92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6

General

Target

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
Size

265KB
MD5

a5a87aefcda306cfc3abaefee9e6fd12
SHA1

ca05e6214d2aedc579dd9b07fda70909906b32f1
SHA256

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6
SHA512

b1f9d57ccfec85179c01681b990eb5ca82298f5a415c5759030eb517b97ac46989dbfb9be72e89bb86f15387c141093d446db283ad2ee14e74abb3012a922865
SSDEEP

6144:vnWTGgt+dItTmDNakgbk0Neby74kxB4E:vWhhtaakr0Nuyck7j

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zyirq.exezyirq.exe

pid process

588 zyirq.exe
676 zyirq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

640 cmd.exe

pid	process
588	zyirq.exe
676	zyirq.exe

pid	process
640	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe

pid	process
1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exezyirq.exe

description	pid	process	target process
PID 1552 set thread context of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 588 set thread context of 676	588	zyirq.exe	zyirq.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

zyirq.exe

pid process

676 zyirq.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe

description pid process

Token: SeSecurityPrivilege 1760 92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exezyirq.exe

pid process

1552 92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
588 zyirq.exe

pid	process
676	zyirq.exe

description	pid	process
Token: SeSecurityPrivilege	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe

pid	process
1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
588	zyirq.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exezyirq.exezyirq.exe

description	pid	process	target process
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1552 wrote to memory of 1760	1552	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
PID 1760 wrote to memory of 588	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	zyirq.exe
PID 1760 wrote to memory of 588	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	zyirq.exe
PID 1760 wrote to memory of 588	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	zyirq.exe
PID 1760 wrote to memory of 588	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 588 wrote to memory of 676	588	zyirq.exe	zyirq.exe
PID 676 wrote to memory of 1132	676	zyirq.exe	taskhost.exe
PID 676 wrote to memory of 1132	676	zyirq.exe	taskhost.exe
PID 676 wrote to memory of 1132	676	zyirq.exe	taskhost.exe
PID 676 wrote to memory of 1132	676	zyirq.exe	taskhost.exe
PID 1760 wrote to memory of 640	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	cmd.exe
PID 1760 wrote to memory of 640	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	cmd.exe
PID 1760 wrote to memory of 640	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	cmd.exe
PID 1760 wrote to memory of 640	1760	92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe	cmd.exe
PID 676 wrote to memory of 1132	676	zyirq.exe	taskhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
"C:\Users\Admin\AppData\Local\Temp\92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe
"C:\Users\Admin\AppData\Local\Temp\92e712491a7089987b7985048ede8c908a7c0c7405f099595accce995ea934a6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
"C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
"C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp66a66e08.bat"
3⤵
- Deletes itself
PID:640

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp66a66e08.bat
Filesize
307B

MD5
315fb010d69c1399fef71a5b9ac8b3ed

SHA1
671af425de4d53d5b31b83acf5310f97de5a2083

SHA256
dd1174a8dff99be21cdaa21a61495732f4f6c6c7ef9deb67a65c9de3317dc047

SHA512
ec5e331c32812a0540c35adab705aba4b9eaf28354a961b4e46529dff11b3254b652ee69140766814036455b67f93acd795cfa4fe8f1d76d855465094d1f3085

Download Submit
C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
Filesize
265KB

MD5
3c7d62e7f615fe51b9189356091c4d8f

SHA1
d9682d726a971cad6b271ab7e9db030720a824c0

SHA256
aea9d73d5a6865396849372f44010593f79fec37e9f6f0b34da7ba20b1258dea

SHA512
19650b3120ece391c970fb11fcfad2b34b9b99119e09469c37109034a3eabbcb9439d57bbadd9577766476540d95f39a19392e0394b1cbf81891b412f6cdfa56

Download Submit
C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
Filesize
265KB

MD5
3c7d62e7f615fe51b9189356091c4d8f

SHA1
d9682d726a971cad6b271ab7e9db030720a824c0

SHA256
aea9d73d5a6865396849372f44010593f79fec37e9f6f0b34da7ba20b1258dea

SHA512
19650b3120ece391c970fb11fcfad2b34b9b99119e09469c37109034a3eabbcb9439d57bbadd9577766476540d95f39a19392e0394b1cbf81891b412f6cdfa56

Download Submit
C:\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
Filesize
265KB

MD5
3c7d62e7f615fe51b9189356091c4d8f

SHA1
d9682d726a971cad6b271ab7e9db030720a824c0

SHA256
aea9d73d5a6865396849372f44010593f79fec37e9f6f0b34da7ba20b1258dea

SHA512
19650b3120ece391c970fb11fcfad2b34b9b99119e09469c37109034a3eabbcb9439d57bbadd9577766476540d95f39a19392e0394b1cbf81891b412f6cdfa56

Download Submit
\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
Filesize
265KB

MD5
3c7d62e7f615fe51b9189356091c4d8f

SHA1
d9682d726a971cad6b271ab7e9db030720a824c0

SHA256
aea9d73d5a6865396849372f44010593f79fec37e9f6f0b34da7ba20b1258dea

SHA512
19650b3120ece391c970fb11fcfad2b34b9b99119e09469c37109034a3eabbcb9439d57bbadd9577766476540d95f39a19392e0394b1cbf81891b412f6cdfa56

Download Submit
\Users\Admin\AppData\Roaming\Raizzi\zyirq.exe
Filesize
265KB

MD5
3c7d62e7f615fe51b9189356091c4d8f

SHA1
d9682d726a971cad6b271ab7e9db030720a824c0

SHA256
aea9d73d5a6865396849372f44010593f79fec37e9f6f0b34da7ba20b1258dea

SHA512
19650b3120ece391c970fb11fcfad2b34b9b99119e09469c37109034a3eabbcb9439d57bbadd9577766476540d95f39a19392e0394b1cbf81891b412f6cdfa56

Download Submit
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/640-80-0x0000000000000000-mapping.dmp

Download
memory/676-70-0x0000000000413048-mapping.dmp

Download
memory/676-85-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1132-79-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1132-74-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1132-78-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1132-77-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1132-76-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/1760-59-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1760-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1760-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1760-57-0x0000000000413048-mapping.dmp

Download
memory/1760-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads