294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164

Analysis

max time kernel
102s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe
Size

192KB
MD5

6bb975f1e0ae62288085df9a9bbbfdc0
SHA1

0352d733871988df9daf4710eb7bbf90dc146d53
SHA256

294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164
SHA512

acdaed1412ac702183bb7e60196807f925fcebd053d5b71d95029f7f42d61062c8f80139ce79f21ace1f7d811edb64c4bf469bd10be49c5e52ce80de91bee6ea
SSDEEP

3072:HhJoS8kLZJSn8WO+SbtOWQLWF42yIr85rKjkjv/ATsuZfl:HfoPwtOWQIbkjv/AwuZ9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4216	uyhrqo.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\muyhr	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\muyhr	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	uyhrqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\muyhr\\command	uyhrqo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1748	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 5088	2168	294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe	84
PID 2168 wrote to memory of 5088	2168	294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe	84
PID 2168 wrote to memory of 5088	2168	294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe	84
PID 5088 wrote to memory of 4216	5088	cmd.exe	87
PID 5088 wrote to memory of 4216	5088	cmd.exe	87
PID 5088 wrote to memory of 4216	5088	cmd.exe	87
PID 5088 wrote to memory of 1748	5088	cmd.exe	88
PID 5088 wrote to memory of 1748	5088	cmd.exe	88
PID 5088 wrote to memory of 1748	5088	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe
"C:\Users\Admin\AppData\Local\Temp\294e44993a7c4009e5fb5590df6ae677fccf045a86af1fbeb1494410f626d164.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsiikpt.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\uyhrqo.exe
    "C:\Users\Admin\AppData\Local\Temp\uyhrqo.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4216
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tsiikpt.bat

Filesize
124B

MD5
85f9b658ba8550eade5df42e6f075e39

SHA1
3a6b0963e8f5e7ed43fe32b7dd23fd707f85ba67

SHA256
1c0632988bf159a870e40ae9a96e4da89484f5e6f12f4777ba110f2901adfd31

SHA512
21f71023845fa49390cfb2f778a493f45ff53aa0e4c9f51db983abdc1d2613b68a6ee3564329cac04ae2b7d68f208b3137d17bd4185cca384c3bdf7d98372381

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvcuqw.bat

Filesize
188B

MD5
93d52cd571869fbb8b99cafd65af4f70

SHA1
e80c6dbf305beff852c41d43a5a16672776d5326

SHA256
09ba715429ed41d9152bd043cdbdbed6db3fcd932fa1211c87c2ea306d22d48a

SHA512
366a6a9e6dee2fcd3f646db39757d97fafc6912b6a644a85e3f6b3c6238e88c0b0ff1d1357b06e7cecf45b8ce3f183e9980b0957cc1c85a16a0bf55f401f1ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyhrqo.exe

Filesize
144KB

MD5
cafbd7e832d31e6279f9ceb8c60ea14e

SHA1
7a241901846468052bba26d1234b231cd855da44

SHA256
c3d9abd59326e6e3a785db4948bc7967b16df46ae74fe4aef97a72b26383f60f

SHA512
55881fbd0c36144060d107610ced6e5dc431af73f44adcbf7fb0006eb56973869315706723ba969c83132fb9d04595cdd08847acef02dbfd99084d8a8161d861

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyhrqo.exe

Filesize
144KB

MD5
cafbd7e832d31e6279f9ceb8c60ea14e

SHA1
7a241901846468052bba26d1234b231cd855da44

SHA256
c3d9abd59326e6e3a785db4948bc7967b16df46ae74fe4aef97a72b26383f60f

SHA512
55881fbd0c36144060d107610ced6e5dc431af73f44adcbf7fb0006eb56973869315706723ba969c83132fb9d04595cdd08847acef02dbfd99084d8a8161d861

Download Submit