d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe
Size

325KB
MD5

07552d52f2ff73a35055b8bf568bb0ce
SHA1

5ec12ddb31c9e61a2d8b53ecc28f70bf31585e0a
SHA256

d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b
SHA512

a2a79a10f4cd4ad007ede8631b6ed81803bc32f8c0d4353bd65d74fef4383c9b90b3c441e71cd9dc0e66abe9e0a5ef936646d72aa8714f4ab57a1c7293254d7d
SSDEEP

6144:re3NlYQGajdevHlCRM2k1Pt+LCJ8kOp4x1mMwO9eGGxMbaCw3ovUnl:63XtRjd8Ft2kT+LBXpDMjefxOaCw3oal

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1592	ecybt.exe

Deletes itself 1 IoCs

pid	Process
1472	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	ecybt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Baevd\\ecybt.exe"	ecybt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe
1592	ecybt.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe
1592	ecybt.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1416 wrote to memory of 1592	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	26
PID 1592 wrote to memory of 1124	1592	ecybt.exe	15
PID 1592 wrote to memory of 1124	1592	ecybt.exe	15
PID 1592 wrote to memory of 1124	1592	ecybt.exe	15
PID 1592 wrote to memory of 1124	1592	ecybt.exe	15
PID 1592 wrote to memory of 1124	1592	ecybt.exe	15
PID 1592 wrote to memory of 1208	1592	ecybt.exe	14
PID 1592 wrote to memory of 1208	1592	ecybt.exe	14
PID 1592 wrote to memory of 1208	1592	ecybt.exe	14
PID 1592 wrote to memory of 1208	1592	ecybt.exe	14
PID 1592 wrote to memory of 1208	1592	ecybt.exe	14
PID 1592 wrote to memory of 1248	1592	ecybt.exe	9
PID 1592 wrote to memory of 1248	1592	ecybt.exe	9
PID 1592 wrote to memory of 1248	1592	ecybt.exe	9
PID 1592 wrote to memory of 1248	1592	ecybt.exe	9
PID 1592 wrote to memory of 1248	1592	ecybt.exe	9
PID 1592 wrote to memory of 1416	1592	ecybt.exe	25
PID 1592 wrote to memory of 1416	1592	ecybt.exe	25
PID 1592 wrote to memory of 1416	1592	ecybt.exe	25
PID 1592 wrote to memory of 1416	1592	ecybt.exe	25
PID 1592 wrote to memory of 1416	1592	ecybt.exe	25
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27
PID 1416 wrote to memory of 1472	1416	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe
  "C:\Users\Admin\AppData\Local\Temp\d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Roaming\Baevd\ecybt.exe
    "C:\Users\Admin\AppData\Roaming\Baevd\ecybt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp722baadd.bat"
    3⤵
    - Deletes itself
    PID:1472

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp722baadd.bat

Filesize
307B

MD5
e52b6068ccb46bb0a15b79926d30f389

SHA1
9a101525ca7f84efb551cf8ea28bdcf19db3b0f3

SHA256
b03b9c6d55f8554d72151e0e87e367d20a5015acdf0eae90f3405d639f449c8b

SHA512
94c31cf55ba5017b6536decc5b6e62453ec11d783d43e5c88ccca3692d0c8a42b794ba7be7500293877b0386edb3b610f67b6377eca6855571eeae24d30feb09

Download Submit
C:\Users\Admin\AppData\Roaming\Baevd\ecybt.exe

Filesize
325KB

MD5
0f72c931845cc593ec91a91ea429fb28

SHA1
4c22323cce09ed9d554738211c3a6b23395c1c5e

SHA256
290173ca3ea98d1100fd62a81999bfcb49e101681391d3e46e6fd8d4d11c153a

SHA512
23f630f52169bbadb588afc6aed289de618b142be37ff2d2b7e70037d07caa10388a3c5f9d35a42a0c26e84519bf7d6b1c10b2b13e60e986ca787e7e2c9a7ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Baevd\ecybt.exe

Filesize
325KB

MD5
0f72c931845cc593ec91a91ea429fb28

SHA1
4c22323cce09ed9d554738211c3a6b23395c1c5e

SHA256
290173ca3ea98d1100fd62a81999bfcb49e101681391d3e46e6fd8d4d11c153a

SHA512
23f630f52169bbadb588afc6aed289de618b142be37ff2d2b7e70037d07caa10388a3c5f9d35a42a0c26e84519bf7d6b1c10b2b13e60e986ca787e7e2c9a7ab1

Download Submit
\Users\Admin\AppData\Roaming\Baevd\ecybt.exe

Filesize
325KB

MD5
0f72c931845cc593ec91a91ea429fb28

SHA1
4c22323cce09ed9d554738211c3a6b23395c1c5e

SHA256
290173ca3ea98d1100fd62a81999bfcb49e101681391d3e46e6fd8d4d11c153a

SHA512
23f630f52169bbadb588afc6aed289de618b142be37ff2d2b7e70037d07caa10388a3c5f9d35a42a0c26e84519bf7d6b1c10b2b13e60e986ca787e7e2c9a7ab1

Download Submit
memory/1124-68-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/1124-64-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/1124-66-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/1124-67-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/1124-69-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/1208-75-0x0000000001C80000-0x0000000001CC6000-memory.dmp

Filesize
280KB

Download
memory/1208-72-0x0000000001C80000-0x0000000001CC6000-memory.dmp

Filesize
280KB

Download
memory/1208-73-0x0000000001C80000-0x0000000001CC6000-memory.dmp

Filesize
280KB

Download
memory/1208-74-0x0000000001C80000-0x0000000001CC6000-memory.dmp

Filesize
280KB

Download
memory/1248-78-0x0000000002680000-0x00000000026C6000-memory.dmp

Filesize
280KB

Download
memory/1248-79-0x0000000002680000-0x00000000026C6000-memory.dmp

Filesize
280KB

Download
memory/1248-80-0x0000000002680000-0x00000000026C6000-memory.dmp

Filesize
280KB

Download
memory/1248-81-0x0000000002680000-0x00000000026C6000-memory.dmp

Filesize
280KB

Download
memory/1416-86-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/1416-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1416-58-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-57-0x0000000001BE0000-0x0000000001C26000-memory.dmp

Filesize
280KB

Download
memory/1416-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1416-84-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/1416-85-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1416-87-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/1416-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1416-102-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/1472-98-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1472-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-97-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1472-111-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1472-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1472-99-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1472-95-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1592-112-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/1592-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1592-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download