7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04

General

Target

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
Size

278KB
MD5

4eed0b3a6f50357026d5aea58dd59391
SHA1

ebd88e5f0be0033c49b6105272864469535cc459
SHA256

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04
SHA512

76f84fe95e1e2a67e0739f609db235fa5894efb9ea06c4cf0905955b21fbee7fc612061e117323433b65bc7b268f9b0cfae316eef36eb771cf60e1ba3791c032
SSDEEP

6144:ZYk7R3xF3BEuTP0PvdA8r1erABpxEJPlLsiJEwpClkSm4krOLS:ZYeB0uT8Hq6erABvuPl5GRkkS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

alyr.exe

pid process

1952 alyr.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

520 cmd.exe

pid	process
520	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

pid	process
1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

alyr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	alyr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Wouhl\\alyr.exe"	alyr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

description pid process target process

PID 1976 set thread context of 520 1976 7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe cmd.exe

description	pid	process	target process
PID 1976 set thread context of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

alyr.exe

pid	process
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe
1952	alyr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

description	pid	process
Token: SeSecurityPrivilege	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
Token: SeSecurityPrivilege	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
Token: SeSecurityPrivilege	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exealyr.exe

pid process

1976 7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
1952 alyr.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exealyr.exe

description	pid	process	target process
PID 1976 wrote to memory of 1952	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	alyr.exe
PID 1976 wrote to memory of 1952	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	alyr.exe
PID 1976 wrote to memory of 1952	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	alyr.exe
PID 1976 wrote to memory of 1952	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	alyr.exe
PID 1952 wrote to memory of 1124	1952	alyr.exe	taskhost.exe
PID 1952 wrote to memory of 1124	1952	alyr.exe	taskhost.exe
PID 1952 wrote to memory of 1124	1952	alyr.exe	taskhost.exe
PID 1952 wrote to memory of 1124	1952	alyr.exe	taskhost.exe
PID 1952 wrote to memory of 1124	1952	alyr.exe	taskhost.exe
PID 1952 wrote to memory of 1168	1952	alyr.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	alyr.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	alyr.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	alyr.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	alyr.exe	Dwm.exe
PID 1952 wrote to memory of 1232	1952	alyr.exe	Explorer.EXE
PID 1952 wrote to memory of 1232	1952	alyr.exe	Explorer.EXE
PID 1952 wrote to memory of 1232	1952	alyr.exe	Explorer.EXE
PID 1952 wrote to memory of 1232	1952	alyr.exe	Explorer.EXE
PID 1952 wrote to memory of 1232	1952	alyr.exe	Explorer.EXE
PID 1952 wrote to memory of 1976	1952	alyr.exe	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
PID 1952 wrote to memory of 1976	1952	alyr.exe	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
PID 1952 wrote to memory of 1976	1952	alyr.exe	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
PID 1952 wrote to memory of 1976	1952	alyr.exe	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
PID 1952 wrote to memory of 1976	1952	alyr.exe	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe
PID 1976 wrote to memory of 520	1976	7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe
"C:\Users\Admin\AppData\Local\Temp\7b76c17c1e6a9fabe541335c809bf31c9b9c657c07691a2104ecd53e8a413f04.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Wouhl\alyr.exe
"C:\Users\Admin\AppData\Roaming\Wouhl\alyr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp08ce6a1a.bat"
3⤵
- Deletes itself
PID:520

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp08ce6a1a.bat

Filesize
307B

MD5
e53c36e99074f8b197230078992b539a

SHA1
d6d179a5485f82070db1d06e07bd8b90787a64d2

SHA256
c011385526ad9f98b7701cc405e364a92b3fb6d9bf4c43d27bb479b9d9112075

SHA512
14d0ba75c471a806a24fa2c46cf8bc8370c3d83bfd4778903f4ae980920774ea705ee21cba3c8ad3143bc7c07b2c047e7147a7c082e71f6e5fb0a15cbf8a161e

Download Submit
C:\Users\Admin\AppData\Roaming\Wouhl\alyr.exe

Filesize
278KB

MD5
63866df24f1a986468ec0854c37415de

SHA1
e5c54b0998f65544c4ce6cccd2d61ae4d0464bb1

SHA256
5a962169d14b800f8adb5be2478a1bed4d17dfe6a9b33c8e1daa424a5f5bf25e

SHA512
d984c7fc4f3b2dc3cab94d3b7a3e2d69cbf0768c97db71f0c38d37cc215d1bafd9efba3ad6f21f71ea069c92862e560c904b6394b57de17606c81b405263d376

Download Submit
C:\Users\Admin\AppData\Roaming\Wouhl\alyr.exe

Filesize
278KB

MD5
63866df24f1a986468ec0854c37415de

SHA1
e5c54b0998f65544c4ce6cccd2d61ae4d0464bb1

SHA256
5a962169d14b800f8adb5be2478a1bed4d17dfe6a9b33c8e1daa424a5f5bf25e

SHA512
d984c7fc4f3b2dc3cab94d3b7a3e2d69cbf0768c97db71f0c38d37cc215d1bafd9efba3ad6f21f71ea069c92862e560c904b6394b57de17606c81b405263d376

Download Submit
C:\Users\Admin\AppData\Roaming\Xeuvu\acaxm.azx

Filesize
398B

MD5
d8aab75e91759416a2daf93bd8b4d438

SHA1
530591df9cf07135efc852fdcefe6d52b3bc241b

SHA256
42dcd999e5b535655b757e2b5fab3b4f24b6c50787f00cf8e95d1b41de8f5b57

SHA512
8e10be3d92ce50aa96678a006fbb774708439b0054670cc2249f6c2e656a507a16f244f559e1c39a2b96c55c0f9c214d0048668347a09b3e3c187d63c74e4b98

Download Submit
\Users\Admin\AppData\Roaming\Wouhl\alyr.exe

Filesize
278KB

MD5
63866df24f1a986468ec0854c37415de

SHA1
e5c54b0998f65544c4ce6cccd2d61ae4d0464bb1

SHA256
5a962169d14b800f8adb5be2478a1bed4d17dfe6a9b33c8e1daa424a5f5bf25e

SHA512
d984c7fc4f3b2dc3cab94d3b7a3e2d69cbf0768c97db71f0c38d37cc215d1bafd9efba3ad6f21f71ea069c92862e560c904b6394b57de17606c81b405263d376

Download Submit
\Users\Admin\AppData\Roaming\Wouhl\alyr.exe

Filesize
278KB

MD5
63866df24f1a986468ec0854c37415de

SHA1
e5c54b0998f65544c4ce6cccd2d61ae4d0464bb1

SHA256
5a962169d14b800f8adb5be2478a1bed4d17dfe6a9b33c8e1daa424a5f5bf25e

SHA512
d984c7fc4f3b2dc3cab94d3b7a3e2d69cbf0768c97db71f0c38d37cc215d1bafd9efba3ad6f21f71ea069c92862e560c904b6394b57de17606c81b405263d376

Download Submit
memory/520-99-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/520-106-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/520-101-0x00000000000720A5-mapping.dmp

Download
memory/520-96-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/520-100-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/520-98-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/1124-66-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1124-68-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1124-67-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1124-65-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1124-63-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1168-72-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1168-76-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1168-74-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1168-78-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1232-83-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1232-86-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1232-85-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1232-84-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1952-81-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1952-59-0x0000000000000000-mapping.dmp

Download
memory/1952-77-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1952-79-0x00000000004C0000-0x000000000050A000-memory.dmp

Filesize
296KB

Download
memory/1976-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1976-90-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1976-92-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1976-91-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1976-75-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1976-73-0x0000000000380000-0x00000000003CA000-memory.dmp

Filesize
296KB

Download
memory/1976-71-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/1976-89-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1976-103-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1976-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads