a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe
Size

304KB
MD5

6535027dc744b7948659706907ba5f20
SHA1

60c262b9644be36bb9c941fd7c6ba274e02c2ae2
SHA256

a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523
SHA512

ec2d8e5771eb13af779035cef01514b578ebdb126cca2bca91068005ce76b20c9aef3d13d542cf83bd003409bfe3686b59d5b4bcfd1dea4ce98be656d163d9d6
SSDEEP

6144:8cP+wbqVxSVN8tMdEfOjthSDwcz0pziDfjDaND:DJb04sWIzmYfCND

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	kyesg.exe

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe
1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	kyesg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kyesg = "C:\\Users\\Admin\\AppData\\Roaming\\Zaugx\\kyesg.exe"	kyesg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe
1948	kyesg.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1948	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	28
PID 1636 wrote to memory of 1948	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	28
PID 1636 wrote to memory of 1948	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	28
PID 1636 wrote to memory of 1948	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	28
PID 1948 wrote to memory of 1120	1948	kyesg.exe	15
PID 1948 wrote to memory of 1120	1948	kyesg.exe	15
PID 1948 wrote to memory of 1120	1948	kyesg.exe	15
PID 1948 wrote to memory of 1120	1948	kyesg.exe	15
PID 1948 wrote to memory of 1120	1948	kyesg.exe	15
PID 1948 wrote to memory of 1164	1948	kyesg.exe	9
PID 1948 wrote to memory of 1164	1948	kyesg.exe	9
PID 1948 wrote to memory of 1164	1948	kyesg.exe	9
PID 1948 wrote to memory of 1164	1948	kyesg.exe	9
PID 1948 wrote to memory of 1164	1948	kyesg.exe	9
PID 1948 wrote to memory of 1196	1948	kyesg.exe	12
PID 1948 wrote to memory of 1196	1948	kyesg.exe	12
PID 1948 wrote to memory of 1196	1948	kyesg.exe	12
PID 1948 wrote to memory of 1196	1948	kyesg.exe	12
PID 1948 wrote to memory of 1196	1948	kyesg.exe	12
PID 1948 wrote to memory of 1636	1948	kyesg.exe	27
PID 1948 wrote to memory of 1636	1948	kyesg.exe	27
PID 1948 wrote to memory of 1636	1948	kyesg.exe	27
PID 1948 wrote to memory of 1636	1948	kyesg.exe	27
PID 1948 wrote to memory of 1636	1948	kyesg.exe	27
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29
PID 1636 wrote to memory of 1540	1636	a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe
  "C:\Users\Admin\AppData\Local\Temp\a127e09a548a05765b4cf553ae6a92148a52254d6990f5bc1daeb06b0b3fa523.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe
    "C:\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\GQI72C5.bat"
    3⤵
    - Deletes itself
    PID:1540

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GQI72C5.bat

Filesize
303B

MD5
259e4fce9d65ce0bdd596c7057f648c2

SHA1
625ec7bcec17260abc3f67d05f9b416832c2ec4e

SHA256
af3f6ef815ac4c9d548058bd9f80c9c21a2fde6e7b76aec8b5bbd70481ec1ea5

SHA512
a97130d8300a87879cc9453b80c9d196dd63df8c042e79d841a44d15ce5b39db2b1609c1b7b5cc2c990598e88795d8161338c8f55702718c72719c421457716c

Download Submit
C:\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe

Filesize
304KB

MD5
b91afc8bd4674d6c082e3d626419110e

SHA1
57bb6afb84bb013084d95ada16f57457a0f69035

SHA256
291d0a2407efc92dcc68dccf4bade2d50231dc733c0ab05a1c1b4785481532c0

SHA512
5cf60a82187e0e291213df9a213a83d51f61e92775fd2fd8519d6e47c359f434632a7fbcb8aeb9c187632c59542d699cd9abb748c9a2e1b023ae793739f93c96

Download Submit
C:\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe

Filesize
304KB

MD5
b91afc8bd4674d6c082e3d626419110e

SHA1
57bb6afb84bb013084d95ada16f57457a0f69035

SHA256
291d0a2407efc92dcc68dccf4bade2d50231dc733c0ab05a1c1b4785481532c0

SHA512
5cf60a82187e0e291213df9a213a83d51f61e92775fd2fd8519d6e47c359f434632a7fbcb8aeb9c187632c59542d699cd9abb748c9a2e1b023ae793739f93c96

Download Submit
\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe

Filesize
304KB

MD5
b91afc8bd4674d6c082e3d626419110e

SHA1
57bb6afb84bb013084d95ada16f57457a0f69035

SHA256
291d0a2407efc92dcc68dccf4bade2d50231dc733c0ab05a1c1b4785481532c0

SHA512
5cf60a82187e0e291213df9a213a83d51f61e92775fd2fd8519d6e47c359f434632a7fbcb8aeb9c187632c59542d699cd9abb748c9a2e1b023ae793739f93c96

Download Submit
\Users\Admin\AppData\Roaming\Zaugx\kyesg.exe

Filesize
304KB

MD5
b91afc8bd4674d6c082e3d626419110e

SHA1
57bb6afb84bb013084d95ada16f57457a0f69035

SHA256
291d0a2407efc92dcc68dccf4bade2d50231dc733c0ab05a1c1b4785481532c0

SHA512
5cf60a82187e0e291213df9a213a83d51f61e92775fd2fd8519d6e47c359f434632a7fbcb8aeb9c187632c59542d699cd9abb748c9a2e1b023ae793739f93c96

Download Submit
memory/1120-65-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1120-67-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1164-75-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1164-73-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1164-76-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1164-74-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1196-82-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/1196-79-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/1196-81-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/1196-80-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/1540-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1540-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1540-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1540-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1540-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1636-86-0x0000000002570000-0x00000000025B9000-memory.dmp

Filesize
292KB

Download
memory/1636-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-103-0x0000000002570000-0x00000000025B9000-memory.dmp

Filesize
292KB

Download
memory/1636-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-88-0x0000000002570000-0x00000000025B9000-memory.dmp

Filesize
292KB

Download
memory/1636-87-0x0000000002570000-0x00000000025B9000-memory.dmp

Filesize
292KB

Download
memory/1636-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1636-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-85-0x0000000002570000-0x00000000025B9000-memory.dmp

Filesize
292KB

Download
memory/1636-56-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1948-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download