05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9

General

Target

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
Size

936KB
MD5

56da937f9def50b05b6cc712c0f5c34b
SHA1

5b2338345e3e2181fbb07f803444598dccf14826
SHA256

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9
SHA512

1250a38d04b8e621455c374b3790fbaae6a777ea21a909e7a8b04d20a1c6897e9e4f753d89c5a0389e1513d500627dc7dcc64661dd80add46a11e9079bd0a014
SSDEEP

24576:ithEVaPqLE8HjAHdAHgXrpHfaRo8nj49hS0X:6EVUcpHUHdT

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zefiy.exezefiy.exe

pid process

1292 zefiy.exe
5052 zefiy.exe

pid	process
1292	zefiy.exe
5052	zefiy.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/384-132-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/384-136-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe	upx
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe	upx
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe	upx
behavioral2/memory/1292-145-0x0000000000400000-0x00000000004D6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zefiy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	zefiy.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	zefiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycrybypyso = "C:\\Users\\Admin\\AppData\\Roaming\\Kuank\\zefiy.exe"	zefiy.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/384-132-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe
behavioral2/memory/384-136-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe
behavioral2/memory/1292-145-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exezefiy.exe

description	pid	process	target process
PID 384 set thread context of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 1292 set thread context of 5052	1292	zefiy.exe	zefiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zefiy.exe

pid	process
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe
5052	zefiy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

description	pid	process
Token: SeSecurityPrivilege	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
Token: SeSecurityPrivilege	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exezefiy.exe

pid	process
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1292	zefiy.exe
1292	zefiy.exe
1292	zefiy.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exezefiy.exe

pid	process
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
1292	zefiy.exe
1292	zefiy.exe
1292	zefiy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exezefiy.exezefiy.exe

description	pid	process	target process
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 384 wrote to memory of 3960	384	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
PID 3960 wrote to memory of 1292	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	zefiy.exe
PID 3960 wrote to memory of 1292	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	zefiy.exe
PID 3960 wrote to memory of 1292	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 1292 wrote to memory of 5052	1292	zefiy.exe	zefiy.exe
PID 5052 wrote to memory of 2336	5052	zefiy.exe	sihost.exe
PID 5052 wrote to memory of 2336	5052	zefiy.exe	sihost.exe
PID 5052 wrote to memory of 2336	5052	zefiy.exe	sihost.exe
PID 5052 wrote to memory of 2336	5052	zefiy.exe	sihost.exe
PID 5052 wrote to memory of 2336	5052	zefiy.exe	sihost.exe
PID 5052 wrote to memory of 2376	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 2376	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 2376	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 2376	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 2376	5052	zefiy.exe	svchost.exe
PID 3960 wrote to memory of 4028	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 3960 wrote to memory of 4028	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 3960 wrote to memory of 4028	3960	05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe	cmd.exe
PID 5052 wrote to memory of 2608	5052	zefiy.exe	taskhostw.exe
PID 5052 wrote to memory of 2608	5052	zefiy.exe	taskhostw.exe
PID 5052 wrote to memory of 2608	5052	zefiy.exe	taskhostw.exe
PID 5052 wrote to memory of 2608	5052	zefiy.exe	taskhostw.exe
PID 5052 wrote to memory of 2608	5052	zefiy.exe	taskhostw.exe
PID 5052 wrote to memory of 2724	5052	zefiy.exe	Explorer.EXE
PID 5052 wrote to memory of 2724	5052	zefiy.exe	Explorer.EXE
PID 5052 wrote to memory of 2724	5052	zefiy.exe	Explorer.EXE
PID 5052 wrote to memory of 2724	5052	zefiy.exe	Explorer.EXE
PID 5052 wrote to memory of 2724	5052	zefiy.exe	Explorer.EXE
PID 5052 wrote to memory of 3096	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 3096	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 3096	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 3096	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 3096	5052	zefiy.exe	svchost.exe
PID 5052 wrote to memory of 3292	5052	zefiy.exe	DllHost.exe
PID 5052 wrote to memory of 3292	5052	zefiy.exe	DllHost.exe
PID 5052 wrote to memory of 3292	5052	zefiy.exe	DllHost.exe
PID 5052 wrote to memory of 3292	5052	zefiy.exe	DllHost.exe
PID 5052 wrote to memory of 3292	5052	zefiy.exe	DllHost.exe
PID 5052 wrote to memory of 3444	5052	zefiy.exe	StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3444	5052	zefiy.exe	StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3444	5052	zefiy.exe	StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3444	5052	zefiy.exe	StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3444	5052	zefiy.exe	StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3524	5052	zefiy.exe	RuntimeBroker.exe
PID 5052 wrote to memory of 3524	5052	zefiy.exe	RuntimeBroker.exe
PID 5052 wrote to memory of 3524	5052	zefiy.exe	RuntimeBroker.exe
PID 5052 wrote to memory of 3524	5052	zefiy.exe	RuntimeBroker.exe
PID 5052 wrote to memory of 3524	5052	zefiy.exe	RuntimeBroker.exe
PID 5052 wrote to memory of 3608	5052	zefiy.exe	SearchApp.exe
PID 5052 wrote to memory of 3608	5052	zefiy.exe	SearchApp.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
"C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe
"C:\Users\Admin\AppData\Local\Temp\05c3d9e3294dec9348ed4d6b0f1c1b0c8bc95520d55e0c1e3c56c780470c66f9.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe
"C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe
"C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpee173d2b.bat"
4⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3080

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpee173d2b.bat

Filesize
307B

MD5
401cafadf394968e082a82df0d867e25

SHA1
b5abe7e10dc58daeab003db41447d98970cca7e6

SHA256
6edb10f0d9e06fa58ef9a1b31cc78abad5b2ce66ccd9c1b4751a2920bb0a73f0

SHA512
0ae4b9950c8a57c29ee17f27a690ebb48c5d80505d5927609f9d7bd86985b3dd801281c6e4aa31cd910c146fe6381a99c54fc30ff4bb5402d81962a1c5682e5d

Download Submit
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe

Filesize
936KB

MD5
fe360606a5d53ecd196d2d152fbe30d6

SHA1
41ea2a2ee1aa65ff2b061713f7e188e2fa9fcd76

SHA256
7b814c21c25d6bd98de92b3c90c1a7e557d76f538769da109607c7d4cf4008ca

SHA512
77a6d95da5e271d8577aa9cdf072ceea62478f157cf178c576cf764c0130195ffcd858ae4127ce78fc8f713b3e59ca6af031ee393e0bc861bc6ad4ac0932b7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe

Filesize
936KB

MD5
fe360606a5d53ecd196d2d152fbe30d6

SHA1
41ea2a2ee1aa65ff2b061713f7e188e2fa9fcd76

SHA256
7b814c21c25d6bd98de92b3c90c1a7e557d76f538769da109607c7d4cf4008ca

SHA512
77a6d95da5e271d8577aa9cdf072ceea62478f157cf178c576cf764c0130195ffcd858ae4127ce78fc8f713b3e59ca6af031ee393e0bc861bc6ad4ac0932b7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Kuank\zefiy.exe

Filesize
936KB

MD5
fe360606a5d53ecd196d2d152fbe30d6

SHA1
41ea2a2ee1aa65ff2b061713f7e188e2fa9fcd76

SHA256
7b814c21c25d6bd98de92b3c90c1a7e557d76f538769da109607c7d4cf4008ca

SHA512
77a6d95da5e271d8577aa9cdf072ceea62478f157cf178c576cf764c0130195ffcd858ae4127ce78fc8f713b3e59ca6af031ee393e0bc861bc6ad4ac0932b7a4

Download Submit
memory/384-136-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/384-132-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1292-138-0x0000000000000000-mapping.dmp

Download
memory/1292-145-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3960-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-133-0x0000000000000000-mapping.dmp

Download
memory/3960-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4028-146-0x0000000000000000-mapping.dmp

Download
memory/4028-150-0x00000000012D0000-0x000000000130B000-memory.dmp

Filesize
236KB

Download
memory/5052-141-0x0000000000000000-mapping.dmp

Download
memory/5052-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads