8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe
Size

355KB
MD5

11f552e658b00d4a05a2881c1ae83b81
SHA1

e191e0c6839d6655ea3da377a70638f4e69d7490
SHA256

8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7
SHA512

ccb6283fcc4db118478911b82cf48cfe75e13f46c265953992510ac0b04ddebc5b4cb094e9aed08a8d03a02c40c95de97cdbec296b8917ee60058fa0baaa8c4b
SSDEEP

6144:5kH1CNBlRqTDxpUMgZZjUytUTNotV//0C2F/RZ5sG82zp2LhfbMXifzPIPDAZ:NvlRqTDxpUMgnjIytF//2F/RZ5820Ltr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1080	tugy.exe

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	tugy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ekixz\\tugy.exe"	tugy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe
1080	tugy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe
1080	tugy.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1080	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	27
PID 1148 wrote to memory of 1080	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	27
PID 1148 wrote to memory of 1080	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	27
PID 1148 wrote to memory of 1080	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	27
PID 1080 wrote to memory of 1228	1080	tugy.exe	13
PID 1080 wrote to memory of 1228	1080	tugy.exe	13
PID 1080 wrote to memory of 1228	1080	tugy.exe	13
PID 1080 wrote to memory of 1228	1080	tugy.exe	13
PID 1080 wrote to memory of 1228	1080	tugy.exe	13
PID 1080 wrote to memory of 1320	1080	tugy.exe	15
PID 1080 wrote to memory of 1320	1080	tugy.exe	15
PID 1080 wrote to memory of 1320	1080	tugy.exe	15
PID 1080 wrote to memory of 1320	1080	tugy.exe	15
PID 1080 wrote to memory of 1320	1080	tugy.exe	15
PID 1080 wrote to memory of 1380	1080	tugy.exe	14
PID 1080 wrote to memory of 1380	1080	tugy.exe	14
PID 1080 wrote to memory of 1380	1080	tugy.exe	14
PID 1080 wrote to memory of 1380	1080	tugy.exe	14
PID 1080 wrote to memory of 1380	1080	tugy.exe	14
PID 1080 wrote to memory of 1148	1080	tugy.exe	26
PID 1080 wrote to memory of 1148	1080	tugy.exe	26
PID 1080 wrote to memory of 1148	1080	tugy.exe	26
PID 1080 wrote to memory of 1148	1080	tugy.exe	26
PID 1080 wrote to memory of 1148	1080	tugy.exe	26
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28
PID 1148 wrote to memory of 2016	1148	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe
  "C:\Users\Admin\AppData\Local\Temp\8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Roaming\Ekixz\tugy.exe
    "C:\Users\Admin\AppData\Roaming\Ekixz\tugy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbcfe73e2.bat"
    3⤵
    - Deletes itself
    PID:2016

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbcfe73e2.bat

Filesize
307B

MD5
734692f6a2035bf1407ebb1118516432

SHA1
42d5cec8b308d07c0cd092726514f93fd0852ccc

SHA256
0fdfea520b88c44b0a5a04432274ee05d662c130ec783381a78dd1e42337d69a

SHA512
31d7f1a94d42a71bc794e8e7464fbbbf60418cdd9791643d4a8a73955ee3c14696129b114d0110f58b042def3ad9137eac877526a6b01f2f3d92710ef665d6cf

Download Submit
C:\Users\Admin\AppData\Roaming\Ekixz\tugy.exe

Filesize
355KB

MD5
b7b399f6ee16883b05a2837c3479de67

SHA1
7f56281f8040ddbaedc29cccc67b0db0cf3df1c4

SHA256
6e6e151e45cec553e208180a8dbeb519fa361ae42697012d064e7b0624042297

SHA512
e71a040004c27b69c60786807a63926dee3a2766e0e788246b3031ec6854fc512bb441c1f07a0f3231729c800f710b2b2334dec4517c8a066404576a1b2cad40

Download Submit
C:\Users\Admin\AppData\Roaming\Ekixz\tugy.exe

Filesize
355KB

MD5
b7b399f6ee16883b05a2837c3479de67

SHA1
7f56281f8040ddbaedc29cccc67b0db0cf3df1c4

SHA256
6e6e151e45cec553e208180a8dbeb519fa361ae42697012d064e7b0624042297

SHA512
e71a040004c27b69c60786807a63926dee3a2766e0e788246b3031ec6854fc512bb441c1f07a0f3231729c800f710b2b2334dec4517c8a066404576a1b2cad40

Download Submit
\Users\Admin\AppData\Roaming\Ekixz\tugy.exe

Filesize
355KB

MD5
b7b399f6ee16883b05a2837c3479de67

SHA1
7f56281f8040ddbaedc29cccc67b0db0cf3df1c4

SHA256
6e6e151e45cec553e208180a8dbeb519fa361ae42697012d064e7b0624042297

SHA512
e71a040004c27b69c60786807a63926dee3a2766e0e788246b3031ec6854fc512bb441c1f07a0f3231729c800f710b2b2334dec4517c8a066404576a1b2cad40

Download Submit
memory/1080-101-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1080-118-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1080-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-106-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-103-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1148-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-105-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1148-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-55-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-83-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1148-84-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1148-85-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1148-86-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1148-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-65-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-66-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-67-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-63-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-68-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1320-73-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-72-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-71-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-74-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1380-80-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-77-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-78-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-79-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/2016-95-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download
memory/2016-97-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download
memory/2016-108-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download
memory/2016-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2016-99-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download
memory/2016-117-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download
memory/2016-98-0x0000000000170000-0x00000000001B7000-memory.dmp

Filesize
284KB

Download