c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613

Analysis

max time kernel
207s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe
Size

192KB
MD5

90a1a1139fe7af0dada349d23ae16fba
SHA1

1d67c27cc2626425be9cf5d9276ac57c920077f6
SHA256

c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613
SHA512

dbe4d8d63453315895129009a3ea74ea74cc770133625f3c09e479214ce7e71d89d6e0dc21f80c42f62658b4575172c06b13bc331ffae955923a989e35a2cd99
SSDEEP

3072:YrcxQ+opEKiCO+J6mintElXmAoX0xv3v1tq+2PdTsuZfw:YIxxoBZm1Sxv3v1tq+ywuZo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3492	yofbtc.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\lbikt	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lbikt	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	yofbtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lbikt\\command	yofbtc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2388	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2628	4524	c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe	82
PID 4524 wrote to memory of 2628	4524	c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe	82
PID 4524 wrote to memory of 2628	4524	c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe	82
PID 2628 wrote to memory of 3492	2628	cmd.exe	84
PID 2628 wrote to memory of 3492	2628	cmd.exe	84
PID 2628 wrote to memory of 3492	2628	cmd.exe	84
PID 2628 wrote to memory of 2388	2628	cmd.exe	85
PID 2628 wrote to memory of 2388	2628	cmd.exe	85
PID 2628 wrote to memory of 2388	2628	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe
"C:\Users\Admin\AppData\Local\Temp\c92fd4c9f0e815d9c2f339c89a9cc603e004ec1bab8c22ae64e7c5ae8f614613.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pomfxdl.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\yofbtc.exe
    "C:\Users\Admin\AppData\Local\Temp\yofbtc.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:3492
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddwvzl.bat

Filesize
188B

MD5
44c9018bed584c0906755bd3646b2896

SHA1
122098a0ac50a781102e5404873739c60b41a5e2

SHA256
da58d859a1f40333a2437fccf52fa5b7bdd555dc3e155abee9f581ddceb4d7e3

SHA512
4aad58cf7845cde80d3afbcdfdda6b9de76f0b17bf572f6f40bb793ef340cad1763cbf2c00f3d1976df88a4fead1cf4c1bdb3bd00fd2d2753b2fdef87d7d28a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomfxdl.bat

Filesize
124B

MD5
78db1b74f1ca113918b109d8a2aae17d

SHA1
796c084978badcd9d6772164970d6445876c84af

SHA256
4f4aae0370746c272ed52d20a0c686286303b8a055e49159e66e3532bce6ffd4

SHA512
388f43c338f74f2bbddb1d1b72a8aa67ed36b20e780def0d0d6e9002b484ba1ccfe9e1fc28fbf24d4bdf25446ab8c385c34dd1198b7fb1217e4ef58fc2b10377

Download Submit
C:\Users\Admin\AppData\Local\Temp\yofbtc.exe

Filesize
144KB

MD5
e00f40d284c2b178a74f4392b3eac470

SHA1
60366ff8521ed2d813f904aa22c93c54173f39a8

SHA256
a135c07cd977af35b745aaec28993f14d150b952f482f4f7d357513808623335

SHA512
a00731e34f3bc01e79a0dd0e462ca6e0b0ac5a671925e05500c8b1286e86a6139155f51cc1430e59035461159e59e293d18c7af1b69024faad461d4a17eeff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\yofbtc.exe

Filesize
144KB

MD5
e00f40d284c2b178a74f4392b3eac470

SHA1
60366ff8521ed2d813f904aa22c93c54173f39a8

SHA256
a135c07cd977af35b745aaec28993f14d150b952f482f4f7d357513808623335

SHA512
a00731e34f3bc01e79a0dd0e462ca6e0b0ac5a671925e05500c8b1286e86a6139155f51cc1430e59035461159e59e293d18c7af1b69024faad461d4a17eeff09

Download Submit