Overview

overview

8

Static

static

a49f4356f0...32.exe

windows7-x64

8

a49f4356f0...32.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    169s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2022 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a49f4356f0bd0114da3a2acc83dcb81d7973a252321f80b373445f5864d54c32.exe

  • Size

    333KB

  • MD5

    908948fc6d622c80f3dcda8fa0c70ab0

  • SHA1

    04ea92fd20e49f04e277113543f2595bafe06f11

  • SHA256

    a49f4356f0bd0114da3a2acc83dcb81d7973a252321f80b373445f5864d54c32

  • SHA512

    58c794be6b67f365d80058623d56510674dd27d0d036cf2a45dbaf16f5f42c0d765ec1d83d9049acc2bc08d96edcb195940fc513fb684076979e53b397c0fc2a

  • SSDEEP

    6144:9xF74x5b59oicM83lIPUdJ4+n+IW+xdY2DDQdsiyfxPh4eUT/1XPGL1qm2v527Qn:qx519otM83Nx+IZTbD7iy5kThGLY

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3440
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4752
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        1⤵
          PID:3960
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4624
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3660
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:3532
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:3368
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                    PID:3272
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:3080
                    • C:\Windows\Explorer.EXE
                      C:\Windows\Explorer.EXE
                      1⤵
                        PID:2832
                        • C:\Users\Admin\AppData\Local\Temp\a49f4356f0bd0114da3a2acc83dcb81d7973a252321f80b373445f5864d54c32.exe
                          "C:\Users\Admin\AppData\Local\Temp\a49f4356f0bd0114da3a2acc83dcb81d7973a252321f80b373445f5864d54c32.exe"
                          2⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:4980
                          • C:\Users\Admin\AppData\Roaming\Vyoc\dyish.exe
                            "C:\Users\Admin\AppData\Roaming\Vyoc\dyish.exe"
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:3468
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4dc042e4.bat"
                            3⤵
                              PID:3060
                        • C:\Windows\system32\taskhostw.exe
                          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                          1⤵
                            PID:2524
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                            1⤵
                              PID:2376
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              1⤵
                                PID:2356

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\tmp4dc042e4.bat
                                Filesize

                                307B

                                MD5

                                89575aa50a57475c17f568f6ccf55c30

                                SHA1

                                25a64f6b0a8933d75d9176ed906bdcfa79883d26

                                SHA256

                                e1a1fcf87bddbc162efdbeb2857b207ff87a3a2a8d453b90ec30d55c470f7e48

                                SHA512

                                11481d2d4ba9a855336d3f4f95425f29ddf0fe10f339a02e474c547f6fa5afa468614652d48d5562eb5e7dc3d17eac89f4b792fb67e2e1348aed24f7948e94d7

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Vyoc\dyish.exe
                                Filesize

                                333KB

                                MD5

                                dc94e308ddee0de39ccf3a8aab4c3daa

                                SHA1

                                7dec14b3c31aca837d6b83d580d4558eb282b65b

                                SHA256

                                4127cec50480d67d9813acf9159fae0fac5525cf130eda8846b06c743315bd4d

                                SHA512

                                95d20bf9c75c01132984d5d741882d3fce052560f852f53a19cfc041b32ad3c20744f7e5cb8d9e6046e89cbde99440dc111c0345551d2a03fe4f761b3caad1a9

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Vyoc\dyish.exe
                                Filesize

                                333KB

                                MD5

                                dc94e308ddee0de39ccf3a8aab4c3daa

                                SHA1

                                7dec14b3c31aca837d6b83d580d4558eb282b65b

                                SHA256

                                4127cec50480d67d9813acf9159fae0fac5525cf130eda8846b06c743315bd4d

                                SHA512

                                95d20bf9c75c01132984d5d741882d3fce052560f852f53a19cfc041b32ad3c20744f7e5cb8d9e6046e89cbde99440dc111c0345551d2a03fe4f761b3caad1a9

                                Download Submit

                              • memory/3060-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-157-0x0000000001370000-0x00000000013BC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3060-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3060-146-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3060-147-0x0000000001370000-0x00000000013BC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3468-134-0x0000000000000000-mapping.dmp

                                Download

                              • memory/3468-158-0x0000000000400000-0x0000000000456000-memory.dmp

                                Filesize

                                344KB

                                Download

                              • memory/3468-139-0x0000000001FB0000-0x0000000001FFC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3468-140-0x0000000000400000-0x0000000000456000-memory.dmp

                                Filesize

                                344KB

                                Download

                              • memory/4980-138-0x0000000000400000-0x0000000000456000-memory.dmp

                                Filesize

                                344KB

                                Download

                              • memory/4980-149-0x00000000022B0000-0x00000000022FC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4980-148-0x0000000000400000-0x000000000044C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4980-145-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4980-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4980-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4980-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4980-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4980-132-0x0000000000400000-0x000000000044C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4980-137-0x0000000000770000-0x00000000007BC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4980-133-0x0000000000400000-0x000000000044C000-memory.dmp

                                Filesize

                                304KB

                                Download