ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe
Size

351KB
MD5

0881b6b804dc273e3db47068fc2c50df
SHA1

4a720c0d101da6f5c9511a236b6ac55bbdb33655
SHA256

ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97
SHA512

09956f7deed4ef84725f786a6e06853b381261af9820a0039a90f1e0ddc310c8bffcaab5c7ffe65271b99e00e425818364420e71f1c938044201d1abddf38693
SSDEEP

6144:5j6xvRw4yWlSIB+qSHuMK+Uu8J8RCf6GVAn69y/TNj6h3Jo/Yf:xC5SsfMK+UhJ3f60XkTN5w

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	yliq.exe

Deletes itself 1 IoCs

pid	Process
456	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	yliq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Zaniip\\yliq.exe"	yliq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe
576	yliq.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe
576	yliq.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 1928 wrote to memory of 576	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	26
PID 576 wrote to memory of 1236	576	yliq.exe	11
PID 576 wrote to memory of 1236	576	yliq.exe	11
PID 576 wrote to memory of 1236	576	yliq.exe	11
PID 576 wrote to memory of 1236	576	yliq.exe	11
PID 576 wrote to memory of 1236	576	yliq.exe	11
PID 576 wrote to memory of 1348	576	yliq.exe	10
PID 576 wrote to memory of 1348	576	yliq.exe	10
PID 576 wrote to memory of 1348	576	yliq.exe	10
PID 576 wrote to memory of 1348	576	yliq.exe	10
PID 576 wrote to memory of 1348	576	yliq.exe	10
PID 576 wrote to memory of 1400	576	yliq.exe	9
PID 576 wrote to memory of 1400	576	yliq.exe	9
PID 576 wrote to memory of 1400	576	yliq.exe	9
PID 576 wrote to memory of 1400	576	yliq.exe	9
PID 576 wrote to memory of 1400	576	yliq.exe	9
PID 576 wrote to memory of 1928	576	yliq.exe	14
PID 576 wrote to memory of 1928	576	yliq.exe	14
PID 576 wrote to memory of 1928	576	yliq.exe	14
PID 576 wrote to memory of 1928	576	yliq.exe	14
PID 576 wrote to memory of 1928	576	yliq.exe	14
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27
PID 1928 wrote to memory of 456	1928	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe
  "C:\Users\Admin\AppData\Local\Temp\ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Roaming\Zaniip\yliq.exe
    "C:\Users\Admin\AppData\Roaming\Zaniip\yliq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp866dec8c.bat"
    3⤵
    - Deletes itself
    PID:456

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp866dec8c.bat

Filesize
307B

MD5
5f5282c8d94c8212a2af71f72d1dbac1

SHA1
c128c99f0bf853a8788d5c9ff71d0a3ba8aabb79

SHA256
51ad3c4880ec514aed7372d67600ed78860c84a59f04225d805b9ab3a2e6d689

SHA512
54c0e0fd54ce75cc15a949fb028914ca7e4f2e4581b7da07b131fa9dd5c47df27bc4695b057833d1075c5ebfdd88ae83e1e16def35d75babce1695fb819f97af

Download Submit
C:\Users\Admin\AppData\Roaming\Zaniip\yliq.exe

Filesize
351KB

MD5
e849f26c09e67299723d3377558ff7c8

SHA1
11ef73e5c4f37b4328d913055c06f5896276b076

SHA256
6fb90fd4be5baf4e8a789c83ba2a0e4d464f3180958b14ea9592c1e691ddf647

SHA512
272513864f043acbe1299cc0009be3d5dfda535cd244b4d0277b9128c45b891ca2415e2fe5e074aabb8327b9bff810d4b8e91adaaf06a43b4b569d0f610e79e7

Download Submit
C:\Users\Admin\AppData\Roaming\Zaniip\yliq.exe

Filesize
351KB

MD5
e849f26c09e67299723d3377558ff7c8

SHA1
11ef73e5c4f37b4328d913055c06f5896276b076

SHA256
6fb90fd4be5baf4e8a789c83ba2a0e4d464f3180958b14ea9592c1e691ddf647

SHA512
272513864f043acbe1299cc0009be3d5dfda535cd244b4d0277b9128c45b891ca2415e2fe5e074aabb8327b9bff810d4b8e91adaaf06a43b4b569d0f610e79e7

Download Submit
\Users\Admin\AppData\Roaming\Zaniip\yliq.exe

Filesize
351KB

MD5
e849f26c09e67299723d3377558ff7c8

SHA1
11ef73e5c4f37b4328d913055c06f5896276b076

SHA256
6fb90fd4be5baf4e8a789c83ba2a0e4d464f3180958b14ea9592c1e691ddf647

SHA512
272513864f043acbe1299cc0009be3d5dfda535cd244b4d0277b9128c45b891ca2415e2fe5e074aabb8327b9bff810d4b8e91adaaf06a43b4b569d0f610e79e7

Download Submit
memory/456-116-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/456-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-100-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/456-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/456-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/456-99-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/456-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/576-117-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/576-102-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/576-101-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1236-66-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1236-64-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1236-69-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1236-68-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1236-67-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1348-73-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1348-75-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1348-74-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1348-72-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1400-81-0x0000000002610000-0x0000000002657000-memory.dmp

Filesize
284KB

Download
memory/1400-80-0x0000000002610000-0x0000000002657000-memory.dmp

Filesize
284KB

Download
memory/1400-79-0x0000000002610000-0x0000000002657000-memory.dmp

Filesize
284KB

Download
memory/1400-78-0x0000000002610000-0x0000000002657000-memory.dmp

Filesize
284KB

Download
memory/1928-86-0x0000000001F40000-0x0000000001F87000-memory.dmp

Filesize
284KB

Download
memory/1928-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-103-0x0000000001F40000-0x0000000001F9A000-memory.dmp

Filesize
360KB

Download
memory/1928-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-106-0x0000000001F40000-0x0000000001F87000-memory.dmp

Filesize
284KB

Download
memory/1928-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-87-0x0000000001F40000-0x0000000001F87000-memory.dmp

Filesize
284KB

Download
memory/1928-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1928-85-0x0000000001F40000-0x0000000001F87000-memory.dmp

Filesize
284KB

Download
memory/1928-84-0x0000000001F40000-0x0000000001F87000-memory.dmp

Filesize
284KB

Download
memory/1928-58-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1928-57-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/1928-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download