7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171

Analysis

max time kernel
152s
max time network
168s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe
Size

308KB
MD5

66670fefc04ddda430e21aa9f27a5300
SHA1

2a9b8660744e46bc7321cd9d2e6dda0c91027020
SHA256

7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171
SHA512

4d2447faf12b5439024fac1281471380c646c3981f6fd994e348397cacadf638fbb7005436aba8092626cd4e52b67ceca8aa5f7c7ec77f95bdb05202f7abd7fe
SSDEEP

6144:ec9QEcP+wbqVovb83oyN1waZ2Wszxrdi+nrPMToy9xVJB9ld:/9QbJb0onyNaaZ2/1BrksyTVjn

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1508	ywcua.exe

Deletes itself 1 IoCs

pid	Process
1880	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe
1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	ywcua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ywcua = "C:\\Users\\Admin\\AppData\\Roaming\\Eblesu\\ywcua.exe"	ywcua.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe
1508	ywcua.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1508	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	27
PID 1556 wrote to memory of 1508	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	27
PID 1556 wrote to memory of 1508	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	27
PID 1556 wrote to memory of 1508	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	27
PID 1508 wrote to memory of 1124	1508	ywcua.exe	8
PID 1508 wrote to memory of 1124	1508	ywcua.exe	8
PID 1508 wrote to memory of 1124	1508	ywcua.exe	8
PID 1508 wrote to memory of 1124	1508	ywcua.exe	8
PID 1508 wrote to memory of 1124	1508	ywcua.exe	8
PID 1508 wrote to memory of 1232	1508	ywcua.exe	15
PID 1508 wrote to memory of 1232	1508	ywcua.exe	15
PID 1508 wrote to memory of 1232	1508	ywcua.exe	15
PID 1508 wrote to memory of 1232	1508	ywcua.exe	15
PID 1508 wrote to memory of 1232	1508	ywcua.exe	15
PID 1508 wrote to memory of 1288	1508	ywcua.exe	14
PID 1508 wrote to memory of 1288	1508	ywcua.exe	14
PID 1508 wrote to memory of 1288	1508	ywcua.exe	14
PID 1508 wrote to memory of 1288	1508	ywcua.exe	14
PID 1508 wrote to memory of 1288	1508	ywcua.exe	14
PID 1508 wrote to memory of 1556	1508	ywcua.exe	16
PID 1508 wrote to memory of 1556	1508	ywcua.exe	16
PID 1508 wrote to memory of 1556	1508	ywcua.exe	16
PID 1508 wrote to memory of 1556	1508	ywcua.exe	16
PID 1508 wrote to memory of 1556	1508	ywcua.exe	16
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28
PID 1556 wrote to memory of 1880	1556	7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe
  "C:\Users\Admin\AppData\Local\Temp\7733dadd4cd3b77ac1e5197bc33657e2dd7be2faffffbcfd0e772403152d9171.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe
    "C:\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PPN899E.bat"
    3⤵
    - Deletes itself
    PID:1880

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PPN899E.bat

Filesize
303B

MD5
8ae9670a54fb90e926fcbe9407623321

SHA1
522f4d821affb7c1923fb99b5188cc79ee4bf493

SHA256
48cfe6781209d1a5ce5ed38e1f1acaf4821b8b20c59ced492962eefbc77760a7

SHA512
110b8851938949f02596284b91539778d26b036d79f2a1bb447164000a4f7886e8eb877ec73ea26f330f1913b68b40a177f51399b804688b8f4aafc0c2781fad

Download Submit
C:\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe

Filesize
308KB

MD5
141a961d008169b1e363aa0567275d7d

SHA1
b57b70af03902aef6897478f7aa86f478a5ec4be

SHA256
0327be4c46a8ba807fbba637adad0de6df5d3a91ce8aeaac1985f4282dc279e5

SHA512
c7077760f215d6b52f8090b7a02f0a60345a3aa4a5f85ddb66a15d0716c81f21627c510a5d7afff473978f37a4fb06130f60e1b10807b13b79af326f27eec09c

Download Submit
C:\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe

Filesize
308KB

MD5
141a961d008169b1e363aa0567275d7d

SHA1
b57b70af03902aef6897478f7aa86f478a5ec4be

SHA256
0327be4c46a8ba807fbba637adad0de6df5d3a91ce8aeaac1985f4282dc279e5

SHA512
c7077760f215d6b52f8090b7a02f0a60345a3aa4a5f85ddb66a15d0716c81f21627c510a5d7afff473978f37a4fb06130f60e1b10807b13b79af326f27eec09c

Download Submit
\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe

Filesize
308KB

MD5
141a961d008169b1e363aa0567275d7d

SHA1
b57b70af03902aef6897478f7aa86f478a5ec4be

SHA256
0327be4c46a8ba807fbba637adad0de6df5d3a91ce8aeaac1985f4282dc279e5

SHA512
c7077760f215d6b52f8090b7a02f0a60345a3aa4a5f85ddb66a15d0716c81f21627c510a5d7afff473978f37a4fb06130f60e1b10807b13b79af326f27eec09c

Download Submit
\Users\Admin\AppData\Roaming\Eblesu\ywcua.exe

Filesize
308KB

MD5
141a961d008169b1e363aa0567275d7d

SHA1
b57b70af03902aef6897478f7aa86f478a5ec4be

SHA256
0327be4c46a8ba807fbba637adad0de6df5d3a91ce8aeaac1985f4282dc279e5

SHA512
c7077760f215d6b52f8090b7a02f0a60345a3aa4a5f85ddb66a15d0716c81f21627c510a5d7afff473978f37a4fb06130f60e1b10807b13b79af326f27eec09c

Download Submit
memory/1124-68-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1124-70-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1124-69-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1124-67-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1124-65-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1232-73-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1232-74-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1232-75-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1232-76-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1288-81-0x00000000025D0000-0x0000000002619000-memory.dmp

Filesize
292KB

Download
memory/1288-82-0x00000000025D0000-0x0000000002619000-memory.dmp

Filesize
292KB

Download
memory/1288-79-0x00000000025D0000-0x0000000002619000-memory.dmp

Filesize
292KB

Download
memory/1288-80-0x00000000025D0000-0x0000000002619000-memory.dmp

Filesize
292KB

Download
memory/1508-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1556-85-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1556-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1556-86-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1556-87-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1556-88-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1556-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1556-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-95-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1556-56-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1880-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1880-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1880-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1880-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1880-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download