d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a

General

Target

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
Size

306KB
MD5

f3ebfa7620168235291806a159b573ff
SHA1

3dcd61c8efe9a1e4b9eba69da5e288c3103cfb51
SHA256

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a
SHA512

8f191287944d1afd1148a9039068601a5111b4182ef1379b83139c7617a19a3943b7c924d0a5db63d5caab72c2e0cda8f396c7f686dc83ddd86c128bb2e7dcef
SSDEEP

6144:esAAud4378+l4A4qxy/3wyhu1r4/G3MbCr5X79e/cPszxSg:esAIr7SA48UnFOcS5Xac

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nuygyf.exe

pid process

4752 nuygyf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nuygyf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	nuygyf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nuygyf = "C:\\Users\\Admin\\AppData\\Roaming\\Udoqn\\nuygyf.exe"	nuygyf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

description	pid	process	target process
PID 4744 set thread context of 2632	4744	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

nuygyf.exe

pid	process
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe
4752	nuygyf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exenuygyf.exe

description	pid	process	target process
PID 4744 wrote to memory of 4752	4744	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	nuygyf.exe
PID 4744 wrote to memory of 4752	4744	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	nuygyf.exe
PID 4744 wrote to memory of 4752	4744	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe	nuygyf.exe
PID 4752 wrote to memory of 2408	4752	nuygyf.exe	sihost.exe
PID 4752 wrote to memory of 2408	4752	nuygyf.exe	sihost.exe
PID 4752 wrote to memory of 2408	4752	nuygyf.exe	sihost.exe
PID 4752 wrote to memory of 2408	4752	nuygyf.exe	sihost.exe
PID 4752 wrote to memory of 2408	4752	nuygyf.exe	sihost.exe
PID 4752 wrote to memory of 2452	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 2452	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 2452	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 2452	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 2452	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 2596	4752	nuygyf.exe	taskhostw.exe
PID 4752 wrote to memory of 2596	4752	nuygyf.exe	taskhostw.exe
PID 4752 wrote to memory of 2596	4752	nuygyf.exe	taskhostw.exe
PID 4752 wrote to memory of 2596	4752	nuygyf.exe	taskhostw.exe
PID 4752 wrote to memory of 2596	4752	nuygyf.exe	taskhostw.exe
PID 4752 wrote to memory of 2212	4752	nuygyf.exe	Explorer.EXE
PID 4752 wrote to memory of 2212	4752	nuygyf.exe	Explorer.EXE
PID 4752 wrote to memory of 2212	4752	nuygyf.exe	Explorer.EXE
PID 4752 wrote to memory of 2212	4752	nuygyf.exe	Explorer.EXE
PID 4752 wrote to memory of 2212	4752	nuygyf.exe	Explorer.EXE
PID 4752 wrote to memory of 3084	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 3084	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 3084	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 3084	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 3084	4752	nuygyf.exe	svchost.exe
PID 4752 wrote to memory of 3276	4752	nuygyf.exe	DllHost.exe
PID 4752 wrote to memory of 3276	4752	nuygyf.exe	DllHost.exe
PID 4752 wrote to memory of 3276	4752	nuygyf.exe	DllHost.exe
PID 4752 wrote to memory of 3276	4752	nuygyf.exe	DllHost.exe
PID 4752 wrote to memory of 3276	4752	nuygyf.exe	DllHost.exe
PID 4752 wrote to memory of 3368	4752	nuygyf.exe	StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3368	4752	nuygyf.exe	StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3368	4752	nuygyf.exe	StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3368	4752	nuygyf.exe	StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3368	4752	nuygyf.exe	StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3436	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3436	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3436	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3436	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3436	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3520	4752	nuygyf.exe	SearchApp.exe
PID 4752 wrote to memory of 3520	4752	nuygyf.exe	SearchApp.exe
PID 4752 wrote to memory of 3520	4752	nuygyf.exe	SearchApp.exe
PID 4752 wrote to memory of 3520	4752	nuygyf.exe	SearchApp.exe
PID 4752 wrote to memory of 3520	4752	nuygyf.exe	SearchApp.exe
PID 4752 wrote to memory of 3688	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3688	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3688	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3688	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 3688	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4548	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4548	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4548	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4548	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4548	4752	nuygyf.exe	RuntimeBroker.exe
PID 4752 wrote to memory of 4692	4752	nuygyf.exe	backgroundTaskHost.exe
PID 4752 wrote to memory of 4692	4752	nuygyf.exe	backgroundTaskHost.exe
PID 4752 wrote to memory of 4692	4752	nuygyf.exe	backgroundTaskHost.exe
PID 4752 wrote to memory of 4692	4752	nuygyf.exe	backgroundTaskHost.exe
PID 4752 wrote to memory of 4692	4752	nuygyf.exe	backgroundTaskHost.exe
PID 4752 wrote to memory of 4744	4752	nuygyf.exe	d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
"C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe
"C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PNWA8F4.bat"
3⤵
PID:2632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PNWA8F4.bat

Filesize
303B

MD5
5159013a8c6a41bdad5f4592d8cbe91d

SHA1
6ea5d5c7ed26e64029f2d8f5557bc44d95038189

SHA256
12d2ade27cdfd1d86643e374bd95fc4dfe29c86d6e0ad1cc7f496165a1fccda7

SHA512
ca0b238d753cacc5cc2884cbf2d1257629bfd2b8aff2c053f8c2011e0dead7be6afdfc2d2a4c6c173fd1bdf61eb69ee13cf021730f28a57fce7716cf5380273b

Download Submit
C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe

Filesize
306KB

MD5
6dc8aeac4f607ad86e586c8789cc0e6e

SHA1
2fe19588d5c07b44bf9eec5990e68179481e078d

SHA256
5a0ee1257e5653b65d6f750be16f875eaeeee5264b5680d4975e077612119a8f

SHA512
43f9336bd70b7d4ed783a8b161b3bbd19a49deb77491739faa006d03ae2b8c753c11a2ddd221a3ff97736e09df2a1c4f3a5fd375b3e6c214e77bfc557732c30c

Download Submit
C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe

Filesize
306KB

MD5
6dc8aeac4f607ad86e586c8789cc0e6e

SHA1
2fe19588d5c07b44bf9eec5990e68179481e078d

SHA256
5a0ee1257e5653b65d6f750be16f875eaeeee5264b5680d4975e077612119a8f

SHA512
43f9336bd70b7d4ed783a8b161b3bbd19a49deb77491739faa006d03ae2b8c753c11a2ddd221a3ff97736e09df2a1c4f3a5fd375b3e6c214e77bfc557732c30c

Download Submit
memory/2632-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-146-0x0000000000D20000-0x0000000000D69000-memory.dmp

Filesize
292KB

Download
memory/2632-156-0x0000000000D20000-0x0000000000D69000-memory.dmp

Filesize
292KB

Download
memory/2632-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2632-145-0x0000000000000000-mapping.dmp

Download
memory/4744-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-147-0x0000000002670000-0x00000000026B9000-memory.dmp

Filesize
292KB

Download
memory/4744-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/4744-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4744-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-134-0x0000000000000000-mapping.dmp

Download
memory/4752-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads