d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b

Analysis

max time kernel
174s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe
Size

325KB
MD5

07552d52f2ff73a35055b8bf568bb0ce
SHA1

5ec12ddb31c9e61a2d8b53ecc28f70bf31585e0a
SHA256

d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b
SHA512

a2a79a10f4cd4ad007ede8631b6ed81803bc32f8c0d4353bd65d74fef4383c9b90b3c441e71cd9dc0e66abe9e0a5ef936646d72aa8714f4ab57a1c7293254d7d
SSDEEP

6144:re3NlYQGajdevHlCRM2k1Pt+LCJ8kOp4x1mMwO9eGGxMbaCw3ovUnl:63XtRjd8Ft2kT+LBXpDMjefxOaCw3oal

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4940	usex.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	usex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{176762F4-556D-BCA0-3AE4-8903F7119301} = "C:\\Users\\Admin\\AppData\\Roaming\\Inedwu\\usex.exe"	usex.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 456	5044	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	80

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe
4940	usex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4940	5044	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	79
PID 5044 wrote to memory of 4940	5044	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	79
PID 5044 wrote to memory of 4940	5044	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	79
PID 4940 wrote to memory of 2452	4940	usex.exe	44
PID 4940 wrote to memory of 2452	4940	usex.exe	44
PID 4940 wrote to memory of 2452	4940	usex.exe	44
PID 4940 wrote to memory of 2452	4940	usex.exe	44
PID 4940 wrote to memory of 2452	4940	usex.exe	44
PID 4940 wrote to memory of 2468	4940	usex.exe	77
PID 4940 wrote to memory of 2468	4940	usex.exe	77
PID 4940 wrote to memory of 2468	4940	usex.exe	77
PID 4940 wrote to memory of 2468	4940	usex.exe	77
PID 4940 wrote to memory of 2468	4940	usex.exe	77
PID 4940 wrote to memory of 2768	4940	usex.exe	72
PID 4940 wrote to memory of 2768	4940	usex.exe	72
PID 4940 wrote to memory of 2768	4940	usex.exe	72
PID 4940 wrote to memory of 2768	4940	usex.exe	72
PID 4940 wrote to memory of 2768	4940	usex.exe	72
PID 4940 wrote to memory of 2720	4940	usex.exe	47
PID 4940 wrote to memory of 2720	4940	usex.exe	47
PID 4940 wrote to memory of 2720	4940	usex.exe	47
PID 4940 wrote to memory of 2720	4940	usex.exe	47
PID 4940 wrote to memory of 2720	4940	usex.exe	47
PID 4940 wrote to memory of 3012	4940	usex.exe	70
PID 4940 wrote to memory of 3012	4940	usex.exe	70
PID 4940 wrote to memory of 3012	4940	usex.exe	70
PID 4940 wrote to memory of 3012	4940	usex.exe	70
PID 4940 wrote to memory of 3012	4940	usex.exe	70
PID 4940 wrote to memory of 3252	4940	usex.exe	69
PID 4940 wrote to memory of 3252	4940	usex.exe	69
PID 4940 wrote to memory of 3252	4940	usex.exe	69
PID 4940 wrote to memory of 3252	4940	usex.exe	69
PID 4940 wrote to memory of 3252	4940	usex.exe	69
PID 4940 wrote to memory of 3344	4940	usex.exe	68
PID 4940 wrote to memory of 3344	4940	usex.exe	68
PID 4940 wrote to memory of 3344	4940	usex.exe	68
PID 4940 wrote to memory of 3344	4940	usex.exe	68
PID 4940 wrote to memory of 3344	4940	usex.exe	68
PID 4940 wrote to memory of 3412	4940	usex.exe	48
PID 4940 wrote to memory of 3412	4940	usex.exe	48
PID 4940 wrote to memory of 3412	4940	usex.exe	48
PID 4940 wrote to memory of 3412	4940	usex.exe	48
PID 4940 wrote to memory of 3412	4940	usex.exe	48
PID 4940 wrote to memory of 3496	4940	usex.exe	67
PID 4940 wrote to memory of 3496	4940	usex.exe	67
PID 4940 wrote to memory of 3496	4940	usex.exe	67
PID 4940 wrote to memory of 3496	4940	usex.exe	67
PID 4940 wrote to memory of 3496	4940	usex.exe	67
PID 4940 wrote to memory of 3696	4940	usex.exe	66
PID 4940 wrote to memory of 3696	4940	usex.exe	66
PID 4940 wrote to memory of 3696	4940	usex.exe	66
PID 4940 wrote to memory of 3696	4940	usex.exe	66
PID 4940 wrote to memory of 3696	4940	usex.exe	66
PID 4940 wrote to memory of 4560	4940	usex.exe	63
PID 4940 wrote to memory of 4560	4940	usex.exe	63
PID 4940 wrote to memory of 4560	4940	usex.exe	63
PID 4940 wrote to memory of 4560	4940	usex.exe	63
PID 4940 wrote to memory of 4560	4940	usex.exe	63
PID 4940 wrote to memory of 5044	4940	usex.exe	78
PID 4940 wrote to memory of 5044	4940	usex.exe	78
PID 4940 wrote to memory of 5044	4940	usex.exe	78
PID 4940 wrote to memory of 5044	4940	usex.exe	78
PID 4940 wrote to memory of 5044	4940	usex.exe	78
PID 5044 wrote to memory of 456	5044	d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe	80

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe
  "C:\Users\Admin\AppData\Local\Temp\d087f8846f93e267d75ce6ac7c37808b9021015ae9743d942879e0cb121a360b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Roaming\Inedwu\usex.exe
    "C:\Users\Admin\AppData\Roaming\Inedwu\usex.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfa82e2e5.bat"
    3⤵
    PID:456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3012

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfa82e2e5.bat

Filesize
307B

MD5
822ce3618106d1b9e900e1fa7f073eba

SHA1
085d1ef8d16e639c40a4eea0ec7084d78136cad4

SHA256
14d60da02a90b19ffdbdeb06894eaf2a5288115d6e0a40800abf68676286097c

SHA512
9585829aff04c537c307126a70c2d8d0890184c7e82d341687d85776c7737fd9fab93cdf5c2c37cbb5fa64c7222aec0459c96655d5fb40d0766072aa7d034870

Download Submit
C:\Users\Admin\AppData\Roaming\Inedwu\usex.exe

Filesize
325KB

MD5
592646b3e434d41a47278eb366b73385

SHA1
11c2a51842f46731a19612a194346d6fb80247fa

SHA256
996c417a8cede3dea04aa70d7206799b0d306f988706c5733ea03d0825432ec5

SHA512
901135cc8e94a137733b29c44d297f6dac4f163705adb44a52c29694cb35f49e3edccaa16b0a5ea5aff8952aedb30175858785459b231c1bb246d964b8a45933

Download Submit
C:\Users\Admin\AppData\Roaming\Inedwu\usex.exe

Filesize
325KB

MD5
592646b3e434d41a47278eb366b73385

SHA1
11c2a51842f46731a19612a194346d6fb80247fa

SHA256
996c417a8cede3dea04aa70d7206799b0d306f988706c5733ea03d0825432ec5

SHA512
901135cc8e94a137733b29c44d297f6dac4f163705adb44a52c29694cb35f49e3edccaa16b0a5ea5aff8952aedb30175858785459b231c1bb246d964b8a45933

Download Submit
memory/456-155-0x0000000000740000-0x0000000000786000-memory.dmp

Filesize
280KB

Download
memory/456-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-158-0x0000000000740000-0x0000000000786000-memory.dmp

Filesize
280KB

Download
memory/456-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/456-144-0x0000000000740000-0x0000000000786000-memory.dmp

Filesize
280KB

Download
memory/4940-156-0x00000000020F0000-0x0000000002136000-memory.dmp

Filesize
280KB

Download
memory/4940-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5044-147-0x00000000022E0000-0x0000000002326000-memory.dmp

Filesize
280KB

Download
memory/5044-145-0x0000000002240000-0x0000000002286000-memory.dmp

Filesize
280KB

Download
memory/5044-146-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5044-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5044-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5044-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5044-132-0x0000000002240000-0x0000000002286000-memory.dmp

Filesize
280KB

Download
memory/5044-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5044-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5044-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download