dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
Size

234KB
MD5

228e58f796e7835549f6e075e7a9da81
SHA1

7d5aff02a94c32dd860823efdbbf896049004351
SHA256

dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466
SHA512

b53dee006a03f0245ef98b4681f70f13d478fc27079b106ddf44ff76c06bf3521bed226cc4129c5f8c306af283908625048b62ab1ab68eb81e69531d90375927
SSDEEP

6144:yEK6XbRw6rXobqBoCygkSKyF1h+8T+nLcCG://XbS6piCwSKsCY9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
364	amubq.exe
1752	amubq.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 364 set thread context of 1752	364	amubq.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	amubq.exe
1752	amubq.exe
1752	amubq.exe
1752	amubq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
364	amubq.exe
364	amubq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 632 wrote to memory of 2144	632	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	80
PID 2144 wrote to memory of 364	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	81
PID 2144 wrote to memory of 364	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	81
PID 2144 wrote to memory of 364	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	81
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 364 wrote to memory of 1752	364	amubq.exe	82
PID 2144 wrote to memory of 4900	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	83
PID 2144 wrote to memory of 4900	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	83
PID 2144 wrote to memory of 4900	2144	dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe	83
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 4836	1752	amubq.exe	85
PID 1752 wrote to memory of 2772	1752	amubq.exe	49
PID 1752 wrote to memory of 2772	1752	amubq.exe	49
PID 1752 wrote to memory of 2772	1752	amubq.exe	49
PID 1752 wrote to memory of 2772	1752	amubq.exe	49
PID 1752 wrote to memory of 2772	1752	amubq.exe	49
PID 1752 wrote to memory of 2808	1752	amubq.exe	21
PID 1752 wrote to memory of 2808	1752	amubq.exe	21
PID 1752 wrote to memory of 2808	1752	amubq.exe	21
PID 1752 wrote to memory of 2808	1752	amubq.exe	21
PID 1752 wrote to memory of 2808	1752	amubq.exe	21
PID 1752 wrote to memory of 2924	1752	amubq.exe	47
PID 1752 wrote to memory of 2924	1752	amubq.exe	47
PID 1752 wrote to memory of 2924	1752	amubq.exe	47
PID 1752 wrote to memory of 2924	1752	amubq.exe	47
PID 1752 wrote to memory of 2924	1752	amubq.exe	47
PID 1752 wrote to memory of 1040	1752	amubq.exe	46
PID 1752 wrote to memory of 1040	1752	amubq.exe	46
PID 1752 wrote to memory of 1040	1752	amubq.exe	46
PID 1752 wrote to memory of 1040	1752	amubq.exe	46
PID 1752 wrote to memory of 1040	1752	amubq.exe	46
PID 1752 wrote to memory of 3080	1752	amubq.exe	22
PID 1752 wrote to memory of 3080	1752	amubq.exe	22
PID 1752 wrote to memory of 3080	1752	amubq.exe	22
PID 1752 wrote to memory of 3080	1752	amubq.exe	22
PID 1752 wrote to memory of 3080	1752	amubq.exe	22
PID 1752 wrote to memory of 3292	1752	amubq.exe	45
PID 1752 wrote to memory of 3292	1752	amubq.exe	45
PID 1752 wrote to memory of 3292	1752	amubq.exe	45
PID 1752 wrote to memory of 3292	1752	amubq.exe	45
PID 1752 wrote to memory of 3292	1752	amubq.exe	45
PID 1752 wrote to memory of 3380	1752	amubq.exe	24
PID 1752 wrote to memory of 3380	1752	amubq.exe	24
PID 1752 wrote to memory of 3380	1752	amubq.exe	24
PID 1752 wrote to memory of 3380	1752	amubq.exe	24

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
  "C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
    C:\Users\Admin\AppData\Local\Temp\dfa5ce86f0b45fa508cdcf2db4664c3c620686da12535fccdc68daba96522466.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe
      "C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe
        
        C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        
        PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb648037c.bat"
      4⤵
      PID:4900

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2924

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb648037c.bat

Filesize
307B

MD5
158b1239da91f3efefddc9bc990ef78f

SHA1
881a38ca7e4887bfb97f91272a4c0c351a51f039

SHA256
79a71558d13506c23256071c392f690ddf1a32a5ffb745cbf6d46700f05ee8b4

SHA512
b5fe6234de6cd4daffe927afdb88ed84dcd942f8e5f08ff118057b8b3fe1522044a7f958a977b8884b3b94d7dc14e934be9b3a40a466ab331013043e56801aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe

Filesize
234KB

MD5
7d0744b7a1ccc73f4da6c2f4a5e3e12a

SHA1
74ede2ee351ef21b3482ac44cbfcf50bf33529b5

SHA256
744b425b81e7f6c3d39398729b39e19c7ae1066837b38f9f860e61413b3889e7

SHA512
ffa2c608e3af2f498e57c36d1d39e0bb1a68d3745826a25e671c85ed168402f293737abf13cdc95b399debf7ea3e39c8a375aa82579012d80e39deb514262e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe

Filesize
234KB

MD5
7d0744b7a1ccc73f4da6c2f4a5e3e12a

SHA1
74ede2ee351ef21b3482ac44cbfcf50bf33529b5

SHA256
744b425b81e7f6c3d39398729b39e19c7ae1066837b38f9f860e61413b3889e7

SHA512
ffa2c608e3af2f498e57c36d1d39e0bb1a68d3745826a25e671c85ed168402f293737abf13cdc95b399debf7ea3e39c8a375aa82579012d80e39deb514262e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Myruky\amubq.exe

Filesize
234KB

MD5
7d0744b7a1ccc73f4da6c2f4a5e3e12a

SHA1
74ede2ee351ef21b3482ac44cbfcf50bf33529b5

SHA256
744b425b81e7f6c3d39398729b39e19c7ae1066837b38f9f860e61413b3889e7

SHA512
ffa2c608e3af2f498e57c36d1d39e0bb1a68d3745826a25e671c85ed168402f293737abf13cdc95b399debf7ea3e39c8a375aa82579012d80e39deb514262e6d

Download Submit
memory/632-135-0x00000000021F0000-0x00000000021F4000-memory.dmp

Filesize
16KB

Download
memory/1752-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4836-149-0x0000000000910000-0x0000000000940000-memory.dmp

Filesize
192KB

Download