60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0

General

Target

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
Size

330KB
MD5

05789d739348e1676df6c702061d942b
SHA1

551efdb39a0fbcf7ec9f70b3ad935028dfd84bbd
SHA256

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0
SHA512

534389b9684b0059f3c960d8fa25dd6830fa634f3d776158c961789c0bbf19a5e8c3c9bcb3bdc68d5631b15e6e70c164ee47af4f06886c97e79c3df66bf47179
SSDEEP

6144:vtEQ7FUgTiyUXe2ZsD9eBVtQRlc12iVkIFzW9TLSDoC3FHvKHM9lnH:vayFBiym920jcc1f9a9XS335vH9l

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

byde.exe

pid process

1792 byde.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe

pid	process
672	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe

pid	process
788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

byde.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\Currentversion\Run	byde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0F2E54C8-3777-AD4D-74EB-E9074BCFCA1A} = "C:\\Users\\Admin\\AppData\\Roaming\\Ysjesu\\byde.exe"	byde.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe

description pid process target process

PID 788 set thread context of 672 788 60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe cmd.exe

description	pid	process	target process
PID 788 set thread context of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

byde.exe

pid	process
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe
1792	byde.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exebyde.exe

pid process

788 60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
1792 byde.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exebyde.exe

description	pid	process	target process
PID 788 wrote to memory of 1792	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	byde.exe
PID 788 wrote to memory of 1792	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	byde.exe
PID 788 wrote to memory of 1792	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	byde.exe
PID 788 wrote to memory of 1792	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	byde.exe
PID 1792 wrote to memory of 1112	1792	byde.exe	taskhost.exe
PID 1792 wrote to memory of 1112	1792	byde.exe	taskhost.exe
PID 1792 wrote to memory of 1112	1792	byde.exe	taskhost.exe
PID 1792 wrote to memory of 1112	1792	byde.exe	taskhost.exe
PID 1792 wrote to memory of 1112	1792	byde.exe	taskhost.exe
PID 1792 wrote to memory of 1180	1792	byde.exe	Dwm.exe
PID 1792 wrote to memory of 1180	1792	byde.exe	Dwm.exe
PID 1792 wrote to memory of 1180	1792	byde.exe	Dwm.exe
PID 1792 wrote to memory of 1180	1792	byde.exe	Dwm.exe
PID 1792 wrote to memory of 1180	1792	byde.exe	Dwm.exe
PID 1792 wrote to memory of 1220	1792	byde.exe	Explorer.EXE
PID 1792 wrote to memory of 1220	1792	byde.exe	Explorer.EXE
PID 1792 wrote to memory of 1220	1792	byde.exe	Explorer.EXE
PID 1792 wrote to memory of 1220	1792	byde.exe	Explorer.EXE
PID 1792 wrote to memory of 1220	1792	byde.exe	Explorer.EXE
PID 1792 wrote to memory of 788	1792	byde.exe	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
PID 1792 wrote to memory of 788	1792	byde.exe	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
PID 1792 wrote to memory of 788	1792	byde.exe	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
PID 1792 wrote to memory of 788	1792	byde.exe	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
PID 1792 wrote to memory of 788	1792	byde.exe	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 788 wrote to memory of 672	788	60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	byde.exe	DllHost.exe
PID 1792 wrote to memory of 920	1792	byde.exe	DllHost.exe
PID 1792 wrote to memory of 920	1792	byde.exe	DllHost.exe
PID 1792 wrote to memory of 920	1792	byde.exe	DllHost.exe
PID 1792 wrote to memory of 920	1792	byde.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe
"C:\Users\Admin\AppData\Local\Temp\60bf4a37b8b8688b8093b969232ffb34a3918f1dc83e73b3cbed8ef5da03c4d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Roaming\Ysjesu\byde.exe
"C:\Users\Admin\AppData\Roaming\Ysjesu\byde.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpff6b4f8c.bat"
2⤵
- Deletes itself
PID:672

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpff6b4f8c.bat
Filesize
307B

MD5
0edebf7a9ed6607b06d424b17169d135

SHA1
58938696bd43299ecc67386be71f4607edfff84c

SHA256
df17ab4de4df63a70c88f790b0b48108f0441cbf61f6db1aef740428b09784d7

SHA512
46a2b2be3c9ed193becae216c5734a1cd515571486ae9cb49b2ebbd56a54c88bffbc445b5dc9f7c8cc7d3642ba1efaea4cf3e3e4eafb8d8f01fe829cd16a9eee

Download Submit
C:\Users\Admin\AppData\Roaming\Ysjesu\byde.exe
Filesize
330KB

MD5
c6f9da7ba800434fe84418cf4716a932

SHA1
7cf9ddaa4733cde8b23b1856ff8030b9777764d4

SHA256
90dd2df8d8d8d35df9d59e8aef9016ea5a4aa20d1aa49e5efb36b522484db72b

SHA512
7aae1659fa56d877cb8b2b7759721b2fbec56099d42757ebf5cedf5bd53df182841d64e830f8fc63e2823ff4233d9a04f6356abfa651f059e5147e7b21115a13

Download Submit
C:\Users\Admin\AppData\Roaming\Ysjesu\byde.exe
Filesize
330KB

MD5
c6f9da7ba800434fe84418cf4716a932

SHA1
7cf9ddaa4733cde8b23b1856ff8030b9777764d4

SHA256
90dd2df8d8d8d35df9d59e8aef9016ea5a4aa20d1aa49e5efb36b522484db72b

SHA512
7aae1659fa56d877cb8b2b7759721b2fbec56099d42757ebf5cedf5bd53df182841d64e830f8fc63e2823ff4233d9a04f6356abfa651f059e5147e7b21115a13

Download Submit
\Users\Admin\AppData\Roaming\Ysjesu\byde.exe
Filesize
330KB

MD5
c6f9da7ba800434fe84418cf4716a932

SHA1
7cf9ddaa4733cde8b23b1856ff8030b9777764d4

SHA256
90dd2df8d8d8d35df9d59e8aef9016ea5a4aa20d1aa49e5efb36b522484db72b

SHA512
7aae1659fa56d877cb8b2b7759721b2fbec56099d42757ebf5cedf5bd53df182841d64e830f8fc63e2823ff4233d9a04f6356abfa651f059e5147e7b21115a13

Download Submit
\Users\Admin\AppData\Roaming\Ysjesu\byde.exe
Filesize
330KB

MD5
c6f9da7ba800434fe84418cf4716a932

SHA1
7cf9ddaa4733cde8b23b1856ff8030b9777764d4

SHA256
90dd2df8d8d8d35df9d59e8aef9016ea5a4aa20d1aa49e5efb36b522484db72b

SHA512
7aae1659fa56d877cb8b2b7759721b2fbec56099d42757ebf5cedf5bd53df182841d64e830f8fc63e2823ff4233d9a04f6356abfa651f059e5147e7b21115a13

Download Submit
memory/672-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/672-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/672-101-0x00000000000671E6-mapping.dmp

Download
memory/672-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/672-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/672-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/788-84-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/788-86-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/788-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-103-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/788-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/788-88-0x0000000000370000-0x00000000003C6000-memory.dmp

Filesize
344KB

Download
memory/788-93-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download
memory/788-87-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/788-83-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/788-54-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download
memory/788-85-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/920-112-0x0000000001B20000-0x0000000001B64000-memory.dmp

Filesize
272KB

Download
memory/920-111-0x0000000001B20000-0x0000000001B64000-memory.dmp

Filesize
272KB

Download
memory/920-109-0x0000000001B20000-0x0000000001B64000-memory.dmp

Filesize
272KB

Download
memory/920-110-0x0000000001B20000-0x0000000001B64000-memory.dmp

Filesize
272KB

Download
memory/1112-66-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1112-68-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1112-67-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1112-65-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1112-63-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1180-74-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1180-73-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1180-72-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1180-71-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1220-80-0x0000000002A60000-0x0000000002AA4000-memory.dmp

Filesize
272KB

Download
memory/1220-79-0x0000000002A60000-0x0000000002AA4000-memory.dmp

Filesize
272KB

Download
memory/1220-78-0x0000000002A60000-0x0000000002AA4000-memory.dmp

Filesize
272KB

Download
memory/1220-77-0x0000000002A60000-0x0000000002AA4000-memory.dmp

Filesize
272KB

Download
memory/1792-90-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1792-59-0x0000000000000000-mapping.dmp

Download
memory/1792-92-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-91-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/1792-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads