fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d

General

Target

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe
Size

351KB
MD5

91458c7086ecdae7abbee181188e7ff7
SHA1

e64f8cb987608820db4ee6fbd098fd14034afc61
SHA256

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d
SHA512

aff041910a6e7cf1ca5011c770eda1790672eef7e36eb2412044b37751786d3a707ab2ca11ccc2adf6dc36244d61364610159530f189512a5d282e96818fdea5
SSDEEP

6144:Qajim2UMkGolvCnITy0LBBL0NKrGWBGk9uhzRs1VQMpLEGBL3cxZo:Qamm2SGolvCFUBLnrGWBZc9qQ5GBbczo

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vygi.exe

pid process

1120 vygi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

pid process

1448 fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

pid	process
1964	cmd.exe

pid	process
1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{E8090743-545D-BCC9-67C5-EE9E71C1B2C4} = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ynihs\\vygi.exe\""	explorer.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7AD269E3-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vygi.exeexplorer.exe

pid	process
1120	vygi.exe
1120	vygi.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vygi.exe

pid process

1120 vygi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe
Token: SeManageVolumePrivilege	472	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

472 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

472 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

472 WinMail.exe

pid	process
472	WinMail.exe

pid	process
472	WinMail.exe

pid	process
472	WinMail.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exevygi.exeexplorer.exe

description	pid	process	target process
PID 1448 wrote to memory of 1120	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	vygi.exe
PID 1448 wrote to memory of 1120	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	vygi.exe
PID 1448 wrote to memory of 1120	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	vygi.exe
PID 1448 wrote to memory of 1120	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	vygi.exe
PID 1120 wrote to memory of 1100	1120	vygi.exe	explorer.exe
PID 1120 wrote to memory of 1100	1120	vygi.exe	explorer.exe
PID 1120 wrote to memory of 1100	1120	vygi.exe	explorer.exe
PID 1120 wrote to memory of 1100	1120	vygi.exe	explorer.exe
PID 1100 wrote to memory of 1392	1100	explorer.exe	Explorer.EXE
PID 1100 wrote to memory of 1392	1100	explorer.exe	Explorer.EXE
PID 1100 wrote to memory of 1392	1100	explorer.exe	Explorer.EXE
PID 1448 wrote to memory of 1964	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe
PID 1448 wrote to memory of 1964	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe
PID 1448 wrote to memory of 1964	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe
PID 1448 wrote to memory of 1964	1448	fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe
"C:\Users\Admin\AppData\Local\Temp\fd5620d90043a3d2a8cefc0226fb0ed1dd1e2a1ea3657bb80e166f71c0df965d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\Ynihs\vygi.exe
"C:\Users\Admin\AppData\Roaming\Ynihs\vygi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpabaa0bd9.bat"
3⤵
- Deletes itself
PID:1964

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpabaa0bd9.bat

Filesize
307B

MD5
1a7e7caf945ba8f0229087445523a278

SHA1
c3e3faa74ae234ec77065a90fa98e0ae42d3401b

SHA256
c7df7722818f8868e4f00fcc6ed19f77910cf855f76bb5973df10bc678bbad3b

SHA512
a85d407c452808096b18f493813d0f4a1966c870a715ebcc2ee69a0aec717212b63b3d1d980e49a6421498f49966a15e4f7af3afb0acddf073666b77dbb1576e

Download Submit
C:\Users\Admin\AppData\Roaming\Ynihs\vygi.exe

Filesize
351KB

MD5
6e444d7801e687633c96ad4594b1056d

SHA1
c313776dde75bab4ae90ab3b4d762bea9819d9ed

SHA256
943861a48a8f7b8dc8f4b71b53f6ad4997cf06adfe2286ab24b3aadfe9597a74

SHA512
413f6f9b262a4d61a35c67943a1270f11b946ff37d6ad203b01841851805bb2e65e3865f75e93107c54222535de4bf454ffc6c7b52c4a26ce7f3b7385a558b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Ynihs\vygi.exe

Filesize
351KB

MD5
6e444d7801e687633c96ad4594b1056d

SHA1
c313776dde75bab4ae90ab3b4d762bea9819d9ed

SHA256
943861a48a8f7b8dc8f4b71b53f6ad4997cf06adfe2286ab24b3aadfe9597a74

SHA512
413f6f9b262a4d61a35c67943a1270f11b946ff37d6ad203b01841851805bb2e65e3865f75e93107c54222535de4bf454ffc6c7b52c4a26ce7f3b7385a558b2d

Download Submit
\Users\Admin\AppData\Roaming\Ynihs\vygi.exe

Filesize
351KB

MD5
6e444d7801e687633c96ad4594b1056d

SHA1
c313776dde75bab4ae90ab3b4d762bea9819d9ed

SHA256
943861a48a8f7b8dc8f4b71b53f6ad4997cf06adfe2286ab24b3aadfe9597a74

SHA512
413f6f9b262a4d61a35c67943a1270f11b946ff37d6ad203b01841851805bb2e65e3865f75e93107c54222535de4bf454ffc6c7b52c4a26ce7f3b7385a558b2d

Download Submit
memory/472-69-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/472-77-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/472-71-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/472-70-0x000007FEF6431000-0x000007FEF6433000-memory.dmp

Filesize
8KB

Download
memory/1100-83-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1100-66-0x0000000000000000-mapping.dmp

Download
memory/1100-68-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download
memory/1100-86-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1120-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-62-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download
memory/1120-59-0x0000000000000000-mapping.dmp

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1448-55-0x0000000002270000-0x0000000002305000-memory.dmp

Filesize
596KB

Download
memory/1964-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads