fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5

Analysis

max time kernel
153s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
Size

170KB
MD5

500b64f3dd8333e68b96a7d828f43cfb
SHA1

58f590346a6cd5f77289fbdc330eebe522250c18
SHA256

fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5
SHA512

741788633dd06e8577b322e2d70af37cee1b14ecfb3c1ccdb13f8fe3cbb3bce34fa586cd09704d422d100e841f401fb03e0d013a84205451c63a116332267e2e
SSDEEP

3072:dt1fvMe5jjXVuh0BIifW531K8ju3c3qERubQSzUJUT+T2UkGtx1iUr42A:d/vMI8duW531K8ba0SCJLtx1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1828	vyhyq.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	vyhyq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Uccyt\\vyhyq.exe"	vyhyq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe
1828	vyhyq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
Token: SeSecurityPrivilege	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
Token: SeSecurityPrivilege	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1828	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	27
PID 692 wrote to memory of 1828	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	27
PID 692 wrote to memory of 1828	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	27
PID 692 wrote to memory of 1828	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	27
PID 1828 wrote to memory of 1112	1828	vyhyq.exe	19
PID 1828 wrote to memory of 1112	1828	vyhyq.exe	19
PID 1828 wrote to memory of 1112	1828	vyhyq.exe	19
PID 1828 wrote to memory of 1112	1828	vyhyq.exe	19
PID 1828 wrote to memory of 1112	1828	vyhyq.exe	19
PID 1828 wrote to memory of 1172	1828	vyhyq.exe	18
PID 1828 wrote to memory of 1172	1828	vyhyq.exe	18
PID 1828 wrote to memory of 1172	1828	vyhyq.exe	18
PID 1828 wrote to memory of 1172	1828	vyhyq.exe	18
PID 1828 wrote to memory of 1172	1828	vyhyq.exe	18
PID 1828 wrote to memory of 1212	1828	vyhyq.exe	12
PID 1828 wrote to memory of 1212	1828	vyhyq.exe	12
PID 1828 wrote to memory of 1212	1828	vyhyq.exe	12
PID 1828 wrote to memory of 1212	1828	vyhyq.exe	12
PID 1828 wrote to memory of 1212	1828	vyhyq.exe	12
PID 1828 wrote to memory of 692	1828	vyhyq.exe	26
PID 1828 wrote to memory of 692	1828	vyhyq.exe	26
PID 1828 wrote to memory of 692	1828	vyhyq.exe	26
PID 1828 wrote to memory of 692	1828	vyhyq.exe	26
PID 1828 wrote to memory of 692	1828	vyhyq.exe	26
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28
PID 692 wrote to memory of 1716	692	fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe
  "C:\Users\Admin\AppData\Local\Temp\fca4c3b287b4d368f61f67ededfa0ff9bc1161c48788e8e84d33fe96cf3ebff5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe
    "C:\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0d0fa598.bat"
    3⤵
    - Deletes itself
    PID:1716

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0d0fa598.bat

Filesize
307B

MD5
2ed3f23f951f54f13beb239a8c88a196

SHA1
0bc164e1c7dec0ffdd994af197586744da18fb8e

SHA256
27a4c52f7fc49c8835b8b0bd975443a459f7efc31cf347de52815ee3f56e9f06

SHA512
9b76f57ec41cb4ef1738577ca663c741576a7a165183e038a8558bb46bd61bd842dbddc0f41baa2399d977e483974c04ead3ae66a87cd571858cd1c533f8a2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Igysaz\ippyy.upy

Filesize
398B

MD5
766d27adb7fddad0ca1669aecf0f0107

SHA1
38a99845e7c8abe9ed3c10b188cebfb59c8b69d8

SHA256
661ddc77e67cd7f80389f8642d20434f747c9c6c20e8eef20d3b4e43b07d1b29

SHA512
0ba44f99c1a9232d50cfa4601c543a9b6dd9b68444f2a211ed69f9020b42265f392b1846a781a525032339ca8222c418979ef2b9e7c3075e4420846ad19d76ee

Download Submit
C:\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe

Filesize
170KB

MD5
d257fbfbeac5ea488c05423c0324b18c

SHA1
b73962b4a3980d575f885fc724952cd990005b8d

SHA256
b3f2c2d4c621b440b7bfebd16860542d51eab264eb64b44975eb7f3ef58683c1

SHA512
7f432943760225d3fa0141154c5d000cca8c6d59e4886a35a86e8dbeb5749730cacaee3fd0d25d97cb0d04ec8d41f3143e7b4c30530b8c8a24798ac196a12e57

Download Submit
C:\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe

Filesize
170KB

MD5
d257fbfbeac5ea488c05423c0324b18c

SHA1
b73962b4a3980d575f885fc724952cd990005b8d

SHA256
b3f2c2d4c621b440b7bfebd16860542d51eab264eb64b44975eb7f3ef58683c1

SHA512
7f432943760225d3fa0141154c5d000cca8c6d59e4886a35a86e8dbeb5749730cacaee3fd0d25d97cb0d04ec8d41f3143e7b4c30530b8c8a24798ac196a12e57

Download Submit
\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe

Filesize
170KB

MD5
d257fbfbeac5ea488c05423c0324b18c

SHA1
b73962b4a3980d575f885fc724952cd990005b8d

SHA256
b3f2c2d4c621b440b7bfebd16860542d51eab264eb64b44975eb7f3ef58683c1

SHA512
7f432943760225d3fa0141154c5d000cca8c6d59e4886a35a86e8dbeb5749730cacaee3fd0d25d97cb0d04ec8d41f3143e7b4c30530b8c8a24798ac196a12e57

Download Submit
\Users\Admin\AppData\Roaming\Uccyt\vyhyq.exe

Filesize
170KB

MD5
d257fbfbeac5ea488c05423c0324b18c

SHA1
b73962b4a3980d575f885fc724952cd990005b8d

SHA256
b3f2c2d4c621b440b7bfebd16860542d51eab264eb64b44975eb7f3ef58683c1

SHA512
7f432943760225d3fa0141154c5d000cca8c6d59e4886a35a86e8dbeb5749730cacaee3fd0d25d97cb0d04ec8d41f3143e7b4c30530b8c8a24798ac196a12e57

Download Submit
memory/692-100-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/692-56-0x0000000000200000-0x00000000002FE000-memory.dmp

Filesize
1016KB

Download
memory/692-60-0x0000000000200000-0x00000000002FE000-memory.dmp

Filesize
1016KB

Download
memory/692-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/692-55-0x0000000000520000-0x0000000000581000-memory.dmp

Filesize
388KB

Download
memory/692-98-0x0000000000200000-0x00000000002FE000-memory.dmp

Filesize
1016KB

Download
memory/692-84-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/692-89-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/692-87-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/692-86-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/692-85-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1112-64-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1112-69-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1112-66-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1112-68-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1112-67-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1172-75-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1172-74-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1172-73-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1172-72-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1212-80-0x0000000002B10000-0x0000000002B45000-memory.dmp

Filesize
212KB

Download
memory/1212-81-0x0000000002B10000-0x0000000002B45000-memory.dmp

Filesize
212KB

Download
memory/1212-78-0x0000000002B10000-0x0000000002B45000-memory.dmp

Filesize
212KB

Download
memory/1212-79-0x0000000002B10000-0x0000000002B45000-memory.dmp

Filesize
212KB

Download
memory/1716-93-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1716-96-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1716-95-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1716-97-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1716-104-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1828-88-0x0000000000950000-0x0000000000A4E000-memory.dmp

Filesize
1016KB

Download
memory/1828-99-0x0000000000950000-0x0000000000A4E000-memory.dmp

Filesize
1016KB

Download