b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503

General

Target

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
Size

297KB
MD5

712e683132506cde8d540aef47545f6b
SHA1

efcf14d90f8e5139bc8c887c0c9331b94fbe22e7
SHA256

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503
SHA512

40326621efcbf2492abea5edd5246ddb864c052ac4ecab64891ac05fdb174c3761eaee20593295bc89cb853e5c8bb9285a6e068f6c5f8d0ca3f9f00cedf87c42
SSDEEP

6144:1YeH4vkamjPcJmd02LpRyFk+vbSn56cTse0pADsOjqu:1YeH4PmSsjLpRX+GZ0Mheu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vulyp.exe

pid process

3376 vulyp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vulyp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	vulyp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vulyp = "C:\\Users\\Admin\\AppData\\Roaming\\Ekdoy\\vulyp.exe"	vulyp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe

description	pid	process	target process
PID 4704 set thread context of 4404	4704	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

vulyp.exe

pid	process
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe
3376	vulyp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exevulyp.exe

description	pid	process	target process
PID 4704 wrote to memory of 3376	4704	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	vulyp.exe
PID 4704 wrote to memory of 3376	4704	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	vulyp.exe
PID 4704 wrote to memory of 3376	4704	b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe	vulyp.exe
PID 3376 wrote to memory of 2432	3376	vulyp.exe	sihost.exe
PID 3376 wrote to memory of 2432	3376	vulyp.exe	sihost.exe
PID 3376 wrote to memory of 2432	3376	vulyp.exe	sihost.exe
PID 3376 wrote to memory of 2432	3376	vulyp.exe	sihost.exe
PID 3376 wrote to memory of 2432	3376	vulyp.exe	sihost.exe
PID 3376 wrote to memory of 2488	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2488	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2488	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2488	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2488	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2756	3376	vulyp.exe	taskhostw.exe
PID 3376 wrote to memory of 2756	3376	vulyp.exe	taskhostw.exe
PID 3376 wrote to memory of 2756	3376	vulyp.exe	taskhostw.exe
PID 3376 wrote to memory of 2756	3376	vulyp.exe	taskhostw.exe
PID 3376 wrote to memory of 2756	3376	vulyp.exe	taskhostw.exe
PID 3376 wrote to memory of 2380	3376	vulyp.exe	Explorer.EXE
PID 3376 wrote to memory of 2380	3376	vulyp.exe	Explorer.EXE
PID 3376 wrote to memory of 2380	3376	vulyp.exe	Explorer.EXE
PID 3376 wrote to memory of 2380	3376	vulyp.exe	Explorer.EXE
PID 3376 wrote to memory of 2380	3376	vulyp.exe	Explorer.EXE
PID 3376 wrote to memory of 2020	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2020	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2020	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2020	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 2020	3376	vulyp.exe	svchost.exe
PID 3376 wrote to memory of 3252	3376	vulyp.exe	DllHost.exe
PID 3376 wrote to memory of 3252	3376	vulyp.exe	DllHost.exe
PID 3376 wrote to memory of 3252	3376	vulyp.exe	DllHost.exe
PID 3376 wrote to memory of 3252	3376	vulyp.exe	DllHost.exe
PID 3376 wrote to memory of 3252	3376	vulyp.exe	DllHost.exe
PID 3376 wrote to memory of 3356	3376	vulyp.exe	StartMenuExperienceHost.exe
PID 3376 wrote to memory of 3356	3376	vulyp.exe	StartMenuExperienceHost.exe
PID 3376 wrote to memory of 3356	3376	vulyp.exe	StartMenuExperienceHost.exe
PID 3376 wrote to memory of 3356	3376	vulyp.exe	StartMenuExperienceHost.exe
PID 3376 wrote to memory of 3356	3376	vulyp.exe	StartMenuExperienceHost.exe
PID 3376 wrote to memory of 3420	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3420	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3420	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3420	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3420	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3500	3376	vulyp.exe	SearchApp.exe
PID 3376 wrote to memory of 3500	3376	vulyp.exe	SearchApp.exe
PID 3376 wrote to memory of 3500	3376	vulyp.exe	SearchApp.exe
PID 3376 wrote to memory of 3500	3376	vulyp.exe	SearchApp.exe
PID 3376 wrote to memory of 3500	3376	vulyp.exe	SearchApp.exe
PID 3376 wrote to memory of 3660	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3660	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3660	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3660	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3660	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3932	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3932	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3932	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3932	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3932	3376	vulyp.exe	RuntimeBroker.exe
PID 3376 wrote to memory of 3040	3376	vulyp.exe	backgroundTaskHost.exe
PID 3376 wrote to memory of 3040	3376	vulyp.exe	backgroundTaskHost.exe
PID 3376 wrote to memory of 3040	3376	vulyp.exe	backgroundTaskHost.exe
PID 3376 wrote to memory of 3040	3376	vulyp.exe	backgroundTaskHost.exe
PID 3376 wrote to memory of 3040	3376	vulyp.exe	backgroundTaskHost.exe
PID 3376 wrote to memory of 4368	3376	vulyp.exe	backgroundTaskHost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe
"C:\Users\Admin\AppData\Local\Temp\b7165eeb944a86fcfc89897e75bd6223cb308266d9d7fc08ba26400d217a3503.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Roaming\Ekdoy\vulyp.exe
"C:\Users\Admin\AppData\Roaming\Ekdoy\vulyp.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\YSTD3B9.bat"
3⤵
PID:4404

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4368

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2488

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4100

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1980

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YSTD3B9.bat
Filesize
303B

MD5
f97e8051ac7e5db86dc570937c3db39a

SHA1
d297583b03eaae171883428c4fb27232662543c8

SHA256
2b21da7b8360be17f023be30d7d7c5d04a842c7e3c4422b88dca485a79f33b99

SHA512
92c3885a024c1bd8c8bba5e6e1445c9a75ea1cbebfbcba179003e88086addc7af3663dbe1c60eafcda2d7aee8ed4fa6d7ce1c11a22e0281519519e68f072aca0

Download Submit
C:\Users\Admin\AppData\Roaming\Ekdoy\vulyp.exe
Filesize
297KB

MD5
1c3ef8380db34858fa6b97b1e9c0f4e1

SHA1
e7bfef6e7bb1214428faee29edb4e9f1388e1953

SHA256
60a83a470b65d3a3bd86da3cdc08ec1bfc740913e2e6171e47ab22cda89bab67

SHA512
c30b2b5867d87ed1197519094b062deb5e7459dfd50f69b3aa740caeec2e1dcc2f7c990fa327fd9ffbf7332d3e421ca0095053b5b249bea4c4d5958b6c704c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Ekdoy\vulyp.exe
Filesize
297KB

MD5
1c3ef8380db34858fa6b97b1e9c0f4e1

SHA1
e7bfef6e7bb1214428faee29edb4e9f1388e1953

SHA256
60a83a470b65d3a3bd86da3cdc08ec1bfc740913e2e6171e47ab22cda89bab67

SHA512
c30b2b5867d87ed1197519094b062deb5e7459dfd50f69b3aa740caeec2e1dcc2f7c990fa327fd9ffbf7332d3e421ca0095053b5b249bea4c4d5958b6c704c5b

Download Submit
memory/3376-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3376-134-0x0000000000000000-mapping.dmp

Download
memory/4404-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-156-0x0000000001200000-0x0000000001249000-memory.dmp

Filesize
292KB

Download
memory/4404-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4404-146-0x0000000000000000-mapping.dmp

Download
memory/4404-147-0x0000000001200000-0x0000000001249000-memory.dmp

Filesize
292KB

Download
memory/4704-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-145-0x0000000002220000-0x0000000002269000-memory.dmp

Filesize
292KB

Download
memory/4704-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4704-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4704-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads