89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe
Size

330KB
MD5

074b01e83285b20eafc271a3d1fed283
SHA1

b410b0733e6d9adcbf14bcb009235d05465f97ac
SHA256

89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9
SHA512

8cde8e4e7d87367e9df729f3dc662e947cd86b7dfd896d0c4bbccfe25b5bd07ddeee767966673274f43581127c32fa65c6ca07f8b2f17a78255a9fe9c04925a9
SSDEEP

6144:wU1tnxKApiXZcKgGEoi9P7DGXfszPxuRiIdn+:Xtn4A2+KjEL9z6cPxqiC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4648	ydubr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	ydubr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32C81FC9-556D-BCA0-B82C-F77E75D9ED7C} = "C:\\Users\\Admin\\AppData\\Roaming\\Olqoon\\ydubr.exe"	ydubr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4540 set thread context of 1652	4540	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	82

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe
4648	ydubr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4648	4540	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	81
PID 4540 wrote to memory of 4648	4540	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	81
PID 4540 wrote to memory of 4648	4540	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	81
PID 4648 wrote to memory of 2312	4648	ydubr.exe	76
PID 4648 wrote to memory of 2312	4648	ydubr.exe	76
PID 4648 wrote to memory of 2312	4648	ydubr.exe	76
PID 4648 wrote to memory of 2312	4648	ydubr.exe	76
PID 4648 wrote to memory of 2312	4648	ydubr.exe	76
PID 4648 wrote to memory of 2340	4648	ydubr.exe	75
PID 4648 wrote to memory of 2340	4648	ydubr.exe	75
PID 4648 wrote to memory of 2340	4648	ydubr.exe	75
PID 4648 wrote to memory of 2340	4648	ydubr.exe	75
PID 4648 wrote to memory of 2340	4648	ydubr.exe	75
PID 4648 wrote to memory of 2396	4648	ydubr.exe	39
PID 4648 wrote to memory of 2396	4648	ydubr.exe	39
PID 4648 wrote to memory of 2396	4648	ydubr.exe	39
PID 4648 wrote to memory of 2396	4648	ydubr.exe	39
PID 4648 wrote to memory of 2396	4648	ydubr.exe	39
PID 4648 wrote to memory of 3068	4648	ydubr.exe	43
PID 4648 wrote to memory of 3068	4648	ydubr.exe	43
PID 4648 wrote to memory of 3068	4648	ydubr.exe	43
PID 4648 wrote to memory of 3068	4648	ydubr.exe	43
PID 4648 wrote to memory of 3068	4648	ydubr.exe	43
PID 4648 wrote to memory of 2632	4648	ydubr.exe	68
PID 4648 wrote to memory of 2632	4648	ydubr.exe	68
PID 4648 wrote to memory of 2632	4648	ydubr.exe	68
PID 4648 wrote to memory of 2632	4648	ydubr.exe	68
PID 4648 wrote to memory of 2632	4648	ydubr.exe	68
PID 4648 wrote to memory of 3236	4648	ydubr.exe	67
PID 4648 wrote to memory of 3236	4648	ydubr.exe	67
PID 4648 wrote to memory of 3236	4648	ydubr.exe	67
PID 4648 wrote to memory of 3236	4648	ydubr.exe	67
PID 4648 wrote to memory of 3236	4648	ydubr.exe	67
PID 4648 wrote to memory of 3328	4648	ydubr.exe	44
PID 4648 wrote to memory of 3328	4648	ydubr.exe	44
PID 4648 wrote to memory of 3328	4648	ydubr.exe	44
PID 4648 wrote to memory of 3328	4648	ydubr.exe	44
PID 4648 wrote to memory of 3328	4648	ydubr.exe	44
PID 4648 wrote to memory of 3408	4648	ydubr.exe	45
PID 4648 wrote to memory of 3408	4648	ydubr.exe	45
PID 4648 wrote to memory of 3408	4648	ydubr.exe	45
PID 4648 wrote to memory of 3408	4648	ydubr.exe	45
PID 4648 wrote to memory of 3408	4648	ydubr.exe	45
PID 4648 wrote to memory of 3496	4648	ydubr.exe	66
PID 4648 wrote to memory of 3496	4648	ydubr.exe	66
PID 4648 wrote to memory of 3496	4648	ydubr.exe	66
PID 4648 wrote to memory of 3496	4648	ydubr.exe	66
PID 4648 wrote to memory of 3496	4648	ydubr.exe	66
PID 4648 wrote to memory of 3648	4648	ydubr.exe	65
PID 4648 wrote to memory of 3648	4648	ydubr.exe	65
PID 4648 wrote to memory of 3648	4648	ydubr.exe	65
PID 4648 wrote to memory of 3648	4648	ydubr.exe	65
PID 4648 wrote to memory of 3648	4648	ydubr.exe	65
PID 4648 wrote to memory of 4716	4648	ydubr.exe	47
PID 4648 wrote to memory of 4716	4648	ydubr.exe	47
PID 4648 wrote to memory of 4716	4648	ydubr.exe	47
PID 4648 wrote to memory of 4716	4648	ydubr.exe	47
PID 4648 wrote to memory of 4716	4648	ydubr.exe	47
PID 4648 wrote to memory of 4540	4648	ydubr.exe	80
PID 4648 wrote to memory of 4540	4648	ydubr.exe	80
PID 4648 wrote to memory of 4540	4648	ydubr.exe	80
PID 4648 wrote to memory of 4540	4648	ydubr.exe	80
PID 4648 wrote to memory of 4540	4648	ydubr.exe	80
PID 4540 wrote to memory of 1652	4540	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	82

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2396

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe
  "C:\Users\Admin\AppData\Local\Temp\89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Roaming\Olqoon\ydubr.exe
    "C:\Users\Admin\AppData\Roaming\Olqoon\ydubr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp52864388.bat"
    3⤵
    PID:1652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3328

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp52864388.bat

Filesize
307B

MD5
c43511cadaab78b803fad11c87c90de6

SHA1
76a8f8f0269ecc17edeb8128ae67f8a00a4f29e6

SHA256
471c64614df3740ce2bd314416b466853e042c0911a23c7577c6e95f282c2c06

SHA512
861951f4a1e0e14cbcc57a9727ddee111e1563583d0cc88e181f820d0a1bb5afdc1b89d5c836d6cb634844db4f21856a60ebe92cb163221c4530efe77bd7beda

Download Submit
C:\Users\Admin\AppData\Roaming\Olqoon\ydubr.exe

Filesize
330KB

MD5
3a922861aea064443ee172313b8a7397

SHA1
31eeabec2f831f3b0e41c0d8c765954a03cee3f4

SHA256
ec13de8c72a6cca12db860f3294cf10376208997bde1b942c7f338babf5992a3

SHA512
6b952452fa4ac78b69b49db952b1b0fbc90d99af6b62376b71f3e74be48855594df256b586c1e020fb00399c2853bf70c4851800dcc65ea65ac34dcbee9b478e

Download Submit
C:\Users\Admin\AppData\Roaming\Olqoon\ydubr.exe

Filesize
330KB

MD5
3a922861aea064443ee172313b8a7397

SHA1
31eeabec2f831f3b0e41c0d8c765954a03cee3f4

SHA256
ec13de8c72a6cca12db860f3294cf10376208997bde1b942c7f338babf5992a3

SHA512
6b952452fa4ac78b69b49db952b1b0fbc90d99af6b62376b71f3e74be48855594df256b586c1e020fb00399c2853bf70c4851800dcc65ea65ac34dcbee9b478e

Download Submit
memory/1652-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-160-0x0000000000520000-0x0000000000567000-memory.dmp

Filesize
284KB

Download
memory/1652-158-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-149-0x0000000000520000-0x0000000000567000-memory.dmp

Filesize
284KB

Download
memory/4540-145-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-150-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4540-151-0x00000000022C0000-0x0000000002307000-memory.dmp

Filesize
284KB

Download
memory/4540-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-138-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4540-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4540-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4540-137-0x0000000002210000-0x0000000002257000-memory.dmp

Filesize
284KB

Download
memory/4540-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4648-161-0x0000000000620000-0x0000000000667000-memory.dmp

Filesize
284KB

Download
memory/4648-162-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4648-163-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download