98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393

General

Target

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
Size

300KB
MD5

1e65378ed7d208e3f7d3700f32b73cf1
SHA1

eb49144024cd00e2d2aac7c8adf13d89cc2a5535
SHA256

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393
SHA512

26df5f42a9d60f3040992560d0c3e133c62bad8bf4cdc5b1cf35f899f7dd70d9a48140988e654df779dfe3f326ec76d074e044a0c13f811e7873b804c2830d58
SSDEEP

6144:07DJbyFLycSQRcOCUVJDQfwjpCU2NVG4hBMkVkIs31E:07DJbopSyhNQWs/BwOkIH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ryycz.exeryycz.exe

pid process

4916 ryycz.exe
2364 ryycz.exe

pid	process
4916	ryycz.exe
2364	ryycz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ryycz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	ryycz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ryycz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Duek\\ryycz.exe"	ryycz.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exeryycz.exe

description	pid	process	target process
PID 3456 set thread context of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 4916 set thread context of 2364	4916	ryycz.exe	ryycz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exeryycz.exeryycz.exe

pid	process
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
4916	ryycz.exe
4916	ryycz.exe
4916	ryycz.exe
4916	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe
2364	ryycz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exeryycz.exe

pid	process
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
4916	ryycz.exe
4916	ryycz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exeryycz.exeryycz.exe

description	pid	process	target process
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 3456 wrote to memory of 4824	3456	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
PID 4824 wrote to memory of 4916	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	ryycz.exe
PID 4824 wrote to memory of 4916	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	ryycz.exe
PID 4824 wrote to memory of 4916	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4916 wrote to memory of 2364	4916	ryycz.exe	ryycz.exe
PID 4824 wrote to memory of 644	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 4824 wrote to memory of 644	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 4824 wrote to memory of 644	4824	98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe	cmd.exe
PID 2364 wrote to memory of 2524	2364	ryycz.exe	sihost.exe
PID 2364 wrote to memory of 2524	2364	ryycz.exe	sihost.exe
PID 2364 wrote to memory of 2524	2364	ryycz.exe	sihost.exe
PID 2364 wrote to memory of 2524	2364	ryycz.exe	sihost.exe
PID 2364 wrote to memory of 2524	2364	ryycz.exe	sihost.exe
PID 2364 wrote to memory of 2536	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 2536	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 2636	2364	ryycz.exe	taskhostw.exe
PID 2364 wrote to memory of 2636	2364	ryycz.exe	taskhostw.exe
PID 2364 wrote to memory of 2636	2364	ryycz.exe	taskhostw.exe
PID 2364 wrote to memory of 2636	2364	ryycz.exe	taskhostw.exe
PID 2364 wrote to memory of 2636	2364	ryycz.exe	taskhostw.exe
PID 2364 wrote to memory of 740	2364	ryycz.exe	Explorer.EXE
PID 2364 wrote to memory of 740	2364	ryycz.exe	Explorer.EXE
PID 2364 wrote to memory of 740	2364	ryycz.exe	Explorer.EXE
PID 2364 wrote to memory of 740	2364	ryycz.exe	Explorer.EXE
PID 2364 wrote to memory of 740	2364	ryycz.exe	Explorer.EXE
PID 2364 wrote to memory of 3100	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 3100	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 3100	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 3100	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 3100	2364	ryycz.exe	svchost.exe
PID 2364 wrote to memory of 3304	2364	ryycz.exe	DllHost.exe
PID 2364 wrote to memory of 3304	2364	ryycz.exe	DllHost.exe
PID 2364 wrote to memory of 3304	2364	ryycz.exe	DllHost.exe
PID 2364 wrote to memory of 3304	2364	ryycz.exe	DllHost.exe
PID 2364 wrote to memory of 3304	2364	ryycz.exe	DllHost.exe
PID 2364 wrote to memory of 3396	2364	ryycz.exe	StartMenuExperienceHost.exe
PID 2364 wrote to memory of 3396	2364	ryycz.exe	StartMenuExperienceHost.exe
PID 2364 wrote to memory of 3396	2364	ryycz.exe	StartMenuExperienceHost.exe
PID 2364 wrote to memory of 3396	2364	ryycz.exe	StartMenuExperienceHost.exe
PID 2364 wrote to memory of 3396	2364	ryycz.exe	StartMenuExperienceHost.exe
PID 2364 wrote to memory of 3460	2364	ryycz.exe	RuntimeBroker.exe
PID 2364 wrote to memory of 3460	2364	ryycz.exe	RuntimeBroker.exe
PID 2364 wrote to memory of 3460	2364	ryycz.exe	RuntimeBroker.exe
PID 2364 wrote to memory of 3460	2364	ryycz.exe	RuntimeBroker.exe
PID 2364 wrote to memory of 3460	2364	ryycz.exe	RuntimeBroker.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2164

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4384

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
"C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
C:\Users\Admin\AppData\Local\Temp\98200cc0ff273cfec73adf55562836adec4c86e85ec4f31dea7d233d54df4393.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe
"C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe
C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JMKB0A6.bat"
4⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe

Filesize
300KB

MD5
12b326bd3aa3b9bc4a3d9c3ab0b25dd7

SHA1
f605ac92b3949559814d6906d0b2ff3a020f8cb3

SHA256
0b22e56c5a7426b20bb8251585da611f4116e16531413e170a1f2cb1729d7907

SHA512
59387f8c74b37df36e435917baa7fe5bb598339571c347236430e026fd804105794a6699809ab2dc1e61f7a6d0ed5f1041b7a65287901c2bb95c43be04e70134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe

Filesize
300KB

MD5
12b326bd3aa3b9bc4a3d9c3ab0b25dd7

SHA1
f605ac92b3949559814d6906d0b2ff3a020f8cb3

SHA256
0b22e56c5a7426b20bb8251585da611f4116e16531413e170a1f2cb1729d7907

SHA512
59387f8c74b37df36e435917baa7fe5bb598339571c347236430e026fd804105794a6699809ab2dc1e61f7a6d0ed5f1041b7a65287901c2bb95c43be04e70134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duek\ryycz.exe

Filesize
300KB

MD5
12b326bd3aa3b9bc4a3d9c3ab0b25dd7

SHA1
f605ac92b3949559814d6906d0b2ff3a020f8cb3

SHA256
0b22e56c5a7426b20bb8251585da611f4116e16531413e170a1f2cb1729d7907

SHA512
59387f8c74b37df36e435917baa7fe5bb598339571c347236430e026fd804105794a6699809ab2dc1e61f7a6d0ed5f1041b7a65287901c2bb95c43be04e70134

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMKB0A6.bat

Filesize
280B

MD5
271c6598ccd7ec501669c8d536b38290

SHA1
7b81ee75708c5f92d3db457d0cb6561a40143b86

SHA256
8282914546094922bae937640a6ebeaa815875b4f7b07932eaa21950c14a52aa

SHA512
1406d1d3e4d5f160e568a80f798ed09743c96452c49b3b77a9cbbb21e55ba63783e70e1845e6b2664dbd025a596e6c59dfc8dea793864c2bb40e20a1adc82b5c

Download Submit
memory/644-153-0x0000000000B50000-0x0000000000B92000-memory.dmp

Filesize
264KB

Download
memory/644-147-0x0000000000000000-mapping.dmp

Download
memory/644-151-0x0000000000B50000-0x0000000000B92000-memory.dmp

Filesize
264KB

Download
memory/2364-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-143-0x0000000000000000-mapping.dmp

Download
memory/2364-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3456-135-0x00000000007A0000-0x00000000007A4000-memory.dmp

Filesize
16KB

Download
memory/4824-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-132-0x0000000000000000-mapping.dmp

Download
memory/4824-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4916-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads