b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503

General

Target

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
Size

297KB
MD5

712e683132506cde8d540aef47545f6b
SHA1

efcf14d90f8e5139bc8c887c0c9331b94fbe22e7
SHA256

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503
SHA512

40326621efcbf2492abea5edd5246ddb864c052ac4ecab64891ac05fdb174c3761eaee20593295bc89cb853e5c8bb9285a6e068f6c5f8d0ca3f9f00cedf87c42
SSDEEP

6144:1YeH4vkamjPcJmd02LpRyFk+vbSn56cTse0pADsOjqu:1YeH4PmSsjLpRX+GZ0Mheu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

izanob.exe

pid process

1368 izanob.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1228 cmd.exe

pid	process
1228	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe

pid	process
1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

izanob.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	izanob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izanob = "C:\\Users\\Admin\\AppData\\Roaming\\Syzo\\izanob.exe"	izanob.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe

description	pid	process	target process
PID 1244 set thread context of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

izanob.exe

pid	process
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe
1368	izanob.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exeizanob.exe

description	pid	process	target process
PID 1244 wrote to memory of 1368	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	izanob.exe
PID 1244 wrote to memory of 1368	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	izanob.exe
PID 1244 wrote to memory of 1368	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	izanob.exe
PID 1244 wrote to memory of 1368	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	izanob.exe
PID 1368 wrote to memory of 1156	1368	izanob.exe	taskhost.exe
PID 1368 wrote to memory of 1156	1368	izanob.exe	taskhost.exe
PID 1368 wrote to memory of 1156	1368	izanob.exe	taskhost.exe
PID 1368 wrote to memory of 1156	1368	izanob.exe	taskhost.exe
PID 1368 wrote to memory of 1156	1368	izanob.exe	taskhost.exe
PID 1368 wrote to memory of 1236	1368	izanob.exe	Dwm.exe
PID 1368 wrote to memory of 1236	1368	izanob.exe	Dwm.exe
PID 1368 wrote to memory of 1236	1368	izanob.exe	Dwm.exe
PID 1368 wrote to memory of 1236	1368	izanob.exe	Dwm.exe
PID 1368 wrote to memory of 1236	1368	izanob.exe	Dwm.exe
PID 1368 wrote to memory of 1272	1368	izanob.exe	Explorer.EXE
PID 1368 wrote to memory of 1272	1368	izanob.exe	Explorer.EXE
PID 1368 wrote to memory of 1272	1368	izanob.exe	Explorer.EXE
PID 1368 wrote to memory of 1272	1368	izanob.exe	Explorer.EXE
PID 1368 wrote to memory of 1272	1368	izanob.exe	Explorer.EXE
PID 1368 wrote to memory of 1244	1368	izanob.exe	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
PID 1368 wrote to memory of 1244	1368	izanob.exe	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
PID 1368 wrote to memory of 1244	1368	izanob.exe	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
PID 1368 wrote to memory of 1244	1368	izanob.exe	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
PID 1368 wrote to memory of 1244	1368	izanob.exe	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1244 wrote to memory of 1228	1244	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe
PID 1368 wrote to memory of 1952	1368	izanob.exe	conhost.exe
PID 1368 wrote to memory of 1952	1368	izanob.exe	conhost.exe
PID 1368 wrote to memory of 1952	1368	izanob.exe	conhost.exe
PID 1368 wrote to memory of 1952	1368	izanob.exe	conhost.exe
PID 1368 wrote to memory of 1952	1368	izanob.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
"C:\Users\Admin\AppData\Local\Temp\b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Roaming\Syzo\izanob.exe
"C:\Users\Admin\AppData\Roaming\Syzo\izanob.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\KNQD2B6.bat"
3⤵
- Deletes itself
PID:1228

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1753579364-1329706934861461990-15378150192077980647-1222295059-9895648401793765482"
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KNQD2B6.bat
Filesize
303B

MD5
bc5c8db69d4229ceb7c715e21fa5645a

SHA1
badb64221c6907d1d59199d0c736717dc41e290e

SHA256
ab0188b145784dfa9da317a37bf15538c5c7a2e1b54760e8b2e4a00b4d6fea77

SHA512
48570506e0330f6517a6518387b94320bee8293b4a17bde9dae299e5c7fcf26bce40660aa068c9e2b24f6c1f6d491da30010e2aa2f1c57464365b5e82f2305af

Download Submit
C:\Users\Admin\AppData\Roaming\Syzo\izanob.exe
Filesize
297KB

MD5
878d38f9829102609aa8f36d594964bc

SHA1
2eb0cd6928572ce8227990c058ade4373645b394

SHA256
a39f72650780087de25ecf280a503f29c0653fa6a52c463e37e64d6a5a69ae9f

SHA512
f51a002d52838c75a4490ee66ea89ccb66d339d918d44f79e870cb7ccd20e0d507c4d936c8d381529dcc137e64ce6eece79e86354e960fdae1fd0dbfdcfbf30d

Download Submit
C:\Users\Admin\AppData\Roaming\Syzo\izanob.exe
Filesize
297KB

MD5
878d38f9829102609aa8f36d594964bc

SHA1
2eb0cd6928572ce8227990c058ade4373645b394

SHA256
a39f72650780087de25ecf280a503f29c0653fa6a52c463e37e64d6a5a69ae9f

SHA512
f51a002d52838c75a4490ee66ea89ccb66d339d918d44f79e870cb7ccd20e0d507c4d936c8d381529dcc137e64ce6eece79e86354e960fdae1fd0dbfdcfbf30d

Download Submit
\Users\Admin\AppData\Roaming\Syzo\izanob.exe
Filesize
297KB

MD5
878d38f9829102609aa8f36d594964bc

SHA1
2eb0cd6928572ce8227990c058ade4373645b394

SHA256
a39f72650780087de25ecf280a503f29c0653fa6a52c463e37e64d6a5a69ae9f

SHA512
f51a002d52838c75a4490ee66ea89ccb66d339d918d44f79e870cb7ccd20e0d507c4d936c8d381529dcc137e64ce6eece79e86354e960fdae1fd0dbfdcfbf30d

Download Submit
\Users\Admin\AppData\Roaming\Syzo\izanob.exe
Filesize
297KB

MD5
878d38f9829102609aa8f36d594964bc

SHA1
2eb0cd6928572ce8227990c058ade4373645b394

SHA256
a39f72650780087de25ecf280a503f29c0653fa6a52c463e37e64d6a5a69ae9f

SHA512
f51a002d52838c75a4490ee66ea89ccb66d339d918d44f79e870cb7ccd20e0d507c4d936c8d381529dcc137e64ce6eece79e86354e960fdae1fd0dbfdcfbf30d

Download Submit
memory/1156-67-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1156-70-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1156-68-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1156-69-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1156-65-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1228-102-0x0000000000200000-0x0000000000249000-memory.dmp

Filesize
292KB

Download
memory/1228-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-112-0x0000000000200000-0x0000000000249000-memory.dmp

Filesize
292KB

Download
memory/1228-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-100-0x0000000000200000-0x0000000000249000-memory.dmp

Filesize
292KB

Download
memory/1228-101-0x0000000000200000-0x0000000000249000-memory.dmp

Filesize
292KB

Download
memory/1228-103-0x0000000000233B6A-mapping.dmp

Download
memory/1228-98-0x0000000000200000-0x0000000000249000-memory.dmp

Filesize
292KB

Download
memory/1228-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1228-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1236-76-0x00000000002D0000-0x0000000000319000-memory.dmp

Filesize
292KB

Download
memory/1236-75-0x00000000002D0000-0x0000000000319000-memory.dmp

Filesize
292KB

Download
memory/1236-74-0x00000000002D0000-0x0000000000319000-memory.dmp

Filesize
292KB

Download
memory/1236-73-0x00000000002D0000-0x0000000000319000-memory.dmp

Filesize
292KB

Download
memory/1244-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-86-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1244-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1244-95-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1244-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-88-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1244-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1244-87-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1244-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1244-85-0x00000000025B0000-0x00000000025F9000-memory.dmp

Filesize
292KB

Download
memory/1244-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1272-81-0x0000000002A50000-0x0000000002A99000-memory.dmp

Filesize
292KB

Download
memory/1272-80-0x0000000002A50000-0x0000000002A99000-memory.dmp

Filesize
292KB

Download
memory/1272-79-0x0000000002A50000-0x0000000002A99000-memory.dmp

Filesize
292KB

Download
memory/1272-82-0x0000000002A50000-0x0000000002A99000-memory.dmp

Filesize
292KB

Download
memory/1368-59-0x0000000000000000-mapping.dmp

Download
memory/1368-62-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1952-115-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1952-116-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1952-117-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1952-118-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads