21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
Size

388KB
MD5

73f7b9c101b90e2dac28bd32c29aca80
SHA1

a17b7e465412b7364f38ee9b44357ee475b86b5d
SHA256

21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24
SHA512

49ab3916e55b9c83e100c609fad1571df7bffa7b327747c108fa3c061d0c71c7dd0e11f58b150edd2433243c3a66ba4f9209f4d7dc353045765db58f4fa37755
SSDEEP

6144:r1QOfKY6okmXBP1+EV/7XpzqAfveLO1/tjJNy4:xi69d+OT5zqA+E44

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4280	ixheh.exe
5052	ixheh.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	ixheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	ixheh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efilismuu = "C:\\Users\\Admin\\AppData\\Roaming\\Zagon\\ixheh.exe"	ixheh.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 320 set thread context of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 4280 set thread context of 5052	4280	ixheh.exe	83

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe
5052	ixheh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
Token: SeSecurityPrivilege	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
4280	ixheh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 320 wrote to memory of 3304	320	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	81
PID 3304 wrote to memory of 4280	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	82
PID 3304 wrote to memory of 4280	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	82
PID 3304 wrote to memory of 4280	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	82
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 4280 wrote to memory of 5052	4280	ixheh.exe	83
PID 5052 wrote to memory of 2308	5052	ixheh.exe	52
PID 5052 wrote to memory of 2308	5052	ixheh.exe	52
PID 5052 wrote to memory of 2308	5052	ixheh.exe	52
PID 5052 wrote to memory of 2308	5052	ixheh.exe	52
PID 5052 wrote to memory of 2308	5052	ixheh.exe	52
PID 3304 wrote to memory of 1376	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	84
PID 3304 wrote to memory of 1376	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	84
PID 3304 wrote to memory of 1376	3304	21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe	84
PID 5052 wrote to memory of 2328	5052	ixheh.exe	51
PID 5052 wrote to memory of 2328	5052	ixheh.exe	51
PID 5052 wrote to memory of 2328	5052	ixheh.exe	51
PID 5052 wrote to memory of 2328	5052	ixheh.exe	51
PID 5052 wrote to memory of 2328	5052	ixheh.exe	51
PID 5052 wrote to memory of 2416	5052	ixheh.exe	50
PID 5052 wrote to memory of 2416	5052	ixheh.exe	50
PID 5052 wrote to memory of 2416	5052	ixheh.exe	50
PID 5052 wrote to memory of 2416	5052	ixheh.exe	50
PID 5052 wrote to memory of 2416	5052	ixheh.exe	50
PID 5052 wrote to memory of 2424	5052	ixheh.exe	41
PID 5052 wrote to memory of 2424	5052	ixheh.exe	41
PID 5052 wrote to memory of 2424	5052	ixheh.exe	41
PID 5052 wrote to memory of 2424	5052	ixheh.exe	41
PID 5052 wrote to memory of 2424	5052	ixheh.exe	41
PID 5052 wrote to memory of 2948	5052	ixheh.exe	40
PID 5052 wrote to memory of 2948	5052	ixheh.exe	40
PID 5052 wrote to memory of 2948	5052	ixheh.exe	40
PID 5052 wrote to memory of 2948	5052	ixheh.exe	40
PID 5052 wrote to memory of 2948	5052	ixheh.exe	40
PID 5052 wrote to memory of 3244	5052	ixheh.exe	16
PID 5052 wrote to memory of 3244	5052	ixheh.exe	16
PID 5052 wrote to memory of 3244	5052	ixheh.exe	16
PID 5052 wrote to memory of 3244	5052	ixheh.exe	16
PID 5052 wrote to memory of 3244	5052	ixheh.exe	16
PID 5052 wrote to memory of 3352	5052	ixheh.exe	18
PID 5052 wrote to memory of 3352	5052	ixheh.exe	18
PID 5052 wrote to memory of 3352	5052	ixheh.exe	18
PID 5052 wrote to memory of 3352	5052	ixheh.exe	18
PID 5052 wrote to memory of 3352	5052	ixheh.exe	18
PID 5052 wrote to memory of 3456	5052	ixheh.exe	17
PID 5052 wrote to memory of 3456	5052	ixheh.exe	17
PID 5052 wrote to memory of 3456	5052	ixheh.exe	17
PID 5052 wrote to memory of 3456	5052	ixheh.exe	17
PID 5052 wrote to memory of 3456	5052	ixheh.exe	17
PID 5052 wrote to memory of 3552	5052	ixheh.exe	39
PID 5052 wrote to memory of 3552	5052	ixheh.exe	39

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
  "C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe
    "C:\Users\Admin\AppData\Local\Temp\21cdb55b60d39ab7718e4e6e592dacb9c3273f6e367d8c126fdf21f90e01dc24.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe
      "C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe
        
        "C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5a3a2654.bat"
      4⤵
      PID:1376
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5012

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2328

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5a3a2654.bat

Filesize
307B

MD5
8181245b32ee61bd5d7c7db13f4b23e1

SHA1
c914025f48d952a5942ea5b2c20a7afa5e2bbcfc

SHA256
ff4c340d19b6299bd7a81b928e43ca14451fe387061924d47d51bc5b3f75c5bf

SHA512
d149d06d123864f40e9c79ca87046431a9f7fad17decfa0401103043d1b429036c6d90d393c6e0e384465c6b41dacee697369703faf058701f2f92c42f2936bf

Download Submit
C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe

Filesize
388KB

MD5
47ee363ff3c9265059b13b0cf336726e

SHA1
fd65569003ccb2b99e4ff8c00bce495d56dabaad

SHA256
8782d715ea09586196d8414ffdd50c56413b4a3614d9ce68361dc403a6675cbc

SHA512
e3f05626166400dd449542284a0925d9451c9d0d8d26da4d6bcc2be4fec79c66ee9d971a5a941dbec0bf7fec65fe344699fe221b0f0da388e3665396ccfe46a2

Download Submit
C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe

Filesize
388KB

MD5
47ee363ff3c9265059b13b0cf336726e

SHA1
fd65569003ccb2b99e4ff8c00bce495d56dabaad

SHA256
8782d715ea09586196d8414ffdd50c56413b4a3614d9ce68361dc403a6675cbc

SHA512
e3f05626166400dd449542284a0925d9451c9d0d8d26da4d6bcc2be4fec79c66ee9d971a5a941dbec0bf7fec65fe344699fe221b0f0da388e3665396ccfe46a2

Download Submit
C:\Users\Admin\AppData\Roaming\Zagon\ixheh.exe

Filesize
388KB

MD5
47ee363ff3c9265059b13b0cf336726e

SHA1
fd65569003ccb2b99e4ff8c00bce495d56dabaad

SHA256
8782d715ea09586196d8414ffdd50c56413b4a3614d9ce68361dc403a6675cbc

SHA512
e3f05626166400dd449542284a0925d9451c9d0d8d26da4d6bcc2be4fec79c66ee9d971a5a941dbec0bf7fec65fe344699fe221b0f0da388e3665396ccfe46a2

Download Submit
memory/1376-150-0x0000000000E30000-0x0000000000E6B000-memory.dmp

Filesize
236KB

Download
memory/1376-152-0x0000000000E30000-0x0000000000E6B000-memory.dmp

Filesize
236KB

Download
memory/3304-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download