00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781

Analysis

max time kernel
152s
max time network
189s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe
Size

537KB
MD5

678624d681138314f82827cadbf309c2
SHA1

6a287d5119fd09792df4d77f162fa4d1c47b1144
SHA256

00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781
SHA512

7171cdff97b59a8369cd3eab96e6a5a25cdad8bcc0d8c6973e6350f9c2d8304ad7bdc8427e17d64552c46608749378e677d1c2e1601479640c13cdfa456c125b
SSDEEP

12288:byIwlgn+C5IxJ845HYV5sxOH/ccccccceBS:bYleav84a5sxKS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
944	yhkawi.exe

Deletes itself 1 IoCs

pid	Process
468	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	yhkawi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ipedmi\\yhkawi.exe"	yhkawi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe
944	yhkawi.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe
944	yhkawi.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 944	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	28
PID 1256 wrote to memory of 944	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	28
PID 1256 wrote to memory of 944	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	28
PID 1256 wrote to memory of 944	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	28
PID 944 wrote to memory of 1120	944	yhkawi.exe	14
PID 944 wrote to memory of 1120	944	yhkawi.exe	14
PID 944 wrote to memory of 1120	944	yhkawi.exe	14
PID 944 wrote to memory of 1120	944	yhkawi.exe	14
PID 944 wrote to memory of 1120	944	yhkawi.exe	14
PID 944 wrote to memory of 1176	944	yhkawi.exe	13
PID 944 wrote to memory of 1176	944	yhkawi.exe	13
PID 944 wrote to memory of 1176	944	yhkawi.exe	13
PID 944 wrote to memory of 1176	944	yhkawi.exe	13
PID 944 wrote to memory of 1176	944	yhkawi.exe	13
PID 944 wrote to memory of 1204	944	yhkawi.exe	12
PID 944 wrote to memory of 1204	944	yhkawi.exe	12
PID 944 wrote to memory of 1204	944	yhkawi.exe	12
PID 944 wrote to memory of 1204	944	yhkawi.exe	12
PID 944 wrote to memory of 1204	944	yhkawi.exe	12
PID 944 wrote to memory of 1256	944	yhkawi.exe	15
PID 944 wrote to memory of 1256	944	yhkawi.exe	15
PID 944 wrote to memory of 1256	944	yhkawi.exe	15
PID 944 wrote to memory of 1256	944	yhkawi.exe	15
PID 944 wrote to memory of 1256	944	yhkawi.exe	15
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29
PID 1256 wrote to memory of 468	1256	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe
  "C:\Users\Admin\AppData\Local\Temp\00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Roaming\Ipedmi\yhkawi.exe
    "C:\Users\Admin\AppData\Roaming\Ipedmi\yhkawi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdeb13216.bat"
    3⤵
    - Deletes itself
    PID:468

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdeb13216.bat

Filesize
307B

MD5
11d13b0d97c9a59c0a93268eaffd9f31

SHA1
604a3972994761aca8f9584027585aa2c692808e

SHA256
5ec2c18fa7257d80a97d7ca0ea846bc4d6f309ebd5aecd3b22da69a19a240b08

SHA512
a990093d9ae92a3a8ec8ec719d4f5dfdcf92f5f3ebef1ac4b1195344f0a22f8d1f783e264c3974c4e1fe34b25992f4df0328fc41243c1aeaf1e120c39641641d

Download Submit
C:\Users\Admin\AppData\Roaming\Ipedmi\yhkawi.exe

Filesize
537KB

MD5
9eacbb37bd1980f118c061f6cd420350

SHA1
d9ce7e5c5aecbf250b4c2944dd910983d91f47bd

SHA256
e5ec37014c0c6087ee7345a040125ea4b81529519d1a4af58592116cb65cd383

SHA512
063704a9a5b88bd2eb627a8561aae493889cce57a627b09ad65f9df08bc7b15188459346ac3066cf65fa4dce1afb875a3b8bb9c1307ecc103b751852487436ed

Download Submit
C:\Users\Admin\AppData\Roaming\Ipedmi\yhkawi.exe

Filesize
537KB

MD5
9eacbb37bd1980f118c061f6cd420350

SHA1
d9ce7e5c5aecbf250b4c2944dd910983d91f47bd

SHA256
e5ec37014c0c6087ee7345a040125ea4b81529519d1a4af58592116cb65cd383

SHA512
063704a9a5b88bd2eb627a8561aae493889cce57a627b09ad65f9df08bc7b15188459346ac3066cf65fa4dce1afb875a3b8bb9c1307ecc103b751852487436ed

Download Submit
\Users\Admin\AppData\Roaming\Ipedmi\yhkawi.exe

Filesize
537KB

MD5
9eacbb37bd1980f118c061f6cd420350

SHA1
d9ce7e5c5aecbf250b4c2944dd910983d91f47bd

SHA256
e5ec37014c0c6087ee7345a040125ea4b81529519d1a4af58592116cb65cd383

SHA512
063704a9a5b88bd2eb627a8561aae493889cce57a627b09ad65f9df08bc7b15188459346ac3066cf65fa4dce1afb875a3b8bb9c1307ecc103b751852487436ed

Download Submit
memory/468-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-113-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/468-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-97-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/468-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/468-101-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/468-100-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/468-99-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/944-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-88-0x0000000000310000-0x000000000035C000-memory.dmp

Filesize
304KB

Download
memory/944-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1120-62-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/1120-64-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/1120-65-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/1120-67-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/1120-66-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/1176-70-0x0000000001B50000-0x0000000001B9C000-memory.dmp

Filesize
304KB

Download
memory/1176-71-0x0000000001B50000-0x0000000001B9C000-memory.dmp

Filesize
304KB

Download
memory/1176-72-0x0000000001B50000-0x0000000001B9C000-memory.dmp

Filesize
304KB

Download
memory/1176-73-0x0000000001B50000-0x0000000001B9C000-memory.dmp

Filesize
304KB

Download
memory/1204-79-0x0000000002950000-0x000000000299C000-memory.dmp

Filesize
304KB

Download
memory/1204-78-0x0000000002950000-0x000000000299C000-memory.dmp

Filesize
304KB

Download
memory/1204-77-0x0000000002950000-0x000000000299C000-memory.dmp

Filesize
304KB

Download
memory/1204-76-0x0000000002950000-0x000000000299C000-memory.dmp

Filesize
304KB

Download
memory/1256-103-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1256-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1256-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1256-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1256-85-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download
memory/1256-104-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download
memory/1256-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1256-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1256-87-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download
memory/1256-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1256-84-0x0000000000350000-0x000000000039C000-memory.dmp

Filesize
304KB

Download
memory/1256-82-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download
memory/1256-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-83-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download