a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe
Size

300KB
MD5

a20120062a1ddb5abf58c674ad023660
SHA1

33c042aaf21b64229a3ee8fa00390f96c67a9714
SHA256

a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b
SHA512

539a89f245ceb6ec9cfc520fd0d982cc3f25c61f3862013e112d3d98bfa5cc7ad1334672ca2ce329c3a08d1b8662ab2a6a4a8f58c75285602408f7c63a2e55cb
SSDEEP

6144:UlSWnu93+NLuC6vKljOuf+DrIhoG5L/hztBOMygTikuu:AGq6vKQDEi6J9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	awtavo.exe

Deletes itself 1 IoCs

pid	Process
1104	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe
1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	awtavo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Kuycbi\\awtavo.exe"	awtavo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe
2032	awtavo.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2032	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	27
PID 1348 wrote to memory of 2032	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	27
PID 1348 wrote to memory of 2032	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	27
PID 1348 wrote to memory of 2032	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	27
PID 2032 wrote to memory of 1068	2032	awtavo.exe	18
PID 2032 wrote to memory of 1068	2032	awtavo.exe	18
PID 2032 wrote to memory of 1068	2032	awtavo.exe	18
PID 2032 wrote to memory of 1068	2032	awtavo.exe	18
PID 2032 wrote to memory of 1068	2032	awtavo.exe	18
PID 2032 wrote to memory of 1164	2032	awtavo.exe	16
PID 2032 wrote to memory of 1164	2032	awtavo.exe	16
PID 2032 wrote to memory of 1164	2032	awtavo.exe	16
PID 2032 wrote to memory of 1164	2032	awtavo.exe	16
PID 2032 wrote to memory of 1164	2032	awtavo.exe	16
PID 2032 wrote to memory of 1208	2032	awtavo.exe	15
PID 2032 wrote to memory of 1208	2032	awtavo.exe	15
PID 2032 wrote to memory of 1208	2032	awtavo.exe	15
PID 2032 wrote to memory of 1208	2032	awtavo.exe	15
PID 2032 wrote to memory of 1208	2032	awtavo.exe	15
PID 2032 wrote to memory of 1348	2032	awtavo.exe	26
PID 2032 wrote to memory of 1348	2032	awtavo.exe	26
PID 2032 wrote to memory of 1348	2032	awtavo.exe	26
PID 2032 wrote to memory of 1348	2032	awtavo.exe	26
PID 2032 wrote to memory of 1348	2032	awtavo.exe	26
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28
PID 1348 wrote to memory of 1104	1348	a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe
  "C:\Users\Admin\AppData\Local\Temp\a250e5c0152c27b19be7a907c8d8ba856b1fced391d4cc680e5cd2fc6913823b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe
    "C:\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfba18cea.bat"
    3⤵
    - Deletes itself
    PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfba18cea.bat

Filesize
307B

MD5
a438056e9b87e98d5be4a60b4f0459a1

SHA1
0a45e0936c62acbcf0ceecd0e0578b91c0da87b0

SHA256
97089e5ac1b2b9cd8b62c3c5c8fb4c4e7eecfb482e20c135bde2fd41e21c307d

SHA512
84ed95ea7b2c5fff6c93f44335da7ba65d8d4890529f75d5556de0e978f820570a392200c0941b0332e970c239504ed12231607fcd295def63f2a86943c7e588

Download Submit
C:\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe

Filesize
300KB

MD5
dcf95b379361a2c34dd58ad10b188afd

SHA1
bf91da89c4ecad4b0014816e903267a8cb6fcca6

SHA256
45e7d1490fde91e0aef20bd528ced411134014433795aabeda0ea68f1993a4fe

SHA512
34124d0a77fe4f502a8be411125cf1155c4caed59a801951720d767e5129e85d4bc142cb0f59971c3ef4706580661b950d2f3d80f0d0e1171d1dab15c2a83329

Download Submit
C:\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe

Filesize
300KB

MD5
dcf95b379361a2c34dd58ad10b188afd

SHA1
bf91da89c4ecad4b0014816e903267a8cb6fcca6

SHA256
45e7d1490fde91e0aef20bd528ced411134014433795aabeda0ea68f1993a4fe

SHA512
34124d0a77fe4f502a8be411125cf1155c4caed59a801951720d767e5129e85d4bc142cb0f59971c3ef4706580661b950d2f3d80f0d0e1171d1dab15c2a83329

Download Submit
\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe

Filesize
300KB

MD5
dcf95b379361a2c34dd58ad10b188afd

SHA1
bf91da89c4ecad4b0014816e903267a8cb6fcca6

SHA256
45e7d1490fde91e0aef20bd528ced411134014433795aabeda0ea68f1993a4fe

SHA512
34124d0a77fe4f502a8be411125cf1155c4caed59a801951720d767e5129e85d4bc142cb0f59971c3ef4706580661b950d2f3d80f0d0e1171d1dab15c2a83329

Download Submit
\Users\Admin\AppData\Roaming\Kuycbi\awtavo.exe

Filesize
300KB

MD5
dcf95b379361a2c34dd58ad10b188afd

SHA1
bf91da89c4ecad4b0014816e903267a8cb6fcca6

SHA256
45e7d1490fde91e0aef20bd528ced411134014433795aabeda0ea68f1993a4fe

SHA512
34124d0a77fe4f502a8be411125cf1155c4caed59a801951720d767e5129e85d4bc142cb0f59971c3ef4706580661b950d2f3d80f0d0e1171d1dab15c2a83329

Download Submit
memory/1068-68-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1068-70-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1068-69-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1068-65-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1068-67-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1104-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1164-76-0x0000000001CC0000-0x0000000001D08000-memory.dmp

Filesize
288KB

Download
memory/1164-75-0x0000000001CC0000-0x0000000001D08000-memory.dmp

Filesize
288KB

Download
memory/1164-74-0x0000000001CC0000-0x0000000001D08000-memory.dmp

Filesize
288KB

Download
memory/1164-73-0x0000000001CC0000-0x0000000001D08000-memory.dmp

Filesize
288KB

Download
memory/1208-81-0x0000000002AA0000-0x0000000002AE8000-memory.dmp

Filesize
288KB

Download
memory/1208-82-0x0000000002AA0000-0x0000000002AE8000-memory.dmp

Filesize
288KB

Download
memory/1208-79-0x0000000002AA0000-0x0000000002AE8000-memory.dmp

Filesize
288KB

Download
memory/1208-80-0x0000000002AA0000-0x0000000002AE8000-memory.dmp

Filesize
288KB

Download
memory/1348-103-0x0000000001E60000-0x0000000001EA8000-memory.dmp

Filesize
288KB

Download
memory/1348-85-0x0000000001E60000-0x0000000001EA8000-memory.dmp

Filesize
288KB

Download
memory/1348-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1348-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-88-0x0000000001E60000-0x0000000001EA8000-memory.dmp

Filesize
288KB

Download
memory/1348-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-87-0x0000000001E60000-0x0000000001EA8000-memory.dmp

Filesize
288KB

Download
memory/1348-86-0x0000000001E60000-0x0000000001EA8000-memory.dmp

Filesize
288KB

Download
memory/1348-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download