487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe
Size

299KB
MD5

a132be0619f7fea081a5c962e4f974dc
SHA1

d1ea32838d36f93ba04ad3ce53692a594265235f
SHA256

487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9
SHA512

3a9842d2d475b63af79e42860e95ebea3248806d2d5873d723d3b5a92966d99069347fac81546f4c0fe641c11be59b415d7b126426df28e8ed8fe73430bb3b36
SSDEEP

6144:xw5Wn/SGtXqT75YJN8TnAFe2laWx9Kx6dbHZFKrmxIHq8ChwDJrBMaI:aIftXw60EFR59KxybHjymWqbgBMa

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	izyj.exe

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe
1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	izyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Mewyi\\izyj.exe"	izyj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe
976	izyj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 976	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	28
PID 1980 wrote to memory of 976	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	28
PID 1980 wrote to memory of 976	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	28
PID 1980 wrote to memory of 976	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	28
PID 976 wrote to memory of 1276	976	izyj.exe	16
PID 976 wrote to memory of 1276	976	izyj.exe	16
PID 976 wrote to memory of 1276	976	izyj.exe	16
PID 976 wrote to memory of 1276	976	izyj.exe	16
PID 976 wrote to memory of 1276	976	izyj.exe	16
PID 976 wrote to memory of 1356	976	izyj.exe	15
PID 976 wrote to memory of 1356	976	izyj.exe	15
PID 976 wrote to memory of 1356	976	izyj.exe	15
PID 976 wrote to memory of 1356	976	izyj.exe	15
PID 976 wrote to memory of 1356	976	izyj.exe	15
PID 976 wrote to memory of 1404	976	izyj.exe	8
PID 976 wrote to memory of 1404	976	izyj.exe	8
PID 976 wrote to memory of 1404	976	izyj.exe	8
PID 976 wrote to memory of 1404	976	izyj.exe	8
PID 976 wrote to memory of 1404	976	izyj.exe	8
PID 976 wrote to memory of 1980	976	izyj.exe	24
PID 976 wrote to memory of 1980	976	izyj.exe	24
PID 976 wrote to memory of 1980	976	izyj.exe	24
PID 976 wrote to memory of 1980	976	izyj.exe	24
PID 976 wrote to memory of 1980	976	izyj.exe	24
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29
PID 1980 wrote to memory of 1312	1980	487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe
  "C:\Users\Admin\AppData\Local\Temp\487043e29cf70efa780ecee31ad99437c2d1aa65ee5ed207c7c88182ea1a58f9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Roaming\Mewyi\izyj.exe
    "C:\Users\Admin\AppData\Roaming\Mewyi\izyj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp08ed59c4.bat"
    3⤵
    - Deletes itself
    PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1356

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp08ed59c4.bat

Filesize
307B

MD5
cca359e23d03c6f76208451e1831538b

SHA1
9bc831f32c9fd822d37ef9a6c93d10f791ee3ccd

SHA256
54dc406aaf9b51784aad0c4a14d5cd00d255eef832b9982bdbb219036cbcf629

SHA512
8b217ec81429d281643202cdab3d53e5ee56683aceb470599368aa1615aafc878630f25efab6a35c672222731aafac0675396237a14ea2005aafe42b63dd1bba

Download Submit
C:\Users\Admin\AppData\Roaming\Mewyi\izyj.exe

Filesize
299KB

MD5
0be1e092ee5a64b153a41465cd86040d

SHA1
fdf4be677fb04448eccd797c7945c3795629d692

SHA256
940a4337f851342c1e7222f80eb523eaaccd311bfd7b3474445de58969dacb7d

SHA512
6f64725eda35282e0370c7937972dfd87d595dc74c36e69192e18a36f3a8319abcc4070a9074f4035a2749fbabe3fc4f87cd1a8ad134966d3f77fbb38c7c832b

Download Submit
C:\Users\Admin\AppData\Roaming\Mewyi\izyj.exe

Filesize
299KB

MD5
0be1e092ee5a64b153a41465cd86040d

SHA1
fdf4be677fb04448eccd797c7945c3795629d692

SHA256
940a4337f851342c1e7222f80eb523eaaccd311bfd7b3474445de58969dacb7d

SHA512
6f64725eda35282e0370c7937972dfd87d595dc74c36e69192e18a36f3a8319abcc4070a9074f4035a2749fbabe3fc4f87cd1a8ad134966d3f77fbb38c7c832b

Download Submit
\Users\Admin\AppData\Roaming\Mewyi\izyj.exe

Filesize
299KB

MD5
0be1e092ee5a64b153a41465cd86040d

SHA1
fdf4be677fb04448eccd797c7945c3795629d692

SHA256
940a4337f851342c1e7222f80eb523eaaccd311bfd7b3474445de58969dacb7d

SHA512
6f64725eda35282e0370c7937972dfd87d595dc74c36e69192e18a36f3a8319abcc4070a9074f4035a2749fbabe3fc4f87cd1a8ad134966d3f77fbb38c7c832b

Download Submit
\Users\Admin\AppData\Roaming\Mewyi\izyj.exe

Filesize
299KB

MD5
0be1e092ee5a64b153a41465cd86040d

SHA1
fdf4be677fb04448eccd797c7945c3795629d692

SHA256
940a4337f851342c1e7222f80eb523eaaccd311bfd7b3474445de58969dacb7d

SHA512
6f64725eda35282e0370c7937972dfd87d595dc74c36e69192e18a36f3a8319abcc4070a9074f4035a2749fbabe3fc4f87cd1a8ad134966d3f77fbb38c7c832b

Download Submit
memory/1276-69-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1276-70-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1276-65-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1276-67-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1276-68-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1312-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-115-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1312-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1312-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-76-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1356-75-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1356-74-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1356-73-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1404-82-0x0000000002150000-0x0000000002198000-memory.dmp

Filesize
288KB

Download
memory/1404-81-0x0000000002150000-0x0000000002198000-memory.dmp

Filesize
288KB

Download
memory/1404-80-0x0000000002150000-0x0000000002198000-memory.dmp

Filesize
288KB

Download
memory/1404-79-0x0000000002150000-0x0000000002198000-memory.dmp

Filesize
288KB

Download
memory/1980-85-0x00000000004B0000-0x00000000004F8000-memory.dmp

Filesize
288KB

Download
memory/1980-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-102-0x00000000004B0000-0x0000000000501000-memory.dmp

Filesize
324KB

Download
memory/1980-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1980-104-0x00000000004B0000-0x00000000004F8000-memory.dmp

Filesize
288KB

Download
memory/1980-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1980-88-0x00000000004B0000-0x00000000004F8000-memory.dmp

Filesize
288KB

Download
memory/1980-87-0x00000000004B0000-0x00000000004F8000-memory.dmp

Filesize
288KB

Download
memory/1980-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1980-86-0x00000000004B0000-0x00000000004F8000-memory.dmp

Filesize
288KB

Download
memory/1980-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download