6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
Size

228KB
MD5

683972d3db620655aeb076a2da1dbad0
SHA1

30911d7ae02aa2760e7d1c11e9929793984d7147
SHA256

6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa
SHA512

4fc097747cedf1a14f885efa02d9a603b4a992ee61e20948de45715b41aecea79619fcb6689b41c14a7c5628accf2e7108c50e52a3e0312cf443253ba669c4f4
SSDEEP

3072:mMuyeoi3/uRmhxJ5avGJSfme2E/7rBPiQKFw7W/m5qZdWABO4dj41v/:mMlrMJ0uJSfDB/tZNU/nVHj41v/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3968	enywo.exe
4668	enywo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 3968 set thread context of 4668	3968	enywo.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4668	enywo.exe
4668	enywo.exe
4668	enywo.exe
4668	enywo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
3968	enywo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4936 wrote to memory of 4476	4936	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	82
PID 4476 wrote to memory of 3968	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	83
PID 4476 wrote to memory of 3968	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	83
PID 4476 wrote to memory of 3968	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	83
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 3968 wrote to memory of 4668	3968	enywo.exe	84
PID 4476 wrote to memory of 3984	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	85
PID 4476 wrote to memory of 3984	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	85
PID 4476 wrote to memory of 3984	4476	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	85
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 5020	4668	enywo.exe	87
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2516	4668	enywo.exe	32
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2528	4668	enywo.exe	35
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2636	4668	enywo.exe	49
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 2596	4668	enywo.exe	54
PID 4668 wrote to memory of 944	4668	enywo.exe	55
PID 4668 wrote to memory of 944	4668	enywo.exe	55
PID 4668 wrote to memory of 944	4668	enywo.exe	55
PID 4668 wrote to memory of 944	4668	enywo.exe	55

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2636

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
  "C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
    C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe
      "C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe
        
        C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp428e5caf.bat"
      4⤵
      PID:3984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp428e5caf.bat

Filesize
307B

MD5
e5714340ac9d3e8a3772529861aea058

SHA1
88ef6e32f54f8bd3965d801bacffd3d219e646d4

SHA256
f85d85b2a1b92e3ae026798c1419bdbd2625f4f52c1b8bbe10e8845fe5320cda

SHA512
218dbeb5b682e1467717a032d591dc8cdc62e431347eac4a19d65728266b3b6510387fa3276f71d3fc1eff0753f40cf325424b77c91c493c4af9c003c3074668

Download Submit
C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe

Filesize
228KB

MD5
d7007bbcd4fe6ff9794f4f5fcf1785a9

SHA1
59d45ad2035d904cc087300af585d285f3167f29

SHA256
cc6014fe96ce74004856d9bae92d709aba395678fddbc68c8ecec8f576a11602

SHA512
503b4ddbaed6d5c328ac5b632c68f364b8906f7e3617901ce87ea6eaa5fd9dee5f572915f17fe3b2de1b18ba5be944dcf3187a7c19e099e723ca1c509a7a34e8

Download Submit
C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe

Filesize
228KB

MD5
d7007bbcd4fe6ff9794f4f5fcf1785a9

SHA1
59d45ad2035d904cc087300af585d285f3167f29

SHA256
cc6014fe96ce74004856d9bae92d709aba395678fddbc68c8ecec8f576a11602

SHA512
503b4ddbaed6d5c328ac5b632c68f364b8906f7e3617901ce87ea6eaa5fd9dee5f572915f17fe3b2de1b18ba5be944dcf3187a7c19e099e723ca1c509a7a34e8

Download Submit
C:\Users\Admin\AppData\Roaming\Xoest\enywo.exe

Filesize
228KB

MD5
d7007bbcd4fe6ff9794f4f5fcf1785a9

SHA1
59d45ad2035d904cc087300af585d285f3167f29

SHA256
cc6014fe96ce74004856d9bae92d709aba395678fddbc68c8ecec8f576a11602

SHA512
503b4ddbaed6d5c328ac5b632c68f364b8906f7e3617901ce87ea6eaa5fd9dee5f572915f17fe3b2de1b18ba5be944dcf3187a7c19e099e723ca1c509a7a34e8

Download Submit
memory/4476-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4476-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4476-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4668-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4668-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-137-0x0000000000AB0000-0x0000000000AB4000-memory.dmp

Filesize
16KB

Download
memory/5020-153-0x00000000010E0000-0x000000000110C000-memory.dmp

Filesize
176KB

Download