76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
Size

292KB
MD5

c3e115ea525f4202ed2e945269d50f38
SHA1

7fcc872227e97394f71163cf52050835287d7e6c
SHA256

76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863
SHA512

f0eb51951f6de6767ce80c782c868738732cb6935e9a3ccf15818a32b2ee436092268f5c18dc1a4e0d93a701e9a7550b65cb3beef7656bf1ac6e728c3fd873f4
SSDEEP

6144:dDXUje2+6SbP3P0/yGtjtep28DOUj2XV/1fGb/QvPNyWTI:9XUjH+pP0RBtW2m3cV/4TQvLT

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

temeij.exe

pid process

1512 temeij.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

764 cmd.exe

pid	process
764	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe

pid	process
1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

temeij.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	temeij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Temeij = "C:\\Users\\Admin\\AppData\\Roaming\\Avyr\\temeij.exe"	temeij.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe

description pid process target process

PID 1192 set thread context of 764 1192 76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe cmd.exe

description	pid	process	target process
PID 1192 set thread context of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

temeij.exe

pid	process
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe
1512	temeij.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exetemeij.exe

description	pid	process	target process
PID 1192 wrote to memory of 1512	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	temeij.exe
PID 1192 wrote to memory of 1512	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	temeij.exe
PID 1192 wrote to memory of 1512	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	temeij.exe
PID 1192 wrote to memory of 1512	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	temeij.exe
PID 1512 wrote to memory of 1120	1512	temeij.exe	taskhost.exe
PID 1512 wrote to memory of 1120	1512	temeij.exe	taskhost.exe
PID 1512 wrote to memory of 1120	1512	temeij.exe	taskhost.exe
PID 1512 wrote to memory of 1120	1512	temeij.exe	taskhost.exe
PID 1512 wrote to memory of 1120	1512	temeij.exe	taskhost.exe
PID 1512 wrote to memory of 1184	1512	temeij.exe	Dwm.exe
PID 1512 wrote to memory of 1184	1512	temeij.exe	Dwm.exe
PID 1512 wrote to memory of 1184	1512	temeij.exe	Dwm.exe
PID 1512 wrote to memory of 1184	1512	temeij.exe	Dwm.exe
PID 1512 wrote to memory of 1184	1512	temeij.exe	Dwm.exe
PID 1512 wrote to memory of 1248	1512	temeij.exe	Explorer.EXE
PID 1512 wrote to memory of 1248	1512	temeij.exe	Explorer.EXE
PID 1512 wrote to memory of 1248	1512	temeij.exe	Explorer.EXE
PID 1512 wrote to memory of 1248	1512	temeij.exe	Explorer.EXE
PID 1512 wrote to memory of 1248	1512	temeij.exe	Explorer.EXE
PID 1512 wrote to memory of 1192	1512	temeij.exe	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
PID 1512 wrote to memory of 1192	1512	temeij.exe	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
PID 1512 wrote to memory of 1192	1512	temeij.exe	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
PID 1512 wrote to memory of 1192	1512	temeij.exe	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
PID 1512 wrote to memory of 1192	1512	temeij.exe	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe
PID 1192 wrote to memory of 764	1192	76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe
  "C:\Users\Admin\AppData\Local\Temp\76fda38844994b8426f1c54ea9088590bf726deb0adc6840016d498303b47863.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Roaming\Avyr\temeij.exe
    "C:\Users\Admin\AppData\Roaming\Avyr\temeij.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VXXF067.bat"
    3⤵
    - Deletes itself
    PID:764

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VXXF067.bat

Filesize
303B

MD5
86c8c8a3d1aa57642df4e88dcb9ffb18

SHA1
0822d6254b5c4c1e2d95533e8e8ce51a0887ad69

SHA256
fa11a9296dfded6c2016d543ebc72b8123cd1368c2237f6347a42c7fd0ec9777

SHA512
856037b4791ebcf29c88840288cc8e9c280d11f86483d5a884fea91159cca6450590f8ce79ae57443506a11bcb6981b532b863c4f67374260bef06c5208c601f

Download Submit
C:\Users\Admin\AppData\Roaming\Avyr\temeij.exe

Filesize
292KB

MD5
3824c18319c5a1c0c8f6873aff88f760

SHA1
527c3f8724a576f2e0454f19db3d358bfa23a25c

SHA256
93d588176a5a8759bbdba741876545460eb16c0f8c6ae41600ee9aee3170624f

SHA512
997354f1edd27c34532a27c92bd68ab48bc59d4ecacd224618aab07c8371a3b9e6b90eb3880afd7d8b98429cd532b4f7552dbc6e52f92d7dfb9a788524312fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Avyr\temeij.exe

Filesize
292KB

MD5
3824c18319c5a1c0c8f6873aff88f760

SHA1
527c3f8724a576f2e0454f19db3d358bfa23a25c

SHA256
93d588176a5a8759bbdba741876545460eb16c0f8c6ae41600ee9aee3170624f

SHA512
997354f1edd27c34532a27c92bd68ab48bc59d4ecacd224618aab07c8371a3b9e6b90eb3880afd7d8b98429cd532b4f7552dbc6e52f92d7dfb9a788524312fa1

Download Submit
\Users\Admin\AppData\Roaming\Avyr\temeij.exe

Filesize
292KB

MD5
3824c18319c5a1c0c8f6873aff88f760

SHA1
527c3f8724a576f2e0454f19db3d358bfa23a25c

SHA256
93d588176a5a8759bbdba741876545460eb16c0f8c6ae41600ee9aee3170624f

SHA512
997354f1edd27c34532a27c92bd68ab48bc59d4ecacd224618aab07c8371a3b9e6b90eb3880afd7d8b98429cd532b4f7552dbc6e52f92d7dfb9a788524312fa1

Download Submit
\Users\Admin\AppData\Roaming\Avyr\temeij.exe

Filesize
292KB

MD5
3824c18319c5a1c0c8f6873aff88f760

SHA1
527c3f8724a576f2e0454f19db3d358bfa23a25c

SHA256
93d588176a5a8759bbdba741876545460eb16c0f8c6ae41600ee9aee3170624f

SHA512
997354f1edd27c34532a27c92bd68ab48bc59d4ecacd224618aab07c8371a3b9e6b90eb3880afd7d8b98429cd532b4f7552dbc6e52f92d7dfb9a788524312fa1

Download Submit
memory/764-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-113-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/764-101-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/764-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/764-102-0x0000000000193445-mapping.dmp

Download
memory/764-97-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/764-99-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/764-100-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/1120-68-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1120-65-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1120-67-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1120-69-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1120-70-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1184-76-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1184-73-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1184-74-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1184-75-0x0000000001D60000-0x0000000001DA8000-memory.dmp

Filesize
288KB

Download
memory/1192-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1192-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1192-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1192-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1192-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1192-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1192-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1192-56-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1192-85-0x0000000001EC0000-0x0000000001F08000-memory.dmp

Filesize
288KB

Download
memory/1192-87-0x0000000001EC0000-0x0000000001F08000-memory.dmp

Filesize
288KB

Download
memory/1192-104-0x0000000001EC0000-0x0000000001F08000-memory.dmp

Filesize
288KB

Download
memory/1192-88-0x0000000001EC0000-0x0000000001F08000-memory.dmp

Filesize
288KB

Download
memory/1192-86-0x0000000001EC0000-0x0000000001F08000-memory.dmp

Filesize
288KB

Download
memory/1192-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1248-82-0x0000000002580000-0x00000000025C8000-memory.dmp

Filesize
288KB

Download
memory/1248-81-0x0000000002580000-0x00000000025C8000-memory.dmp

Filesize
288KB

Download
memory/1248-80-0x0000000002580000-0x00000000025C8000-memory.dmp

Filesize
288KB

Download
memory/1248-79-0x0000000002580000-0x00000000025C8000-memory.dmp

Filesize
288KB

Download
memory/1512-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1512-59-0x0000000000000000-mapping.dmp

Download