05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9

General

Target

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
Size

936KB
MD5

56da937f9def50b05b6cc712c0f5c34b
SHA1

5b2338345e3e2181fbb07f803444598dccf14826
SHA256

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9
SHA512

1250a38d04b8e621455c374b3790fbaae6a777ea21a909e7a8b04d20a1c6897e9e4f753d89c5a0389e1513d500627dc7dcc64661dd80add46a11e9079bd0a014
SSDEEP

24576:ithEVaPqLE8HjAHdAHgXrpHfaRo8nj49hS0X:6EVUcpHUHdT

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

avyht.exeavyht.exe

pid process

576 avyht.exe
320 avyht.exe

pid	process
576	avyht.exe
320	avyht.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1492-65-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Mezir\avyht.exe	upx
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe	upx
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe	upx
behavioral1/memory/576-73-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe	upx
behavioral1/memory/576-85-0x0000000000400000-0x00000000004D6000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

pid process

1152 05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

pid	process
560	cmd.exe

pid	process
1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1492-65-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe
behavioral1/memory/576-73-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe
behavioral1/memory/576-85-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exeavyht.exe

description	pid	process	target process
PID 1492 set thread context of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 576 set thread context of 320	576	avyht.exe	avyht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

avyht.exe

pid process

320 avyht.exe

pid	process
320	avyht.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

description	pid	process
Token: SeSecurityPrivilege	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
Token: SeSecurityPrivilege	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exeavyht.exe

pid	process
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
576	avyht.exe
576	avyht.exe
576	avyht.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exeavyht.exe

pid	process
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
576	avyht.exe
576	avyht.exe
576	avyht.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exeavyht.exe

description	pid	process	target process
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1492 wrote to memory of 1152	1492	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1152 wrote to memory of 576	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	avyht.exe
PID 1152 wrote to memory of 576	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	avyht.exe
PID 1152 wrote to memory of 576	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	avyht.exe
PID 1152 wrote to memory of 576	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 576 wrote to memory of 320	576	avyht.exe	avyht.exe
PID 1152 wrote to memory of 560	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
"C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
"C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe
"C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe
"C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd5bd792a.bat"
3⤵
- Deletes itself
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd5bd792a.bat

Filesize
307B

MD5
d1230dba6d69c0e4f9c09287e7121eb1

SHA1
7a7860aaffc6a7f1e7c7057ce99ec9b9cf977ca6

SHA256
d5b3b402efde9f7d5cf2dcb659650f338a802e21e312bd3deda06eee6fba0187

SHA512
a138aa181e00b121c56a9cbb8b02eba4ca73201941e2eaebe0ce4e67197d0ffdd7ba28ba12700dc1f4ed83c1722e25a6784b093f272354ec2b2f786725b6fdf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe

Filesize
936KB

MD5
6b4e8f0773cd8d430b77d6859bf28a30

SHA1
8f2eda2ebecb077df9a8978b6bd8a9cc7f22a216

SHA256
11aa6a01c308995572feb22d9697fccbc65fe164c12718113ee80f6db1691f2b

SHA512
d24cdc589503495b1ff62875910d64951f0b8a4c41224adbf0e9463ff65ee91499bfae1f4bee5b5241f4856dc8e88a715732e4cb254bd23a77ed19252290872b

Download Submit
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe

Filesize
936KB

MD5
6b4e8f0773cd8d430b77d6859bf28a30

SHA1
8f2eda2ebecb077df9a8978b6bd8a9cc7f22a216

SHA256
11aa6a01c308995572feb22d9697fccbc65fe164c12718113ee80f6db1691f2b

SHA512
d24cdc589503495b1ff62875910d64951f0b8a4c41224adbf0e9463ff65ee91499bfae1f4bee5b5241f4856dc8e88a715732e4cb254bd23a77ed19252290872b

Download Submit
C:\Users\Admin\AppData\Roaming\Mezir\avyht.exe

Filesize
936KB

MD5
6b4e8f0773cd8d430b77d6859bf28a30

SHA1
8f2eda2ebecb077df9a8978b6bd8a9cc7f22a216

SHA256
11aa6a01c308995572feb22d9697fccbc65fe164c12718113ee80f6db1691f2b

SHA512
d24cdc589503495b1ff62875910d64951f0b8a4c41224adbf0e9463ff65ee91499bfae1f4bee5b5241f4856dc8e88a715732e4cb254bd23a77ed19252290872b

Download Submit
\Users\Admin\AppData\Roaming\Mezir\avyht.exe

Filesize
936KB

MD5
6b4e8f0773cd8d430b77d6859bf28a30

SHA1
8f2eda2ebecb077df9a8978b6bd8a9cc7f22a216

SHA256
11aa6a01c308995572feb22d9697fccbc65fe164c12718113ee80f6db1691f2b

SHA512
d24cdc589503495b1ff62875910d64951f0b8a4c41224adbf0e9463ff65ee91499bfae1f4bee5b5241f4856dc8e88a715732e4cb254bd23a77ed19252290872b

Download Submit
memory/320-81-0x000000000042B055-mapping.dmp

Download
memory/320-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/560-87-0x0000000000000000-mapping.dmp

Download
memory/576-68-0x0000000000000000-mapping.dmp

Download
memory/576-85-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/576-73-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1152-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-72-0x0000000002610000-0x00000000026E6000-memory.dmp

Filesize
856KB

Download
memory/1152-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-62-0x000000000042B055-mapping.dmp

Download
memory/1152-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1152-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-65-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads