c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
Size

133KB
MD5

a26dace927c4f2c237124d7ca3113590
SHA1

5860cceb800ba77c81709ec9a8d44fdbad44e1f8
SHA256

c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb
SHA512

2601855306709934f47daa3022e00785c3516fe798ce5ac0940f22221342747c1dcc6afd173d23af589e65b8617fab8b0322f080eb34b43d5f2141d3a39072df
SSDEEP

3072:u0v4Yb2eruGgAaeXWhTj+fe6ja3GmoT4d8y8HafOafaqcIJLCY2:Jvrb22uGLbWhTjYe6TTmZRzSqpO

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3700	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.tmp
4548	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
452	YZH.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022dde-136.dat	upx
behavioral2/files/0x0002000000022dde-137.dat	upx
behavioral2/files/0x0001000000022de4-139.dat	upx
behavioral2/files/0x0001000000022de4-140.dat	upx
behavioral2/memory/1792-141-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4548-142-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/452-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4548-144-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1792-145-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/452-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	YZH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	YZH.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	YZH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	YZH.exe
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened (read-only)	\??\B:	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\YZH.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
File opened for modification	C:\Windows\YZH.exe	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
File created	C:\Windows\YZH.exe	YZH.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe
452	YZH.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
452	YZH.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3700	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	83
PID 1792 wrote to memory of 3700	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	83
PID 1792 wrote to memory of 3700	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	83
PID 1792 wrote to memory of 4548	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	84
PID 1792 wrote to memory of 4548	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	84
PID 1792 wrote to memory of 4548	1792	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe	84
PID 4548 wrote to memory of 452	4548	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm	85
PID 4548 wrote to memory of 452	4548	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm	85
PID 4548 wrote to memory of 452	4548	c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm	85

C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe
"C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.tmp
  C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.tmp
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm
  C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm /zhj
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\YZH.exe
    C:\Windows\YZH.exe /zhj
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm

Filesize
117KB

MD5
f11c10b2f3dea621c4560b6e2a2c4bde

SHA1
8288713ae27477e6728110d3bd19bf2002fd7f43

SHA256
ac70d99a804e630f9b19491539a714bff3470dbc6e59c9bf18ae7b5750737ae9

SHA512
7a3d33a9567ea21cdee672049182cd17a591f6abca39eeef41420729db2bfae33e81f3bac571f1befcf3c5457acfdd7e17e203f7bd70f63a57ee4ac115afac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.mm

Filesize
117KB

MD5
f11c10b2f3dea621c4560b6e2a2c4bde

SHA1
8288713ae27477e6728110d3bd19bf2002fd7f43

SHA256
ac70d99a804e630f9b19491539a714bff3470dbc6e59c9bf18ae7b5750737ae9

SHA512
7a3d33a9567ea21cdee672049182cd17a591f6abca39eeef41420729db2bfae33e81f3bac571f1befcf3c5457acfdd7e17e203f7bd70f63a57ee4ac115afac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.tmp

Filesize
15KB

MD5
74b9fa2afaf60b7f4e2a952e77b9dc6c

SHA1
b3a14d8c38f41a146df619976f09011da7c9c5ee

SHA256
44e2ecd9699c64d1eeeda36f6cef807e9abfb8091a6a23e9725058d3f2d81a5e

SHA512
8390d615aca34b4d64fd135d36327aab859728698f496aadfdecc78175146fdfe92534e28ce37d9644277e7d5d8885ba1353e17ff2f2447ef799e584ad305264

Download Submit
C:\Users\Admin\AppData\Local\Temp\c319143ddec6a15ad920cf216dee262ce3f2b8cfbe8d3d49fbfc5b928f3a77cb.tmp

Filesize
15KB

MD5
74b9fa2afaf60b7f4e2a952e77b9dc6c

SHA1
b3a14d8c38f41a146df619976f09011da7c9c5ee

SHA256
44e2ecd9699c64d1eeeda36f6cef807e9abfb8091a6a23e9725058d3f2d81a5e

SHA512
8390d615aca34b4d64fd135d36327aab859728698f496aadfdecc78175146fdfe92534e28ce37d9644277e7d5d8885ba1353e17ff2f2447ef799e584ad305264

Download Submit
C:\Windows\YZH.exe

Filesize
117KB

MD5
f11c10b2f3dea621c4560b6e2a2c4bde

SHA1
8288713ae27477e6728110d3bd19bf2002fd7f43

SHA256
ac70d99a804e630f9b19491539a714bff3470dbc6e59c9bf18ae7b5750737ae9

SHA512
7a3d33a9567ea21cdee672049182cd17a591f6abca39eeef41420729db2bfae33e81f3bac571f1befcf3c5457acfdd7e17e203f7bd70f63a57ee4ac115afac07

Download Submit
C:\Windows\YZH.exe

Filesize
117KB

MD5
f11c10b2f3dea621c4560b6e2a2c4bde

SHA1
8288713ae27477e6728110d3bd19bf2002fd7f43

SHA256
ac70d99a804e630f9b19491539a714bff3470dbc6e59c9bf18ae7b5750737ae9

SHA512
7a3d33a9567ea21cdee672049182cd17a591f6abca39eeef41420729db2bfae33e81f3bac571f1befcf3c5457acfdd7e17e203f7bd70f63a57ee4ac115afac07

Download Submit
memory/452-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download