1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe
Size

301KB
MD5

0d38fc262de04e9ef52bd26b3b066f3d
SHA1

379e20b29b7360f46fe81281d555db9b8e7bae99
SHA256

1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc
SHA512

7be4314b63c330d9a0acfb6c116720fb37867e61060c1e65db4abe569739e752642ea668eb56ca771303df87e722f8f1ef500f7daa411c96ad47790fddea3d35
SSDEEP

6144:6SJc2RbV18X5Jo0Azz0nRixjWBotLVFIYoE6+Nc1k:lJc2NVFEn8VKN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	zudoyl.exe

Deletes itself 1 IoCs

pid	Process
540	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe
1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Evovel\\zudoyl.exe"	zudoyl.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	zudoyl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe
1780	zudoyl.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1780	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	27
PID 1416 wrote to memory of 1780	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	27
PID 1416 wrote to memory of 1780	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	27
PID 1416 wrote to memory of 1780	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	27
PID 1780 wrote to memory of 1160	1780	zudoyl.exe	20
PID 1780 wrote to memory of 1160	1780	zudoyl.exe	20
PID 1780 wrote to memory of 1160	1780	zudoyl.exe	20
PID 1780 wrote to memory of 1160	1780	zudoyl.exe	20
PID 1780 wrote to memory of 1160	1780	zudoyl.exe	20
PID 1780 wrote to memory of 1244	1780	zudoyl.exe	13
PID 1780 wrote to memory of 1244	1780	zudoyl.exe	13
PID 1780 wrote to memory of 1244	1780	zudoyl.exe	13
PID 1780 wrote to memory of 1244	1780	zudoyl.exe	13
PID 1780 wrote to memory of 1244	1780	zudoyl.exe	13
PID 1780 wrote to memory of 1284	1780	zudoyl.exe	19
PID 1780 wrote to memory of 1284	1780	zudoyl.exe	19
PID 1780 wrote to memory of 1284	1780	zudoyl.exe	19
PID 1780 wrote to memory of 1284	1780	zudoyl.exe	19
PID 1780 wrote to memory of 1284	1780	zudoyl.exe	19
PID 1780 wrote to memory of 1416	1780	zudoyl.exe	26
PID 1780 wrote to memory of 1416	1780	zudoyl.exe	26
PID 1780 wrote to memory of 1416	1780	zudoyl.exe	26
PID 1780 wrote to memory of 1416	1780	zudoyl.exe	26
PID 1780 wrote to memory of 1416	1780	zudoyl.exe	26
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28
PID 1416 wrote to memory of 540	1416	1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe
  "C:\Users\Admin\AppData\Local\Temp\1fa2605f1c7c018477f4d785e0f709eb41b007c53fdcc81342dface9b590b6dc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe
    "C:\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9c766e80.bat"
    3⤵
    - Deletes itself
    PID:540

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9c766e80.bat

Filesize
307B

MD5
f1e304770095d9070ca66fa35667e735

SHA1
428e0a2bac803a01ad4f5646962413874be58f8a

SHA256
5b36b70725fe16dc8c82fba27e8d4eee637344260dae6766aba89bb095d21dee

SHA512
087734c443e8593ff35fde0c63911a197d2960887b69dba84fb232715f85e9958cc2a72b2a52aac739a3ca8316cc450262e37fc1529a711fde50ec53b6f7d4ef

Download Submit
C:\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe

Filesize
301KB

MD5
d0180684d3cc92509600403355b196ef

SHA1
ccc2adc5553abb56c1105fb9aaabb278a9d94e4d

SHA256
9575d7539a7107da8781ec65da05d314839c6e0b418f6750cf03220c61aabb32

SHA512
317aec64a7ccb0d6d43d6842732e5e9d80c59f765c9d7c83a50a3b2a45a3ddcd313eebcf9e22f9bc9880da143875c1ea5a7004b2495f3324f7d69569a65088a2

Download Submit
C:\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe

Filesize
301KB

MD5
d0180684d3cc92509600403355b196ef

SHA1
ccc2adc5553abb56c1105fb9aaabb278a9d94e4d

SHA256
9575d7539a7107da8781ec65da05d314839c6e0b418f6750cf03220c61aabb32

SHA512
317aec64a7ccb0d6d43d6842732e5e9d80c59f765c9d7c83a50a3b2a45a3ddcd313eebcf9e22f9bc9880da143875c1ea5a7004b2495f3324f7d69569a65088a2

Download Submit
\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe

Filesize
301KB

MD5
d0180684d3cc92509600403355b196ef

SHA1
ccc2adc5553abb56c1105fb9aaabb278a9d94e4d

SHA256
9575d7539a7107da8781ec65da05d314839c6e0b418f6750cf03220c61aabb32

SHA512
317aec64a7ccb0d6d43d6842732e5e9d80c59f765c9d7c83a50a3b2a45a3ddcd313eebcf9e22f9bc9880da143875c1ea5a7004b2495f3324f7d69569a65088a2

Download Submit
\Users\Admin\AppData\Roaming\Evovel\zudoyl.exe

Filesize
301KB

MD5
d0180684d3cc92509600403355b196ef

SHA1
ccc2adc5553abb56c1105fb9aaabb278a9d94e4d

SHA256
9575d7539a7107da8781ec65da05d314839c6e0b418f6750cf03220c61aabb32

SHA512
317aec64a7ccb0d6d43d6842732e5e9d80c59f765c9d7c83a50a3b2a45a3ddcd313eebcf9e22f9bc9880da143875c1ea5a7004b2495f3324f7d69569a65088a2

Download Submit
memory/540-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/540-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/540-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/540-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/540-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/540-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1160-68-0x0000000001DE0000-0x0000000001E28000-memory.dmp

Filesize
288KB

Download
memory/1160-65-0x0000000001DE0000-0x0000000001E28000-memory.dmp

Filesize
288KB

Download
memory/1160-69-0x0000000001DE0000-0x0000000001E28000-memory.dmp

Filesize
288KB

Download
memory/1160-70-0x0000000001DE0000-0x0000000001E28000-memory.dmp

Filesize
288KB

Download
memory/1160-67-0x0000000001DE0000-0x0000000001E28000-memory.dmp

Filesize
288KB

Download
memory/1244-76-0x00000000001C0000-0x0000000000208000-memory.dmp

Filesize
288KB

Download
memory/1244-73-0x00000000001C0000-0x0000000000208000-memory.dmp

Filesize
288KB

Download
memory/1244-74-0x00000000001C0000-0x0000000000208000-memory.dmp

Filesize
288KB

Download
memory/1244-75-0x00000000001C0000-0x0000000000208000-memory.dmp

Filesize
288KB

Download
memory/1284-80-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-81-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-82-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-79-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1416-103-0x0000000001F90000-0x0000000001FD8000-memory.dmp

Filesize
288KB

Download
memory/1416-87-0x0000000001F90000-0x0000000001FD8000-memory.dmp

Filesize
288KB

Download
memory/1416-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-88-0x0000000001F90000-0x0000000001FD8000-memory.dmp

Filesize
288KB

Download
memory/1416-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1416-86-0x0000000001F90000-0x0000000001FD8000-memory.dmp

Filesize
288KB

Download
memory/1416-85-0x0000000001F90000-0x0000000001FD8000-memory.dmp

Filesize
288KB

Download
memory/1416-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1416-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1416-56-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download