00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781

Analysis

max time kernel
157s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe
Size

537KB
MD5

678624d681138314f82827cadbf309c2
SHA1

6a287d5119fd09792df4d77f162fa4d1c47b1144
SHA256

00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781
SHA512

7171cdff97b59a8369cd3eab96e6a5a25cdad8bcc0d8c6973e6350f9c2d8304ad7bdc8427e17d64552c46608749378e677d1c2e1601479640c13cdfa456c125b
SSDEEP

12288:byIwlgn+C5IxJ845HYV5sxOH/ccccccceBS:bYleav84a5sxKS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	ixesku.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	ixesku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{176762F4-556D-BCA0-3AE4-8903F7119301} = "C:\\Users\\Admin\\AppData\\Roaming\\Ewiz\\ixesku.exe"	ixesku.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 4236	4796	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	82

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe
4704	ixesku.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4704	4796	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	81
PID 4796 wrote to memory of 4704	4796	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	81
PID 4796 wrote to memory of 4704	4796	00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe	81
PID 4704 wrote to memory of 2420	4704	ixesku.exe	37
PID 4704 wrote to memory of 2420	4704	ixesku.exe	37
PID 4704 wrote to memory of 2420	4704	ixesku.exe	37
PID 4704 wrote to memory of 2420	4704	ixesku.exe	37
PID 4704 wrote to memory of 2420	4704	ixesku.exe	37
PID 4704 wrote to memory of 2452	4704	ixesku.exe	36
PID 4704 wrote to memory of 2452	4704	ixesku.exe	36
PID 4704 wrote to memory of 2452	4704	ixesku.exe	36
PID 4704 wrote to memory of 2452	4704	ixesku.exe	36
PID 4704 wrote to memory of 2452	4704	ixesku.exe	36
PID 4704 wrote to memory of 2660	4704	ixesku.exe	41
PID 4704 wrote to memory of 2660	4704	ixesku.exe	41
PID 4704 wrote to memory of 2660	4704	ixesku.exe	41
PID 4704 wrote to memory of 2660	4704	ixesku.exe	41
PID 4704 wrote to memory of 2660	4704	ixesku.exe	41
PID 4704 wrote to memory of 2576	4704	ixesku.exe	54
PID 4704 wrote to memory of 2576	4704	ixesku.exe	54
PID 4704 wrote to memory of 2576	4704	ixesku.exe	54
PID 4704 wrote to memory of 2576	4704	ixesku.exe	54
PID 4704 wrote to memory of 2576	4704	ixesku.exe	54
PID 4704 wrote to memory of 3100	4704	ixesku.exe	55
PID 4704 wrote to memory of 3100	4704	ixesku.exe	55
PID 4704 wrote to memory of 3100	4704	ixesku.exe	55
PID 4704 wrote to memory of 3100	4704	ixesku.exe	55
PID 4704 wrote to memory of 3100	4704	ixesku.exe	55
PID 4704 wrote to memory of 3312	4704	ixesku.exe	57
PID 4704 wrote to memory of 3312	4704	ixesku.exe	57
PID 4704 wrote to memory of 3312	4704	ixesku.exe	57
PID 4704 wrote to memory of 3312	4704	ixesku.exe	57
PID 4704 wrote to memory of 3312	4704	ixesku.exe	57
PID 4704 wrote to memory of 3400	4704	ixesku.exe	56
PID 4704 wrote to memory of 3400	4704	ixesku.exe	56
PID 4704 wrote to memory of 3400	4704	ixesku.exe	56
PID 4704 wrote to memory of 3400	4704	ixesku.exe	56
PID 4704 wrote to memory of 3400	4704	ixesku.exe	56
PID 4704 wrote to memory of 3468	4704	ixesku.exe	58
PID 4704 wrote to memory of 3468	4704	ixesku.exe	58
PID 4704 wrote to memory of 3468	4704	ixesku.exe	58
PID 4704 wrote to memory of 3468	4704	ixesku.exe	58
PID 4704 wrote to memory of 3468	4704	ixesku.exe	58
PID 4704 wrote to memory of 3560	4704	ixesku.exe	59
PID 4704 wrote to memory of 3560	4704	ixesku.exe	59
PID 4704 wrote to memory of 3560	4704	ixesku.exe	59
PID 4704 wrote to memory of 3560	4704	ixesku.exe	59
PID 4704 wrote to memory of 3560	4704	ixesku.exe	59
PID 4704 wrote to memory of 3700	4704	ixesku.exe	60
PID 4704 wrote to memory of 3700	4704	ixesku.exe	60
PID 4704 wrote to memory of 3700	4704	ixesku.exe	60
PID 4704 wrote to memory of 3700	4704	ixesku.exe	60
PID 4704 wrote to memory of 3700	4704	ixesku.exe	60
PID 4704 wrote to memory of 4560	4704	ixesku.exe	64
PID 4704 wrote to memory of 4560	4704	ixesku.exe	64
PID 4704 wrote to memory of 4560	4704	ixesku.exe	64
PID 4704 wrote to memory of 4560	4704	ixesku.exe	64
PID 4704 wrote to memory of 4560	4704	ixesku.exe	64
PID 4704 wrote to memory of 1484	4704	ixesku.exe	77
PID 4704 wrote to memory of 1484	4704	ixesku.exe	77
PID 4704 wrote to memory of 1484	4704	ixesku.exe	77
PID 4704 wrote to memory of 1484	4704	ixesku.exe	77
PID 4704 wrote to memory of 1484	4704	ixesku.exe	77
PID 4704 wrote to memory of 3968	4704	ixesku.exe	75

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2420

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2660

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe
  "C:\Users\Admin\AppData\Local\Temp\00d9d0d4316954933bbca30c96dbb983c5a2671c5ce64f76f16e0a963c6e1781.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Roaming\Ewiz\ixesku.exe
    "C:\Users\Admin\AppData\Roaming\Ewiz\ixesku.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd98b200a.bat"
    3⤵
    PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd98b200a.bat

Filesize
307B

MD5
60baccd5ac5f938556d6495a3f26154e

SHA1
edfd2b3f80a4200f748c2b8f3f0319238f4f6d09

SHA256
7c997bf3f71289b9b3d88acf8e29052081dc7dc6e2e3392dfa04aa25e04e8326

SHA512
9bd4735578a7e88b3003866ee7814117d85778ae48fd66e9c0bf2b3943d01539100e0e1341c7f0db93918978779b9590cda50d181507a6f9f0cdb711dda5f01d

Download Submit
C:\Users\Admin\AppData\Roaming\Ewiz\ixesku.exe

Filesize
537KB

MD5
aaafdc7bba9812f9d2bbd6e74d767b97

SHA1
4ce695022e2514251ce280ea2aa550fd2018447b

SHA256
5538c8f69e31d9ea5cd0bb2b4431e38186c31a30d3ac2be2bf75e2cd833aced7

SHA512
8b5e6337d4e02d85154b43b4ae07abd895d0606236a80642d59e230ca4b39f7aea0fc1e8fcb7899805e4326bf6856b7b7af9ce281b534788b0342d57aa995f22

Download Submit
C:\Users\Admin\AppData\Roaming\Ewiz\ixesku.exe

Filesize
537KB

MD5
aaafdc7bba9812f9d2bbd6e74d767b97

SHA1
4ce695022e2514251ce280ea2aa550fd2018447b

SHA256
5538c8f69e31d9ea5cd0bb2b4431e38186c31a30d3ac2be2bf75e2cd833aced7

SHA512
8b5e6337d4e02d85154b43b4ae07abd895d0606236a80642d59e230ca4b39f7aea0fc1e8fcb7899805e4326bf6856b7b7af9ce281b534788b0342d57aa995f22

Download Submit
memory/4236-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4236-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4236-155-0x0000000000510000-0x000000000055C000-memory.dmp

Filesize
304KB

Download
memory/4236-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4236-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4236-145-0x0000000000510000-0x000000000055C000-memory.dmp

Filesize
304KB

Download
memory/4236-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4236-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4704-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4704-156-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/4796-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4796-147-0x0000000002340000-0x000000000238C000-memory.dmp

Filesize
304KB

Download
memory/4796-133-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4796-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4796-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4796-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4796-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4796-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4796-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4796-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4796-134-0x0000000002270000-0x00000000022BC000-memory.dmp

Filesize
304KB

Download