98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393

General

Target

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
Size

300KB
MD5

1e65378ed7d208e3f7d3700f32b73cf1
SHA1

eb49144024cd00e2d2aac7c8adf13d89cc2a5535
SHA256

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393
SHA512

26df5f42a9d60f3040992560d0c3e133c62bad8bf4cdc5b1cf35f899f7dd70d9a48140988e654df779dfe3f326ec76d074e044a0c13f811e7873b804c2830d58
SSDEEP

6144:07DJbyFLycSQRcOCUVJDQfwjpCU2NVG4hBMkVkIs31E:07DJbopSyhNQWs/BwOkIH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tiaz.exetiaz.exe

pid process

1928 tiaz.exe
1508 tiaz.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

328 cmd.exe

pid	process
1928	tiaz.exe
1508	tiaz.exe

pid	process
328	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exetiaz.exe

pid	process
1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
1928	tiaz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tiaz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	tiaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tiaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ejjud\\tiaz.exe"	tiaz.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exetiaz.exe

description	pid	process	target process
PID 2036 set thread context of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 1928 set thread context of 1508	1928	tiaz.exe	tiaz.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exetiaz.exetiaz.exe

pid	process
2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
1928	tiaz.exe
1928	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe
1508	tiaz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exetiaz.exe

pid	process
2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
1928	tiaz.exe
1928	tiaz.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exetiaz.exetiaz.exe

description	pid	process	target process
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 2036 wrote to memory of 1120	2036	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 1120 wrote to memory of 1928	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	tiaz.exe
PID 1120 wrote to memory of 1928	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	tiaz.exe
PID 1120 wrote to memory of 1928	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	tiaz.exe
PID 1120 wrote to memory of 1928	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1928 wrote to memory of 1508	1928	tiaz.exe	tiaz.exe
PID 1120 wrote to memory of 328	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 1120 wrote to memory of 328	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 1120 wrote to memory of 328	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 1120 wrote to memory of 328	1120	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 1508 wrote to memory of 1124	1508	tiaz.exe	taskhost.exe
PID 1508 wrote to memory of 1124	1508	tiaz.exe	taskhost.exe
PID 1508 wrote to memory of 1124	1508	tiaz.exe	taskhost.exe
PID 1508 wrote to memory of 1124	1508	tiaz.exe	taskhost.exe
PID 1508 wrote to memory of 1124	1508	tiaz.exe	taskhost.exe
PID 1508 wrote to memory of 1188	1508	tiaz.exe	Dwm.exe
PID 1508 wrote to memory of 1188	1508	tiaz.exe	Dwm.exe
PID 1508 wrote to memory of 1188	1508	tiaz.exe	Dwm.exe
PID 1508 wrote to memory of 1188	1508	tiaz.exe	Dwm.exe
PID 1508 wrote to memory of 1188	1508	tiaz.exe	Dwm.exe
PID 1508 wrote to memory of 1224	1508	tiaz.exe	Explorer.EXE
PID 1508 wrote to memory of 1224	1508	tiaz.exe	Explorer.EXE
PID 1508 wrote to memory of 1224	1508	tiaz.exe	Explorer.EXE
PID 1508 wrote to memory of 1224	1508	tiaz.exe	Explorer.EXE
PID 1508 wrote to memory of 1224	1508	tiaz.exe	Explorer.EXE
PID 1508 wrote to memory of 328	1508	tiaz.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
"C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
"C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NOY1ABF.bat"
3⤵
- Deletes itself
PID:328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOY1ABF.bat
Filesize
284B

MD5
880d516ab144e23c986836764bbf468b

SHA1
a33d8656d9e67d9d5bac6633cf5000aaaa5308a3

SHA256
162b5b1405f5e8749f8c1886cd855320301c8c39dedb98112af239710b09fe4a

SHA512
f707cf66bb245ac04aaba3f456e7e5078644b606ab534f3e37ff46687bc828bc87280c9b5ef56a8ea49f8ccb618938ad2655cde101a159a21aa62c5a826052e9

Download Submit
\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
\Users\Admin\AppData\Local\Temp\Ejjud\tiaz.exe
Filesize
300KB

MD5
97780287bb5c4a723ddb664e56465325

SHA1
26b83290c73367cd8ec315b537aebd45a7c99223

SHA256
8efbf2995c5a9855ba8a396de9a626a10f92340d3ab5b7f923d6cbbb8368d517

SHA512
7564db551ed3040bfd7a9225437ad65f31072c9bf61ddafb4c36eae01359e38ff977e6540c6c9379311775066a5b2035612da9706ff1176ac94a2b45add9136a

Download Submit
memory/328-93-0x0000000000000000-mapping.dmp

Download
memory/1120-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-64-0x0000000000426135-mapping.dmp

Download
memory/1120-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1120-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-97-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1124-98-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1124-99-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1124-100-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1188-105-0x0000000001BD0000-0x0000000001C12000-memory.dmp

Filesize
264KB

Download
memory/1188-104-0x0000000001BD0000-0x0000000001C12000-memory.dmp

Filesize
264KB

Download
memory/1188-106-0x0000000001BD0000-0x0000000001C12000-memory.dmp

Filesize
264KB

Download
memory/1188-103-0x0000000001BD0000-0x0000000001C12000-memory.dmp

Filesize
264KB

Download
memory/1224-113-0x0000000002AD0000-0x0000000002B12000-memory.dmp

Filesize
264KB

Download
memory/1224-110-0x0000000002AD0000-0x0000000002B12000-memory.dmp

Filesize
264KB

Download
memory/1224-112-0x0000000002AD0000-0x0000000002B12000-memory.dmp

Filesize
264KB

Download
memory/1224-111-0x0000000002AD0000-0x0000000002B12000-memory.dmp

Filesize
264KB

Download
memory/1508-88-0x0000000000426135-mapping.dmp

Download
memory/1508-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-73-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/2036-65-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads