9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe
Size

654KB
MD5

6a5a5a8edbbfd9935fe267fa68d8dc50
SHA1

81b5fd7ede7bd3fe0144ec1c857cc13e480904d2
SHA256

9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c
SHA512

b909c5c4745a1ed19efb9a4b19247c2df8a1ad2c3bfedd4ba400060fed74f0a65260778694a802bdb803c6a06943feea4823d4b2c2b03a0190d23a4c8d011240
SSDEEP

12288:B+m9zsNwJY8a2Pg9MknRqIxpa2Pg9MknRqIxM:BR9zyQ2wYMknRqIOwYMknRqI2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	yxir.exe

Deletes itself 1 IoCs

pid	Process
552	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	yxir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Uxuv\\yxir.exe"	yxir.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe
1176	yxir.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe
1176	yxir.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1176	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	26
PID 1112 wrote to memory of 1176	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	26
PID 1112 wrote to memory of 1176	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	26
PID 1112 wrote to memory of 1176	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	26
PID 1176 wrote to memory of 1300	1176	yxir.exe	9
PID 1176 wrote to memory of 1300	1176	yxir.exe	9
PID 1176 wrote to memory of 1300	1176	yxir.exe	9
PID 1176 wrote to memory of 1300	1176	yxir.exe	9
PID 1176 wrote to memory of 1300	1176	yxir.exe	9
PID 1176 wrote to memory of 1404	1176	yxir.exe	15
PID 1176 wrote to memory of 1404	1176	yxir.exe	15
PID 1176 wrote to memory of 1404	1176	yxir.exe	15
PID 1176 wrote to memory of 1404	1176	yxir.exe	15
PID 1176 wrote to memory of 1404	1176	yxir.exe	15
PID 1176 wrote to memory of 1444	1176	yxir.exe	10
PID 1176 wrote to memory of 1444	1176	yxir.exe	10
PID 1176 wrote to memory of 1444	1176	yxir.exe	10
PID 1176 wrote to memory of 1444	1176	yxir.exe	10
PID 1176 wrote to memory of 1444	1176	yxir.exe	10
PID 1176 wrote to memory of 1112	1176	yxir.exe	25
PID 1176 wrote to memory of 1112	1176	yxir.exe	25
PID 1176 wrote to memory of 1112	1176	yxir.exe	25
PID 1176 wrote to memory of 1112	1176	yxir.exe	25
PID 1176 wrote to memory of 1112	1176	yxir.exe	25
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27
PID 1112 wrote to memory of 552	1112	9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe
  "C:\Users\Admin\AppData\Local\Temp\9ba15b1ef7904a5a42d7e87ad34c44be03f861a7b8a08b6004e73e5a5d21a06c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Roaming\Uxuv\yxir.exe
    "C:\Users\Admin\AppData\Roaming\Uxuv\yxir.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp36790f65.bat"
    3⤵
    - Deletes itself
    PID:552

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp36790f65.bat

Filesize
307B

MD5
a6488f81ae4bc2e5a4ab3ce16b86d6e1

SHA1
7b2d54545a089ad7599b6019ea5eb2a34367174f

SHA256
263667af682c59a965e454c3cb343603406834427d06361919002f774e96a376

SHA512
f9a56f8edbd32b5513a682b0a53024ed122eb5a63e24fdc06e315a3ada289b0c8e543e46170af8fdaf452d2037a529490dee059b67c1c0e6243fba91c9babc12

Download Submit
C:\Users\Admin\AppData\Roaming\Uxuv\yxir.exe

Filesize
654KB

MD5
ec6828cf91e4af3be674df91d078cdb2

SHA1
1217d6535a766c863b76a2f559763f8c6d7d503e

SHA256
2fc20dc1f92ad1ddd18c3ad4d865308771fdd4d994ad1d84768002f74327aba6

SHA512
01e74d52f62d6c2c84dd6a6a779bd1ab9c23d2472058d6e81e4daa93d46b1dd1664817e71710fae2f8821ea3f77ff3c11d67d36ee8a4bb2a8fe312789987b134

Download Submit
C:\Users\Admin\AppData\Roaming\Uxuv\yxir.exe

Filesize
654KB

MD5
ec6828cf91e4af3be674df91d078cdb2

SHA1
1217d6535a766c863b76a2f559763f8c6d7d503e

SHA256
2fc20dc1f92ad1ddd18c3ad4d865308771fdd4d994ad1d84768002f74327aba6

SHA512
01e74d52f62d6c2c84dd6a6a779bd1ab9c23d2472058d6e81e4daa93d46b1dd1664817e71710fae2f8821ea3f77ff3c11d67d36ee8a4bb2a8fe312789987b134

Download Submit
\Users\Admin\AppData\Roaming\Uxuv\yxir.exe

Filesize
654KB

MD5
ec6828cf91e4af3be674df91d078cdb2

SHA1
1217d6535a766c863b76a2f559763f8c6d7d503e

SHA256
2fc20dc1f92ad1ddd18c3ad4d865308771fdd4d994ad1d84768002f74327aba6

SHA512
01e74d52f62d6c2c84dd6a6a779bd1ab9c23d2472058d6e81e4daa93d46b1dd1664817e71710fae2f8821ea3f77ff3c11d67d36ee8a4bb2a8fe312789987b134

Download Submit
memory/552-99-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/552-98-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/552-100-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/552-111-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/552-96-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/552-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/552-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/552-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/552-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/552-105-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1112-76-0x0000000000340000-0x000000000038D000-memory.dmp

Filesize
308KB

Download
memory/1112-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1112-102-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1112-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1112-103-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1112-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1112-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1112-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-87-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1112-88-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1112-89-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1112-90-0x00000000004B0000-0x00000000004FD000-memory.dmp

Filesize
308KB

Download
memory/1112-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1176-84-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1176-82-0x00000000002D0000-0x000000000031D000-memory.dmp

Filesize
308KB

Download
memory/1300-67-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1300-66-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1300-65-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1300-64-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1300-62-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1404-73-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1404-72-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1404-71-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1404-70-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1444-83-0x0000000002530000-0x000000000257D000-memory.dmp

Filesize
308KB

Download
memory/1444-81-0x0000000002530000-0x000000000257D000-memory.dmp

Filesize
308KB

Download
memory/1444-77-0x0000000002530000-0x000000000257D000-memory.dmp

Filesize
308KB

Download
memory/1444-79-0x0000000002530000-0x000000000257D000-memory.dmp

Filesize
308KB

Download