44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe
Size

305KB
MD5

a11c8b82f008c0170f71445cd85ac740
SHA1

9660b1325b9a33680d921d00c45aa9fa42c3cb48
SHA256

44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59
SHA512

38906b54df6b54e2740fa8c450240e6c8fa2c3f7a27b9d5cf8ce4b85c1dfe16455b8489fc69c7907c4f25497abcff5f01019f1671a410e1625cfa697090c1d91
SSDEEP

3072:XvVQD8/32kHMel6XewWpTGcIdmxX8XbBVtosPKCwt6ufdcp0qKFyD0u+W+CyDGH5:/Q8/32X1ywmxsNKC0hdvFyIuQSynx+r

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	voryi.exe

Deletes itself 1 IoCs

pid	Process
1476	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe
2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	voryi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Nuoc\\voryi.exe"	voryi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe
1688	voryi.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1688	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	27
PID 2024 wrote to memory of 1688	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	27
PID 2024 wrote to memory of 1688	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	27
PID 2024 wrote to memory of 1688	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	27
PID 1688 wrote to memory of 1232	1688	voryi.exe	17
PID 1688 wrote to memory of 1232	1688	voryi.exe	17
PID 1688 wrote to memory of 1232	1688	voryi.exe	17
PID 1688 wrote to memory of 1232	1688	voryi.exe	17
PID 1688 wrote to memory of 1232	1688	voryi.exe	17
PID 1688 wrote to memory of 1328	1688	voryi.exe	16
PID 1688 wrote to memory of 1328	1688	voryi.exe	16
PID 1688 wrote to memory of 1328	1688	voryi.exe	16
PID 1688 wrote to memory of 1328	1688	voryi.exe	16
PID 1688 wrote to memory of 1328	1688	voryi.exe	16
PID 1688 wrote to memory of 1368	1688	voryi.exe	15
PID 1688 wrote to memory of 1368	1688	voryi.exe	15
PID 1688 wrote to memory of 1368	1688	voryi.exe	15
PID 1688 wrote to memory of 1368	1688	voryi.exe	15
PID 1688 wrote to memory of 1368	1688	voryi.exe	15
PID 1688 wrote to memory of 2024	1688	voryi.exe	26
PID 1688 wrote to memory of 2024	1688	voryi.exe	26
PID 1688 wrote to memory of 2024	1688	voryi.exe	26
PID 1688 wrote to memory of 2024	1688	voryi.exe	26
PID 1688 wrote to memory of 2024	1688	voryi.exe	26
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28
PID 2024 wrote to memory of 1476	2024	44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe
  "C:\Users\Admin\AppData\Local\Temp\44900d907785e6eab71a08753cfc21f11658fe01c4535f75d1dd366b64defa59.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Nuoc\voryi.exe
    "C:\Users\Admin\AppData\Roaming\Nuoc\voryi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51d3635e.bat"
    3⤵
    - Deletes itself
    PID:1476

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp51d3635e.bat

Filesize
307B

MD5
77694095ea2fb6fd2de57d2704eb8ff4

SHA1
656078ad0d47c45207b2cdac2ecfb8d3e066b6e2

SHA256
edf4301142acb2506d4deae705df3f364ca53899f0c6a3e85ff64df16694a599

SHA512
0f0025d2e457fa3f249981eeb6d275f8c62d8a0c48bc21a082a976ca413ba2a43b0d006e7328d10471002c810db37092bb213985d021a147450a04bc4f56f840

Download Submit
C:\Users\Admin\AppData\Roaming\Nuoc\voryi.exe

Filesize
305KB

MD5
2c496bd6791775a9afb0beb0fa06266c

SHA1
931e01ae033ec3b40d06f7bd6af415c11dbdc4f4

SHA256
9159a1510b35f52f21b9fc3f44aa12b8675fc33cf99c47a6e6f7c2bb86dac853

SHA512
e4988369029c7ebcd0062a2186ed0ffd466d50350a807af6d7050bd5540a683c246bf48544a627dfb8e5b142bcaf9f2bcee4954ef098b5a133b089729b9b0dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Nuoc\voryi.exe

Filesize
305KB

MD5
2c496bd6791775a9afb0beb0fa06266c

SHA1
931e01ae033ec3b40d06f7bd6af415c11dbdc4f4

SHA256
9159a1510b35f52f21b9fc3f44aa12b8675fc33cf99c47a6e6f7c2bb86dac853

SHA512
e4988369029c7ebcd0062a2186ed0ffd466d50350a807af6d7050bd5540a683c246bf48544a627dfb8e5b142bcaf9f2bcee4954ef098b5a133b089729b9b0dfd

Download Submit
\Users\Admin\AppData\Roaming\Nuoc\voryi.exe

Filesize
305KB

MD5
2c496bd6791775a9afb0beb0fa06266c

SHA1
931e01ae033ec3b40d06f7bd6af415c11dbdc4f4

SHA256
9159a1510b35f52f21b9fc3f44aa12b8675fc33cf99c47a6e6f7c2bb86dac853

SHA512
e4988369029c7ebcd0062a2186ed0ffd466d50350a807af6d7050bd5540a683c246bf48544a627dfb8e5b142bcaf9f2bcee4954ef098b5a133b089729b9b0dfd

Download Submit
\Users\Admin\AppData\Roaming\Nuoc\voryi.exe

Filesize
305KB

MD5
2c496bd6791775a9afb0beb0fa06266c

SHA1
931e01ae033ec3b40d06f7bd6af415c11dbdc4f4

SHA256
9159a1510b35f52f21b9fc3f44aa12b8675fc33cf99c47a6e6f7c2bb86dac853

SHA512
e4988369029c7ebcd0062a2186ed0ffd466d50350a807af6d7050bd5540a683c246bf48544a627dfb8e5b142bcaf9f2bcee4954ef098b5a133b089729b9b0dfd

Download Submit
memory/1232-69-0x0000000001BE0000-0x0000000001C28000-memory.dmp

Filesize
288KB

Download
memory/1232-65-0x0000000001BE0000-0x0000000001C28000-memory.dmp

Filesize
288KB

Download
memory/1232-67-0x0000000001BE0000-0x0000000001C28000-memory.dmp

Filesize
288KB

Download
memory/1232-68-0x0000000001BE0000-0x0000000001C28000-memory.dmp

Filesize
288KB

Download
memory/1232-70-0x0000000001BE0000-0x0000000001C28000-memory.dmp

Filesize
288KB

Download
memory/1328-73-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/1328-74-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/1328-75-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/1328-76-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/1368-81-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1368-82-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1368-80-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1368-79-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1476-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1476-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1476-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1476-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1476-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1476-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2024-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-103-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/2024-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2024-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/2024-88-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/2024-87-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/2024-86-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/2024-85-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/2024-54-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2024-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download