67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
Size

75KB
MD5

65d05269c8ed2a2c71376fbe3ae740f0
SHA1

6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6
SHA256

67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e
SHA512

120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa
SSDEEP

1536:Of8Rk+51yRVnQdUfyHRjuR2BHUBVZOXX2E/FZL7/:iaTy7Qd2yHRmuHULTE/FV7/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
972	nyrtuc.exe

Loads dropped DLL 1 IoCs

pid	Process
972	nyrtuc.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	nyrtuc.exe
File opened (read-only)	\??\K:	nyrtuc.exe
File opened (read-only)	\??\X:	nyrtuc.exe
File opened (read-only)	\??\Y:	nyrtuc.exe
File opened (read-only)	\??\F:	nyrtuc.exe
File opened (read-only)	\??\J:	nyrtuc.exe
File opened (read-only)	\??\P:	nyrtuc.exe
File opened (read-only)	\??\Q:	nyrtuc.exe
File opened (read-only)	\??\T:	nyrtuc.exe
File opened (read-only)	\??\W:	nyrtuc.exe
File opened (read-only)	\??\O:	nyrtuc.exe
File opened (read-only)	\??\S:	nyrtuc.exe
File opened (read-only)	\??\V:	nyrtuc.exe
File opened (read-only)	\??\R:	nyrtuc.exe
File opened (read-only)	\??\U:	nyrtuc.exe
File opened (read-only)	\??\E:	nyrtuc.exe
File opened (read-only)	\??\G:	nyrtuc.exe
File opened (read-only)	\??\H:	nyrtuc.exe
File opened (read-only)	\??\L:	nyrtuc.exe
File opened (read-only)	\??\M:	nyrtuc.exe
File opened (read-only)	\??\N:	nyrtuc.exe
File opened (read-only)	\??\Z:	nyrtuc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nyrtuc.exe	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
File opened for modification	C:\Windows\SysWOW64\nyrtuc.exe	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
File created	C:\Windows\SysWOW64\gei33.dll	nyrtuc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	nyrtuc.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	nyrtuc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
972	nyrtuc.exe

Suspicious behavior: MapViewOfSection 43 IoCs

pid	Process
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe
972	nyrtuc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
Token: SeDebugPrivilege	972	nyrtuc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 368	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	5
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 380	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	4
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 420	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	3
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 464	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	2
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 480	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	1
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 488	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	8
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 588	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	17
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 664	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	9
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 740	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	10
PID 900 wrote to memory of 796	900	67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe	16

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:292
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1764
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1396
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1260
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1804
- C:\Windows\SysWOW64\nyrtuc.exe
  C:\Windows\SysWOW64\nyrtuc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:972

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
  "C:\Users\Admin\AppData\Local\Temp\67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\NYRTUC.EXE

Filesize
75KB

MD5
65d05269c8ed2a2c71376fbe3ae740f0

SHA1
6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6

SHA256
67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

SHA512
120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa

Download Submit
C:\Windows\SysWOW64\nyrtuc.exe

Filesize
75KB

MD5
65d05269c8ed2a2c71376fbe3ae740f0

SHA1
6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6

SHA256
67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

SHA512
120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa

Download Submit
\Windows\SysWOW64\gei33.dll

Filesize
84KB

MD5
4ec8aa41321a32ff157d1a4c6808d301

SHA1
f266be7a588232faf55d7367de3bbec0b44e7416

SHA256
eb4b825d6e6335952fcf9eb93a0e3808cc4955345d688909a781cca7f9a8f918

SHA512
e66ff26be4a0a2f521830a0914280772b3ba617b185ba8ead6c60d48e7f75d20da0c2014f5ed0f3d97c60f9d8e2eec5dab867f275fd48cf7dd2faa89df79c5b9

Download Submit
memory/900-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-56-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/972-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-60-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/972-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download