ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe
Size

198KB
MD5

034a4f8fde7d761e2f4f96be43ebae40
SHA1

4c3ddb3a1fbd19f050ba1b613fcb1d0569e66979
SHA256

ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c
SHA512

80b5cd37ddcfaa597bd0e1986fc6ec0489eec4d73f04705775490d25b0aa91bd997fd936364a3734cebafdaadbe42f81b65bb68f370845394b76ca040234a7b2
SSDEEP

3072:HBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikd+u26LOUp:HK5ArKjbAxXSaegUqGeGpBohMoK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4344	Byteokup.exe
2080	HOSTicpl.exe
4952	~8179.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipcoexer = "C:\\Users\\Admin\\AppData\\Roaming\\dvdpuirt\\Byteokup.exe"	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HOSTicpl.exe	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	Byteokup.exe
4344	Byteokup.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2080	HOSTicpl.exe
2416	Explorer.EXE
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe
2416	Explorer.EXE
2080	HOSTicpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4344	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	82
PID 2472 wrote to memory of 4344	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	82
PID 2472 wrote to memory of 4344	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	82
PID 4344 wrote to memory of 4952	4344	Byteokup.exe	84
PID 4344 wrote to memory of 4952	4344	Byteokup.exe	84
PID 2472 wrote to memory of 4900	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	85
PID 2472 wrote to memory of 4900	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	85
PID 2472 wrote to memory of 4900	2472	ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe	85
PID 4952 wrote to memory of 2416	4952	~8179.tmp	47
PID 4900 wrote to memory of 2064	4900	cmd.exe	87
PID 4900 wrote to memory of 2064	4900	cmd.exe	87
PID 4900 wrote to memory of 2064	4900	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2064	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2416
- C:\Users\Admin\AppData\Local\Temp\ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe
  "C:\Users\Admin\AppData\Local\Temp\ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Roaming\dvdpuirt\Byteokup.exe
    "C:\Users\Admin\AppData\Roaming\dvdpuirt\Byteokup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\~8179.tmp
      "C:\Users\Admin\AppData\Local\Temp\~8179.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    /C 240550312.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c.exe"
      4⤵
      Views/modifies file attributes
      PID:2064

C:\Windows\SysWOW64\HOSTicpl.exe
C:\Windows\SysWOW64\HOSTicpl.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240550312.cmd

Filesize
291B

MD5
2dc3794ce6c90e59220c0dd7fdcb000c

SHA1
7b9b1357b9d650ee4343046047cfb9e5aade3b07

SHA256
2e3f9dddffbe722c5dd0bae8048436ba333f5b6af1480625e3db2e064aa44385

SHA512
ecc6d66d89691ad0f09bc3a7fd4e9ca5081a50a6a34af3261d9972c319551502c539ec64ecbbef9835c5f798822cae0667d0b229ce4fa5d11f87c491c74bb4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8179.tmp

Filesize
6KB

MD5
442f0cf17e7305409f582a71d06cf33a

SHA1
d70fe722c23eaefc1825bba2a46e18bec9baff5b

SHA256
fb67053c0238f21e4bd597572542bb8c1b6f2cfc151a004d84f74ef9fe16c038

SHA512
904fc95f31780cb120cbc043bcaeadfac3e8a3fec2704806ed425258b1a202fe7aa00c5fa3b8c4974cf8916e983409d933bc2c13b02fe9b1e02099c77b8508d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8179.tmp

Filesize
6KB

MD5
442f0cf17e7305409f582a71d06cf33a

SHA1
d70fe722c23eaefc1825bba2a46e18bec9baff5b

SHA256
fb67053c0238f21e4bd597572542bb8c1b6f2cfc151a004d84f74ef9fe16c038

SHA512
904fc95f31780cb120cbc043bcaeadfac3e8a3fec2704806ed425258b1a202fe7aa00c5fa3b8c4974cf8916e983409d933bc2c13b02fe9b1e02099c77b8508d0

Download Submit
C:\Users\Admin\AppData\Roaming\dvdpuirt\Byteokup.exe

Filesize
172KB

MD5
b04fac3373c66e63a2905088aad2d353

SHA1
1aad4a9a5004dd3aeb4cde6b330696def92f75b3

SHA256
afee1d2b1c6c0980dd0454a83256fef73b59998d6fb8f9ceec98698f577cade2

SHA512
dfb7d5ff011f0c3b391cf0a67c5854e8a8f119b5cf7d1341acd1fd94e7ef8d37d41b5b619ac1e168e1b9f21157405420a3f9f201f016179c021d5178fcb2ef2e

Download Submit
C:\Users\Admin\AppData\Roaming\dvdpuirt\Byteokup.exe

Filesize
172KB

MD5
b04fac3373c66e63a2905088aad2d353

SHA1
1aad4a9a5004dd3aeb4cde6b330696def92f75b3

SHA256
afee1d2b1c6c0980dd0454a83256fef73b59998d6fb8f9ceec98698f577cade2

SHA512
dfb7d5ff011f0c3b391cf0a67c5854e8a8f119b5cf7d1341acd1fd94e7ef8d37d41b5b619ac1e168e1b9f21157405420a3f9f201f016179c021d5178fcb2ef2e

Download Submit
C:\Windows\SysWOW64\HOSTicpl.exe

Filesize
198KB

MD5
034a4f8fde7d761e2f4f96be43ebae40

SHA1
4c3ddb3a1fbd19f050ba1b613fcb1d0569e66979

SHA256
ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c

SHA512
80b5cd37ddcfaa597bd0e1986fc6ec0489eec4d73f04705775490d25b0aa91bd997fd936364a3734cebafdaadbe42f81b65bb68f370845394b76ca040234a7b2

Download Submit
C:\Windows\SysWOW64\HOSTicpl.exe

Filesize
198KB

MD5
034a4f8fde7d761e2f4f96be43ebae40

SHA1
4c3ddb3a1fbd19f050ba1b613fcb1d0569e66979

SHA256
ae117a81d595bafbfd989a6cea283cae9b4fff75960f2d73ed2539adbc2b3b6c

SHA512
80b5cd37ddcfaa597bd0e1986fc6ec0489eec4d73f04705775490d25b0aa91bd997fd936364a3734cebafdaadbe42f81b65bb68f370845394b76ca040234a7b2

Download Submit
memory/2064-143-0x0000000000000000-mapping.dmp

Download
memory/2080-144-0x0000000000880000-0x00000000008C4000-memory.dmp

Filesize
272KB

Download
memory/2416-145-0x0000000003210000-0x0000000003251000-memory.dmp

Filesize
260KB

Download
memory/2472-132-0x0000000000ED0000-0x0000000000F14000-memory.dmp

Filesize
272KB

Download
memory/4344-133-0x0000000000000000-mapping.dmp

Download
memory/4900-141-0x0000000000000000-mapping.dmp

Download
memory/4952-138-0x0000000000000000-mapping.dmp

Download