432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe
Size

310KB
MD5

81a0b80ee5f5ee1e75b1ae74563f2750
SHA1

5f34eea99d796b5c9e7102eabc51b52951d5aed6
SHA256

432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61
SHA512

dab60f1d859741c49f2aa8fec5a2d35f29fcffb9fd3995f6e4d48097ef4eb713853927b5e95ac3010245a1a1551d58bc31e9755fff5cddf146c662f64dd9469d
SSDEEP

6144:n5gmYsN9JqVvmBkQArkr6EcgSzFuq/fStmYEu5mlkZNexor+2T:59FN9JgEk1kr6EcpuU6tmYEuk6HeU+G

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	dyix.exe

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe
1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	dyix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Owge\\dyix.exe"	dyix.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe
2008	dyix.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2008	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	27
PID 1708 wrote to memory of 2008	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	27
PID 1708 wrote to memory of 2008	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	27
PID 1708 wrote to memory of 2008	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	27
PID 2008 wrote to memory of 1260	2008	dyix.exe	5
PID 2008 wrote to memory of 1260	2008	dyix.exe	5
PID 2008 wrote to memory of 1260	2008	dyix.exe	5
PID 2008 wrote to memory of 1260	2008	dyix.exe	5
PID 2008 wrote to memory of 1260	2008	dyix.exe	5
PID 2008 wrote to memory of 1364	2008	dyix.exe	12
PID 2008 wrote to memory of 1364	2008	dyix.exe	12
PID 2008 wrote to memory of 1364	2008	dyix.exe	12
PID 2008 wrote to memory of 1364	2008	dyix.exe	12
PID 2008 wrote to memory of 1364	2008	dyix.exe	12
PID 2008 wrote to memory of 1420	2008	dyix.exe	11
PID 2008 wrote to memory of 1420	2008	dyix.exe	11
PID 2008 wrote to memory of 1420	2008	dyix.exe	11
PID 2008 wrote to memory of 1420	2008	dyix.exe	11
PID 2008 wrote to memory of 1420	2008	dyix.exe	11
PID 2008 wrote to memory of 1708	2008	dyix.exe	14
PID 2008 wrote to memory of 1708	2008	dyix.exe	14
PID 2008 wrote to memory of 1708	2008	dyix.exe	14
PID 2008 wrote to memory of 1708	2008	dyix.exe	14
PID 2008 wrote to memory of 1708	2008	dyix.exe	14
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28
PID 1708 wrote to memory of 1312	1708	432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe
  "C:\Users\Admin\AppData\Local\Temp\432b328a6bb68dda5ed8160313f2b4a270d9bcdb2305f60f608e72cff0b73c61.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Roaming\Owge\dyix.exe
    "C:\Users\Admin\AppData\Roaming\Owge\dyix.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdba20a3e.bat"
    3⤵
    - Deletes itself
    PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdba20a3e.bat

Filesize
307B

MD5
f07ed99a5778141aa88b29e6eca5b87d

SHA1
ca770ae6fc25612d1603d911a56724cce5cfed9e

SHA256
fc92641f238c35193cdd2c356988a0d4b573b4e5283ffae6e2e38d55fc5b87e7

SHA512
9b13396e82ffbae49e04eb3d5f5d2166dfb3e429e6f596b3d5130275df4c883d449f562632604981ce1c20a5e670c3c094de22ccd8e37f4daab50d05b3aacbe5

Download Submit
C:\Users\Admin\AppData\Roaming\Owge\dyix.exe

Filesize
310KB

MD5
bb6bc71c2f44290ef8f88bb85569396d

SHA1
96f32e88e705aa275202672dfde8fd905c8d5c63

SHA256
627b5e70f89ea6572413af69213fbe74652877e2e69dc49ddb69b0a751dd4600

SHA512
6a0f3b7c62a9eb4a2588e44b7a3daea9c0a0114efcffd1c06b62fe67ff42ae69b66f641bcea3d6a20d123bc5d3dbb46f2d034567b77e4f76d9e843fba45bdbb6

Download Submit
C:\Users\Admin\AppData\Roaming\Owge\dyix.exe

Filesize
310KB

MD5
bb6bc71c2f44290ef8f88bb85569396d

SHA1
96f32e88e705aa275202672dfde8fd905c8d5c63

SHA256
627b5e70f89ea6572413af69213fbe74652877e2e69dc49ddb69b0a751dd4600

SHA512
6a0f3b7c62a9eb4a2588e44b7a3daea9c0a0114efcffd1c06b62fe67ff42ae69b66f641bcea3d6a20d123bc5d3dbb46f2d034567b77e4f76d9e843fba45bdbb6

Download Submit
\Users\Admin\AppData\Roaming\Owge\dyix.exe

Filesize
310KB

MD5
bb6bc71c2f44290ef8f88bb85569396d

SHA1
96f32e88e705aa275202672dfde8fd905c8d5c63

SHA256
627b5e70f89ea6572413af69213fbe74652877e2e69dc49ddb69b0a751dd4600

SHA512
6a0f3b7c62a9eb4a2588e44b7a3daea9c0a0114efcffd1c06b62fe67ff42ae69b66f641bcea3d6a20d123bc5d3dbb46f2d034567b77e4f76d9e843fba45bdbb6

Download Submit
\Users\Admin\AppData\Roaming\Owge\dyix.exe

Filesize
310KB

MD5
bb6bc71c2f44290ef8f88bb85569396d

SHA1
96f32e88e705aa275202672dfde8fd905c8d5c63

SHA256
627b5e70f89ea6572413af69213fbe74652877e2e69dc49ddb69b0a751dd4600

SHA512
6a0f3b7c62a9eb4a2588e44b7a3daea9c0a0114efcffd1c06b62fe67ff42ae69b66f641bcea3d6a20d123bc5d3dbb46f2d034567b77e4f76d9e843fba45bdbb6

Download Submit
memory/1260-68-0x0000000002000000-0x0000000002048000-memory.dmp

Filesize
288KB

Download
memory/1260-70-0x0000000002000000-0x0000000002048000-memory.dmp

Filesize
288KB

Download
memory/1260-69-0x0000000002000000-0x0000000002048000-memory.dmp

Filesize
288KB

Download
memory/1260-65-0x0000000002000000-0x0000000002048000-memory.dmp

Filesize
288KB

Download
memory/1260-67-0x0000000002000000-0x0000000002048000-memory.dmp

Filesize
288KB

Download
memory/1312-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-114-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-98-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-76-0x0000000001AE0000-0x0000000001B28000-memory.dmp

Filesize
288KB

Download
memory/1364-75-0x0000000001AE0000-0x0000000001B28000-memory.dmp

Filesize
288KB

Download
memory/1364-74-0x0000000001AE0000-0x0000000001B28000-memory.dmp

Filesize
288KB

Download
memory/1364-73-0x0000000001AE0000-0x0000000001B28000-memory.dmp

Filesize
288KB

Download
memory/1420-82-0x00000000026B0000-0x00000000026F8000-memory.dmp

Filesize
288KB

Download
memory/1420-81-0x00000000026B0000-0x00000000026F8000-memory.dmp

Filesize
288KB

Download
memory/1420-79-0x00000000026B0000-0x00000000026F8000-memory.dmp

Filesize
288KB

Download
memory/1420-80-0x00000000026B0000-0x00000000026F8000-memory.dmp

Filesize
288KB

Download
memory/1708-88-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/1708-87-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1708-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-104-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/1708-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-86-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/1708-85-0x0000000000330000-0x0000000000378000-memory.dmp

Filesize
288KB

Download
memory/1708-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-95-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/1708-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download