860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751

General

Target

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
Size

1.2MB
MD5

53a07fcd121e32daef642e84c383f7bf
SHA1

7f5b36dcc8d9271ca693f2fc6b3e6cb0cc6aa1af
SHA256

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751
SHA512

543ba5ab9de46fe51c619f57128d40b0c22a0797490767e53dc6e32f59de7787145772d97a582be5d9114359834610edcac470dff599b74477a60b3e0a4fd6ee
SSDEEP

12288:iaxmJzOerLwYUFppGKQI1d5ruBYGdsoM8JyiemecY2pyTpPUJFdV7:iUmljvwH7Hb5q2zoM2yi/ecY3SXn7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

biyxa.exebiyxa.exe

pid process

4116 biyxa.exe
4344 biyxa.exe

pid	process
4116	biyxa.exe
4344	biyxa.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

biyxa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	biyxa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	biyxa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riurvab = "C:\\Users\\Admin\\AppData\\Roaming\\Yrbo\\biyxa.exe"	biyxa.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exebiyxa.exe

description	pid	process	target process
PID 2300 set thread context of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 4116 set thread context of 4344	4116	biyxa.exe	biyxa.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

biyxa.exe

pid	process
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe
4344	biyxa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe

description	pid	process
Token: SeSecurityPrivilege	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
Token: SeSecurityPrivilege	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exebiyxa.exe

pid process

2300 860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
4116 biyxa.exe

pid	process
2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
4116	biyxa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exebiyxa.exebiyxa.exe

description	pid	process	target process
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 2300 wrote to memory of 4356	2300	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
PID 4356 wrote to memory of 4116	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	biyxa.exe
PID 4356 wrote to memory of 4116	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	biyxa.exe
PID 4356 wrote to memory of 4116	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4116 wrote to memory of 4344	4116	biyxa.exe	biyxa.exe
PID 4356 wrote to memory of 2472	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	cmd.exe
PID 4356 wrote to memory of 2472	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	cmd.exe
PID 4356 wrote to memory of 2472	4356	860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe	cmd.exe
PID 4344 wrote to memory of 2340	4344	biyxa.exe	sihost.exe
PID 4344 wrote to memory of 2340	4344	biyxa.exe	sihost.exe
PID 4344 wrote to memory of 2340	4344	biyxa.exe	sihost.exe
PID 4344 wrote to memory of 2340	4344	biyxa.exe	sihost.exe
PID 4344 wrote to memory of 2340	4344	biyxa.exe	sihost.exe
PID 4344 wrote to memory of 2356	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 2356	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 2356	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 2356	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 2356	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 2496	4344	biyxa.exe	taskhostw.exe
PID 4344 wrote to memory of 2496	4344	biyxa.exe	taskhostw.exe
PID 4344 wrote to memory of 2496	4344	biyxa.exe	taskhostw.exe
PID 4344 wrote to memory of 2496	4344	biyxa.exe	taskhostw.exe
PID 4344 wrote to memory of 2496	4344	biyxa.exe	taskhostw.exe
PID 4344 wrote to memory of 2940	4344	biyxa.exe	Explorer.EXE
PID 4344 wrote to memory of 2940	4344	biyxa.exe	Explorer.EXE
PID 4344 wrote to memory of 2940	4344	biyxa.exe	Explorer.EXE
PID 4344 wrote to memory of 2940	4344	biyxa.exe	Explorer.EXE
PID 4344 wrote to memory of 2940	4344	biyxa.exe	Explorer.EXE
PID 4344 wrote to memory of 760	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 760	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 760	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 760	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 760	4344	biyxa.exe	svchost.exe
PID 4344 wrote to memory of 3244	4344	biyxa.exe	DllHost.exe
PID 4344 wrote to memory of 3244	4344	biyxa.exe	DllHost.exe
PID 4344 wrote to memory of 3244	4344	biyxa.exe	DllHost.exe
PID 4344 wrote to memory of 3244	4344	biyxa.exe	DllHost.exe
PID 4344 wrote to memory of 3244	4344	biyxa.exe	DllHost.exe
PID 4344 wrote to memory of 3332	4344	biyxa.exe	StartMenuExperienceHost.exe
PID 4344 wrote to memory of 3332	4344	biyxa.exe	StartMenuExperienceHost.exe
PID 4344 wrote to memory of 3332	4344	biyxa.exe	StartMenuExperienceHost.exe
PID 4344 wrote to memory of 3332	4344	biyxa.exe	StartMenuExperienceHost.exe
PID 4344 wrote to memory of 3332	4344	biyxa.exe	StartMenuExperienceHost.exe
PID 4344 wrote to memory of 3396	4344	biyxa.exe	RuntimeBroker.exe
PID 4344 wrote to memory of 3396	4344	biyxa.exe	RuntimeBroker.exe
PID 4344 wrote to memory of 3396	4344	biyxa.exe	RuntimeBroker.exe
PID 4344 wrote to memory of 3396	4344	biyxa.exe	RuntimeBroker.exe
PID 4344 wrote to memory of 3396	4344	biyxa.exe	RuntimeBroker.exe
PID 4344 wrote to memory of 3496	4344	biyxa.exe	SearchApp.exe
PID 4344 wrote to memory of 3496	4344	biyxa.exe	SearchApp.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
"C:\Users\Admin\AppData\Local\Temp\860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe
"C:\Users\Admin\AppData\Local\Temp\860753698777c8ea193d95d92ce3d3e6f8572a69dca9295005047f2b1d168751.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe
"C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe
"C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp757ada43.bat"
4⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1564

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp757ada43.bat

Filesize
307B

MD5
1b4df178914b138d1d2413be19796566

SHA1
b67d3c3377b9c4c1a6d6b3a410e4f04d72097f33

SHA256
b8b0dc09ff4f5ec0a6bf2c5d16dd2396f17eb6a7336cacfc36e182682193f62f

SHA512
86ebd4eea4e5dcbd18c8432d92f291c07f13a6ac68528147b91891e6ec7f4342927d3ab8e901f2e09a1dc5b742927c7e135778861f9b2bf7acd1e8a1e442191c

Download Submit
C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe

Filesize
1.2MB

MD5
1799c67d0313487d342de3758965118e

SHA1
b2962c096db1535ead3db3ba013457723486ab26

SHA256
546460156bc5192ff6bf441d61f3eec1f2647767292a7f0d0b478748c5f0459c

SHA512
8071fd91de41f470d109bf58532757fc220621cc04076b1461914301cd93ed97296410bef52daab8b63e617d6fd2dc73d2dc6af19b24ac1eb912bd4ac782b54b

Download Submit
C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe

Filesize
1.2MB

MD5
1799c67d0313487d342de3758965118e

SHA1
b2962c096db1535ead3db3ba013457723486ab26

SHA256
546460156bc5192ff6bf441d61f3eec1f2647767292a7f0d0b478748c5f0459c

SHA512
8071fd91de41f470d109bf58532757fc220621cc04076b1461914301cd93ed97296410bef52daab8b63e617d6fd2dc73d2dc6af19b24ac1eb912bd4ac782b54b

Download Submit
C:\Users\Admin\AppData\Roaming\Yrbo\biyxa.exe

Filesize
1.2MB

MD5
1799c67d0313487d342de3758965118e

SHA1
b2962c096db1535ead3db3ba013457723486ab26

SHA256
546460156bc5192ff6bf441d61f3eec1f2647767292a7f0d0b478748c5f0459c

SHA512
8071fd91de41f470d109bf58532757fc220621cc04076b1461914301cd93ed97296410bef52daab8b63e617d6fd2dc73d2dc6af19b24ac1eb912bd4ac782b54b

Download Submit
memory/2300-135-0x00000000007A6000-0x00000000007AB000-memory.dmp

Filesize
20KB

Download
memory/2300-134-0x00000000007A6000-0x00000000007AB000-memory.dmp

Filesize
20KB

Download
memory/2472-155-0x0000000000910000-0x000000000094B000-memory.dmp

Filesize
236KB

Download
memory/2472-152-0x0000000000000000-mapping.dmp

Download
memory/4116-140-0x0000000000000000-mapping.dmp

Download
memory/4116-146-0x00000000006C5000-0x00000000006CA000-memory.dmp

Filesize
20KB

Download
memory/4116-147-0x00000000006C5000-0x00000000006CA000-memory.dmp

Filesize
20KB

Download
memory/4344-148-0x0000000000000000-mapping.dmp

Download
memory/4344-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads