Analysis
-
max time kernel
169s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2022 10:20
Static task
static1
Behavioral task
behavioral1
Sample
6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe
Resource
win10v2004-20220812-en
General
-
Target
6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe
-
Size
22KB
-
MD5
292bb8ccc16540210ea0b147748757a6
-
SHA1
06854d1f0bcd938a3748ac146db43ab503f2179a
-
SHA256
6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd
-
SHA512
b49356e0b5b12e85c6e7e32241c0c827d3a39f3209796fe9555213dcbaf58122d42e299c819ad5216cf18aec0b0a22def529f055e38e186353012431033c307a
-
SSDEEP
384:0YImhoWVkxT5GEZpw4/fYzlvbWDUCElU8f6DW9TeVOtD1/lNcoOOuK+cyH:RDqxT5Jgaie4tpH1yH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3484 tyhhyg.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\tyhhyg.exe 6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe File opened for modification C:\Windows\SysWOW64\tyhhyg.exe 6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tyhhyg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz tyhhyg.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1972 6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe"C:\Users\Admin\AppData\Local\Temp\6abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
PID:1972
-
C:\Windows\SysWOW64\tyhhyg.exeC:\Windows\SysWOW64\tyhhyg.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3484
Network
-
Remote address:8.8.8.8:53Requestyk.j22g.comIN AResponseyk.j22g.comIN A188.114.96.0yk.j22g.comIN A188.114.97.0
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestyk.j22g.comIN AResponseyk.j22g.comIN A188.114.96.0yk.j22g.comIN A188.114.97.0
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
Remote address:8.8.8.8:53Requestan.a89n.comIN AResponse
-
260 B 5
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
57 B 89 B 1 1
DNS Request
yk.j22g.com
DNS Response
188.114.96.0188.114.97.0
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 89 B 1 1
DNS Request
yk.j22g.com
DNS Response
188.114.96.0188.114.97.0
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
-
57 B 130 B 1 1
DNS Request
an.a89n.com
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5292bb8ccc16540210ea0b147748757a6
SHA106854d1f0bcd938a3748ac146db43ab503f2179a
SHA2566abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd
SHA512b49356e0b5b12e85c6e7e32241c0c827d3a39f3209796fe9555213dcbaf58122d42e299c819ad5216cf18aec0b0a22def529f055e38e186353012431033c307a
-
Filesize
22KB
MD5292bb8ccc16540210ea0b147748757a6
SHA106854d1f0bcd938a3748ac146db43ab503f2179a
SHA2566abb89f0b7a246d736bf4f69fd6db17b72cfeb82af0a1931880b37b6fb2ff8cd
SHA512b49356e0b5b12e85c6e7e32241c0c827d3a39f3209796fe9555213dcbaf58122d42e299c819ad5216cf18aec0b0a22def529f055e38e186353012431033c307a