x0000000001DAD000-memory.dmp

Filesize
308KB

Download
memory/1268-76-0x0000000002920000-0x000000000296D000-memory.dmp

Filesize
308KB

Download
memory/1268-77-0x0000000002920000-0x000000000296D000-memory.dmp

Filesize
308KB

Download
memory/1268-78-0x0000000002920000-0x000000000296D000-memory.dmp

Filesize
308KB

Download
memory/1268-79-0x0000000002920000-0x000000000296D000-memory.dmp

Filesize
308KB

Download