e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3

Analysis

max time kernel
151s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe
Size

333KB
MD5

0d618d4200080848e2018bd8af4e2d70
SHA1

347dab9387e4d5dc6306b5a5fe7a72b84dcff36e
SHA256

e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3
SHA512

87f4fb2e18df2a94fd511f538f1fa0ff5475fd6e44d0144045204a55c22fe17c87a6e232c73b39620cb992eecdfd922185458d041a194376bd2f0cf39fa63c67
SSDEEP

6144:5sOXev74zue74KwdTueIr6SLFdVB43K7H9DSbqLtFF3bJnznBnOniy:50te8luvzZdMeAgddzBOiy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	cycegy.exe

Deletes itself 1 IoCs

pid	Process
652	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	cycegy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Udulcy\\cycegy.exe"	cycegy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 668 set thread context of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe
1456	cycegy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe
1456	cycegy.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1456	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	28
PID 668 wrote to memory of 1456	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	28
PID 668 wrote to memory of 1456	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	28
PID 668 wrote to memory of 1456	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	28
PID 1456 wrote to memory of 1192	1456	cycegy.exe	17
PID 1456 wrote to memory of 1192	1456	cycegy.exe	17
PID 1456 wrote to memory of 1192	1456	cycegy.exe	17
PID 1456 wrote to memory of 1192	1456	cycegy.exe	17
PID 1456 wrote to memory of 1192	1456	cycegy.exe	17
PID 1456 wrote to memory of 1272	1456	cycegy.exe	9
PID 1456 wrote to memory of 1272	1456	cycegy.exe	9
PID 1456 wrote to memory of 1272	1456	cycegy.exe	9
PID 1456 wrote to memory of 1272	1456	cycegy.exe	9
PID 1456 wrote to memory of 1272	1456	cycegy.exe	9
PID 1456 wrote to memory of 1324	1456	cycegy.exe	16
PID 1456 wrote to memory of 1324	1456	cycegy.exe	16
PID 1456 wrote to memory of 1324	1456	cycegy.exe	16
PID 1456 wrote to memory of 1324	1456	cycegy.exe	16
PID 1456 wrote to memory of 1324	1456	cycegy.exe	16
PID 1456 wrote to memory of 668	1456	cycegy.exe	21
PID 1456 wrote to memory of 668	1456	cycegy.exe	21
PID 1456 wrote to memory of 668	1456	cycegy.exe	21
PID 1456 wrote to memory of 668	1456	cycegy.exe	21
PID 1456 wrote to memory of 668	1456	cycegy.exe	21
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29
PID 668 wrote to memory of 652	668	e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe
  "C:\Users\Admin\AppData\Local\Temp\e933a36f504731dcbfa5ec020c3ed54a7606dd8cf62246bc34f91a2545f95ab3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Users\Admin\AppData\Roaming\Udulcy\cycegy.exe
    "C:\Users\Admin\AppData\Roaming\Udulcy\cycegy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp611791d6.bat"
    3⤵
    - Deletes itself
    PID:652

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp611791d6.bat

Filesize
307B

MD5
1b6a4ae77054246e2a843d2a20f8cbb8

SHA1
535ce295c479c35350bec6f1b005b8571a735d4b

SHA256
ee3e191a81f5c2331e4fb1acbdcafd5045d0b681a75e013c44b7e351b7a2cfd6

SHA512
cb5721fec9ecbb9f69fff5b5c3423ea534048a0da105c4b13df86363c9d8a9f5bcafd9b7bb9bca95ec177956a8004744434871a744fdf3d6c8d6fb64de610a65

Download Submit
C:\Users\Admin\AppData\Roaming\Udulcy\cycegy.exe

Filesize
333KB

MD5
082cf7c897c35aff7726bba026b85f5c

SHA1
9ea3d0e81fc605cb93403dc4405e161903bc95ce

SHA256
53eefa9e857f6daa09c227c7d6e75eed0a3998eb50617c309384ec5dc8b0344e

SHA512
5079a7793fc8fb5177f8e23caf3455c8b51d6913cf9be875820fb3e6f19459d23cf791786a22f3e42149aae506ffcac26d182b3b99981f5dd01cdaca445d7bf3

Download Submit
C:\Users\Admin\AppData\Roaming\Udulcy\cycegy.exe

Filesize
333KB

MD5
082cf7c897c35aff7726bba026b85f5c

SHA1
9ea3d0e81fc605cb93403dc4405e161903bc95ce

SHA256
53eefa9e857f6daa09c227c7d6e75eed0a3998eb50617c309384ec5dc8b0344e

SHA512
5079a7793fc8fb5177f8e23caf3455c8b51d6913cf9be875820fb3e6f19459d23cf791786a22f3e42149aae506ffcac26d182b3b99981f5dd01cdaca445d7bf3

Download Submit
\Users\Admin\AppData\Roaming\Udulcy\cycegy.exe

Filesize
333KB

MD5
082cf7c897c35aff7726bba026b85f5c

SHA1
9ea3d0e81fc605cb93403dc4405e161903bc95ce

SHA256
53eefa9e857f6daa09c227c7d6e75eed0a3998eb50617c309384ec5dc8b0344e

SHA512
5079a7793fc8fb5177f8e23caf3455c8b51d6913cf9be875820fb3e6f19459d23cf791786a22f3e42149aae506ffcac26d182b3b99981f5dd01cdaca445d7bf3

Download Submit
memory/652-98-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/652-114-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/652-94-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/652-96-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/652-97-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/652-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/652-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/652-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/652-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/652-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/652-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-105-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/668-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/668-102-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/668-99-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/668-83-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/668-84-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/668-85-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/668-86-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/668-104-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/668-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/668-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/668-57-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/668-55-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/1192-68-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/1192-67-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/1192-63-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/1192-65-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/1192-66-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/1272-72-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/1272-74-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/1272-73-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/1272-71-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/1324-77-0x0000000002910000-0x0000000002956000-memory.dmp

Filesize
280KB

Download
memory/1324-80-0x0000000002910000-0x0000000002956000-memory.dmp

Filesize
280KB

Download
memory/1324-78-0x0000000002910000-0x0000000002956000-memory.dmp

Filesize
280KB

Download
memory/1324-79-0x0000000002910000-0x0000000002956000-memory.dmp

Filesize
280KB

Download
memory/1456-100-0x0000000001BD0000-0x0000000001C16000-memory.dmp

Filesize
280KB

Download
memory/1456-101-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1456-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download