88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a

General

Target

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
Size

314KB
MD5

88cec7ee32c69ec345641457b99fa642
SHA1

2319981e0ddcd42473b66e8140b4da21bf174de5
SHA256

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a
SHA512

7994f1042a8d0c2eab589cff94ca6429dddcae73d4b8d6118f172175e329b6af6bdf7ee6be077873099a1021b84e73d0c8182ec757997974a2191e8de89afb27
SSDEEP

6144:ljGfV+EP4+FT+U0jLL/RmRxjuJHXI0u0+4c3+L:1GfV+U+U0jP5mRxCHX6T3K

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

inyzp.exeinyzp.exe

pid process

3160 inyzp.exe
3328 inyzp.exe

pid	process
3160	inyzp.exe
3328	inyzp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exeinyzp.exe

description	pid	process	target process
PID 4572 set thread context of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 3160 set thread context of 3328	3160	inyzp.exe	inyzp.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exeinyzp.exeinyzp.exe

pid	process
4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
3160	inyzp.exe
3160	inyzp.exe
3160	inyzp.exe
3160	inyzp.exe
3328	inyzp.exe
3328	inyzp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

inyzp.exe

pid process

3328 inyzp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe

description pid process

Token: SeSecurityPrivilege 3728 88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe

pid	process
3328	inyzp.exe

description	pid	process
Token: SeSecurityPrivilege	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exeinyzp.exeinyzp.exe

description	pid	process	target process
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 4572 wrote to memory of 3728	4572	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 3728 wrote to memory of 3160	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	inyzp.exe
PID 3728 wrote to memory of 3160	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	inyzp.exe
PID 3728 wrote to memory of 3160	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3160 wrote to memory of 3328	3160	inyzp.exe	inyzp.exe
PID 3728 wrote to memory of 4308	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 3728 wrote to memory of 4308	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 3728 wrote to memory of 4308	3728	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 3328 wrote to memory of 2496	3328	inyzp.exe	explorer.exe
PID 3328 wrote to memory of 2496	3328	inyzp.exe	explorer.exe
PID 3328 wrote to memory of 2496	3328	inyzp.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
"C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
"C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\ProgramData\Ryasev\inyzp.exe
"C:\ProgramData\Ryasev\inyzp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\ProgramData\Ryasev\inyzp.exe
"C:\ProgramData\Ryasev\inyzp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0816dcec.bat"
3⤵
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ryasev\inyzp.exe

Filesize
314KB

MD5
cca22532947c17d46cc9157ed5caf5b2

SHA1
5c0bab463e6c2572b27b92be712bf56e21ea88d4

SHA256
c07b6fb13a4878a245b7609fda6ba272f3ef5c903518e0838af8cb0ec9b34e1a

SHA512
2e1738d13bea9cff28ad6d6cab8cd763e0906ca74f45ade6a22f3560e74bba56b2b9746ab8ecbf37e3b273d7ed1e03111bb8d8f1e0ae06e94c48e4d3038042c2

Download Submit
C:\ProgramData\Ryasev\inyzp.exe

Filesize
314KB

MD5
cca22532947c17d46cc9157ed5caf5b2

SHA1
5c0bab463e6c2572b27b92be712bf56e21ea88d4

SHA256
c07b6fb13a4878a245b7609fda6ba272f3ef5c903518e0838af8cb0ec9b34e1a

SHA512
2e1738d13bea9cff28ad6d6cab8cd763e0906ca74f45ade6a22f3560e74bba56b2b9746ab8ecbf37e3b273d7ed1e03111bb8d8f1e0ae06e94c48e4d3038042c2

Download Submit
C:\ProgramData\Ryasev\inyzp.exe

Filesize
314KB

MD5
cca22532947c17d46cc9157ed5caf5b2

SHA1
5c0bab463e6c2572b27b92be712bf56e21ea88d4

SHA256
c07b6fb13a4878a245b7609fda6ba272f3ef5c903518e0838af8cb0ec9b34e1a

SHA512
2e1738d13bea9cff28ad6d6cab8cd763e0906ca74f45ade6a22f3560e74bba56b2b9746ab8ecbf37e3b273d7ed1e03111bb8d8f1e0ae06e94c48e4d3038042c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp0816dcec.bat

Filesize
307B

MD5
a8750678c89bfdcd968c388903a923e0

SHA1
1ba4343cf0d492ab152f93a75a87a3310f1d54a7

SHA256
ff4aa7aba9292fa87b056f1228dfbd866e854be2010c34276b376d882533fe56

SHA512
e926e25693f9855fa3591ca75b653c72b0e280b38402e0c4d19e8a9532c46057b25775b456e6c037a3a22ba55bb6d1a9b076823a423d9c08ddae24f2e91fc44f

Download Submit
memory/2496-151-0x0000000000000000-mapping.dmp

Download
memory/2496-155-0x0000000000F70000-0x0000000000F9D000-memory.dmp

Filesize
180KB

Download
memory/3160-141-0x0000000000000000-mapping.dmp

Download
memory/3328-144-0x0000000000000000-mapping.dmp

Download
memory/3328-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3328-154-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-140-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3728-133-0x0000000000000000-mapping.dmp

Download
memory/3728-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4308-150-0x0000000000000000-mapping.dmp

Download
memory/4572-132-0x00000000008D0000-0x00000000008EC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads