76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe
Size

302KB
MD5

f49fddc40d0c5673c8f4ff7f870f7174
SHA1

c497c9a5cc3325061c481b13e37917b1b80d7034
SHA256

76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851
SHA512

97ae3315df4211bd7211160018394631c391d93234c3926c3ebc4e9373b0b7f7179e04402d45d258b51f8a0796d700f441d49fdb8397d63b4cd2a2198841eddb
SSDEEP

6144:J5a/QdTpaguyeUhNzdDXMf7bG88eMfaDehkVQDR5Tr:/agVaWeUhXQGfxaqDL

Score

9^/10

persistence

Malware Config

Signatures

Molebox Virtualization software 3 IoCs

Detects file using Molebox Virtualization software.

resource	yara_rule
behavioral2/files/0x0007000000022f4a-139.dat	molebox
behavioral2/files/0x0007000000022f4a-140.dat	molebox
behavioral2/files/0x0007000000022f4a-144.dat	molebox

Executes dropped EXE 2 IoCs

pid	Process
2628	byivna.exe
4980	byivna.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	byivna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4CDAB5F0-556D-BCA0-9C47-614551B27B47} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzan\\byivna.exe"	byivna.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4100 set thread context of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 2628 set thread context of 4980	2628	byivna.exe	90

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe
4980	byivna.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 4100 wrote to memory of 3240	4100	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	85
PID 3240 wrote to memory of 2628	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	87
PID 3240 wrote to memory of 2628	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	87
PID 3240 wrote to memory of 2628	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	87
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 2628 wrote to memory of 4980	2628	byivna.exe	90
PID 4980 wrote to memory of 2360	4980	byivna.exe	66
PID 4980 wrote to memory of 2360	4980	byivna.exe	66
PID 4980 wrote to memory of 2360	4980	byivna.exe	66
PID 4980 wrote to memory of 2360	4980	byivna.exe	66
PID 4980 wrote to memory of 2360	4980	byivna.exe	66
PID 4980 wrote to memory of 2376	4980	byivna.exe	65
PID 4980 wrote to memory of 2376	4980	byivna.exe	65
PID 4980 wrote to memory of 2376	4980	byivna.exe	65
PID 4980 wrote to memory of 2376	4980	byivna.exe	65
PID 4980 wrote to memory of 2376	4980	byivna.exe	65
PID 4980 wrote to memory of 2476	4980	byivna.exe	28
PID 4980 wrote to memory of 2476	4980	byivna.exe	28
PID 4980 wrote to memory of 2476	4980	byivna.exe	28
PID 4980 wrote to memory of 2476	4980	byivna.exe	28
PID 4980 wrote to memory of 2476	4980	byivna.exe	28
PID 4980 wrote to memory of 3020	4980	byivna.exe	56
PID 4980 wrote to memory of 3020	4980	byivna.exe	56
PID 4980 wrote to memory of 3020	4980	byivna.exe	56
PID 4980 wrote to memory of 3020	4980	byivna.exe	56
PID 4980 wrote to memory of 3020	4980	byivna.exe	56
PID 4980 wrote to memory of 2420	4980	byivna.exe	55
PID 4980 wrote to memory of 2420	4980	byivna.exe	55
PID 4980 wrote to memory of 2420	4980	byivna.exe	55
PID 4980 wrote to memory of 2420	4980	byivna.exe	55
PID 4980 wrote to memory of 2420	4980	byivna.exe	55
PID 4980 wrote to memory of 3244	4980	byivna.exe	54
PID 3240 wrote to memory of 1316	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	91
PID 3240 wrote to memory of 1316	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	91
PID 3240 wrote to memory of 1316	3240	76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe	91
PID 4980 wrote to memory of 3244	4980	byivna.exe	54
PID 4980 wrote to memory of 3244	4980	byivna.exe	54
PID 4980 wrote to memory of 3244	4980	byivna.exe	54
PID 4980 wrote to memory of 3244	4980	byivna.exe	54
PID 4980 wrote to memory of 3344	4980	byivna.exe	53
PID 4980 wrote to memory of 3344	4980	byivna.exe	53
PID 4980 wrote to memory of 3344	4980	byivna.exe	53
PID 4980 wrote to memory of 3344	4980	byivna.exe	53
PID 4980 wrote to memory of 3344	4980	byivna.exe	53
PID 4980 wrote to memory of 3408	4980	byivna.exe	52
PID 4980 wrote to memory of 3408	4980	byivna.exe	52
PID 4980 wrote to memory of 3408	4980	byivna.exe	52
PID 4980 wrote to memory of 3408	4980	byivna.exe	52
PID 4980 wrote to memory of 3408	4980	byivna.exe	52
PID 4980 wrote to memory of 3488	4980	byivna.exe	30
PID 4980 wrote to memory of 3488	4980	byivna.exe	30

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe
  "C:\Users\Admin\AppData\Local\Temp\76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe
    "C:\Users\Admin\AppData\Local\Temp\76a67bf7c89c3d40366d9ee2b04f38ed07e5eea35f3e7fe6cd3416184446f851.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe
      "C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe
        
        "C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbdfa591b.bat"
      4⤵
      PID:1316
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbdfa591b.bat

Filesize
307B

MD5
9a18d828c5ec93ea67fd13b2d109faf7

SHA1
bb6344c78817be0d4879b8d6073a39e608610d09

SHA256
c77d450fe830d7807dcd9d05c3b627333def29109b0eb416683221a4f65adb14

SHA512
0b9e8e742d32d5529b471fa5d8ade54db9b58a44eeb844eaa7eb3d352243317430edaa9b05929562b7508673dc970ac8cc8e23c69d52d24dab149d9409785b3d

Download Submit
C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe

Filesize
302KB

MD5
5894fd08364aef19dea93ad41e3f1e77

SHA1
91061824a2545d03159b24680555f5470cf73e32

SHA256
1f47ef4527810256f0608e4996c31064d55b7e72fd0c9ffde56ec8e535a74b48

SHA512
1553a4b18a64510499e62261f0651decfc65ba6bb94b14c56d1fd92876be20952756f424cb6b95741d1514d233645b0a73f91cd0980284af404e88a73cfe05b7

Download Submit
C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe

Filesize
302KB

MD5
5894fd08364aef19dea93ad41e3f1e77

SHA1
91061824a2545d03159b24680555f5470cf73e32

SHA256
1f47ef4527810256f0608e4996c31064d55b7e72fd0c9ffde56ec8e535a74b48

SHA512
1553a4b18a64510499e62261f0651decfc65ba6bb94b14c56d1fd92876be20952756f424cb6b95741d1514d233645b0a73f91cd0980284af404e88a73cfe05b7

Download Submit
C:\Users\Admin\AppData\Roaming\Uzan\byivna.exe

Filesize
302KB

MD5
5894fd08364aef19dea93ad41e3f1e77

SHA1
91061824a2545d03159b24680555f5470cf73e32

SHA256
1f47ef4527810256f0608e4996c31064d55b7e72fd0c9ffde56ec8e535a74b48

SHA512
1553a4b18a64510499e62261f0651decfc65ba6bb94b14c56d1fd92876be20952756f424cb6b95741d1514d233645b0a73f91cd0980284af404e88a73cfe05b7

Download Submit
memory/1316-151-0x0000000000890000-0x00000000008D7000-memory.dmp

Filesize
284KB

Download
memory/2628-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2628-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3240-137-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-134-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-150-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4100-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-148-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4980-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4980-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download