2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c

General

Target

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
Size

191KB
MD5

7fb6b13d8caee1d6bd7fead75c30f5ab
SHA1

885db78bad71287dd62b091d34e4d7bd67490afa
SHA256

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c
SHA512

6285b4dfbc0760b7dcbcaf4bc4823b849f3e5a9389dc469aacdb5f14f30990775926e48529fd62043a1e38908f47b5b91fa63db410d86581907978bc1d4ff9c2
SSDEEP

3072:41iaU+3rjl6VUvvgL/lALKDL+3+kZ0w94ifW3ontQ0ZTcdwOTo7:dwjwOvgrSLKH+3H0wc3otd22D

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

anpiw.exe

pid process

1352 anpiw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1660 cmd.exe

pid	process
1660	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

pid	process
1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

anpiw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	anpiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F026AC15-12EF-7D89-138E-B90D2E97E96F} = "C:\\Users\\Admin\\AppData\\Roaming\\Cyak\\anpiw.exe"	anpiw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

description	pid	process	target process
PID 1552 set thread context of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

anpiw.exe

pid	process
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe
1352	anpiw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

description pid process

Token: SeSecurityPrivilege 1552 2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

description	pid	process
Token: SeSecurityPrivilege	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exeanpiw.exe

description	pid	process	target process
PID 1552 wrote to memory of 1352	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	anpiw.exe
PID 1552 wrote to memory of 1352	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	anpiw.exe
PID 1552 wrote to memory of 1352	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	anpiw.exe
PID 1552 wrote to memory of 1352	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	anpiw.exe
PID 1352 wrote to memory of 1132	1352	anpiw.exe	taskhost.exe
PID 1352 wrote to memory of 1132	1352	anpiw.exe	taskhost.exe
PID 1352 wrote to memory of 1132	1352	anpiw.exe	taskhost.exe
PID 1352 wrote to memory of 1132	1352	anpiw.exe	taskhost.exe
PID 1352 wrote to memory of 1132	1352	anpiw.exe	taskhost.exe
PID 1352 wrote to memory of 1188	1352	anpiw.exe	Dwm.exe
PID 1352 wrote to memory of 1188	1352	anpiw.exe	Dwm.exe
PID 1352 wrote to memory of 1188	1352	anpiw.exe	Dwm.exe
PID 1352 wrote to memory of 1188	1352	anpiw.exe	Dwm.exe
PID 1352 wrote to memory of 1188	1352	anpiw.exe	Dwm.exe
PID 1352 wrote to memory of 1220	1352	anpiw.exe	Explorer.EXE
PID 1352 wrote to memory of 1220	1352	anpiw.exe	Explorer.EXE
PID 1352 wrote to memory of 1220	1352	anpiw.exe	Explorer.EXE
PID 1352 wrote to memory of 1220	1352	anpiw.exe	Explorer.EXE
PID 1352 wrote to memory of 1220	1352	anpiw.exe	Explorer.EXE
PID 1352 wrote to memory of 1552	1352	anpiw.exe	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
PID 1352 wrote to memory of 1552	1352	anpiw.exe	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
PID 1352 wrote to memory of 1552	1352	anpiw.exe	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
PID 1352 wrote to memory of 1552	1352	anpiw.exe	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
PID 1352 wrote to memory of 1552	1352	anpiw.exe	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe
PID 1552 wrote to memory of 1660	1552	2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe
"C:\Users\Admin\AppData\Local\Temp\2363caa6929908500a459aa41cd27c9f8f63bd1a0e13d081af7d25bdfc7ba33c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Cyak\anpiw.exe
"C:\Users\Admin\AppData\Roaming\Cyak\anpiw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe001f263.bat"
3⤵
- Deletes itself
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe001f263.bat

Filesize
307B

MD5
6f4675651b5d460ff96ce17e4a5bdb48

SHA1
7dbf67e7909a681ab8e8d065b218a703d3af7062

SHA256
5ee3c84d18f2b2d5c48d6d986f7e72e47df85df38fcc23399ea3a68eede2f2b0

SHA512
3e344acd231158153c3aca8b5511f8781f0ab848c901f4a713ceaa8c745cc4f8c7e083842316aa53d03ba120ee30265b6aa3d936d3b78920cb14e29af6d158ba

Download Submit
C:\Users\Admin\AppData\Roaming\Cyak\anpiw.exe

Filesize
191KB

MD5
67dfce38bb5f091a2776b4fe562eb37b

SHA1
456a962ecff94e0f5f1d11f547332c931652a788

SHA256
ab2784f1e9d25bbf2f3e067c0f550c312b0e21f90a338c4d27050cc29f9ba672

SHA512
fb96d0064322b7c7d8c8c3dceaa86c70b7cf341bf33b5d6d6c8363724d8f58e222975867b1e699a2b3cd42b62a842e7526f1a82ede1143b5a4eac349cbd202a8

Download Submit
C:\Users\Admin\AppData\Roaming\Cyak\anpiw.exe

Filesize
191KB

MD5
67dfce38bb5f091a2776b4fe562eb37b

SHA1
456a962ecff94e0f5f1d11f547332c931652a788

SHA256
ab2784f1e9d25bbf2f3e067c0f550c312b0e21f90a338c4d27050cc29f9ba672

SHA512
fb96d0064322b7c7d8c8c3dceaa86c70b7cf341bf33b5d6d6c8363724d8f58e222975867b1e699a2b3cd42b62a842e7526f1a82ede1143b5a4eac349cbd202a8

Download Submit
\Users\Admin\AppData\Roaming\Cyak\anpiw.exe

Filesize
191KB

MD5
67dfce38bb5f091a2776b4fe562eb37b

SHA1
456a962ecff94e0f5f1d11f547332c931652a788

SHA256
ab2784f1e9d25bbf2f3e067c0f550c312b0e21f90a338c4d27050cc29f9ba672

SHA512
fb96d0064322b7c7d8c8c3dceaa86c70b7cf341bf33b5d6d6c8363724d8f58e222975867b1e699a2b3cd42b62a842e7526f1a82ede1143b5a4eac349cbd202a8

Download Submit
\Users\Admin\AppData\Roaming\Cyak\anpiw.exe

Filesize
191KB

MD5
67dfce38bb5f091a2776b4fe562eb37b

SHA1
456a962ecff94e0f5f1d11f547332c931652a788

SHA256
ab2784f1e9d25bbf2f3e067c0f550c312b0e21f90a338c4d27050cc29f9ba672

SHA512
fb96d0064322b7c7d8c8c3dceaa86c70b7cf341bf33b5d6d6c8363724d8f58e222975867b1e699a2b3cd42b62a842e7526f1a82ede1143b5a4eac349cbd202a8

Download Submit
memory/1132-63-0x0000000001F00000-0x0000000001F28000-memory.dmp

Filesize
160KB

Download
memory/1132-65-0x0000000001F00000-0x0000000001F28000-memory.dmp

Filesize
160KB

Download
memory/1132-66-0x0000000001F00000-0x0000000001F28000-memory.dmp

Filesize
160KB

Download
memory/1132-67-0x0000000001F00000-0x0000000001F28000-memory.dmp

Filesize
160KB

Download
memory/1132-68-0x0000000001F00000-0x0000000001F28000-memory.dmp

Filesize
160KB

Download
memory/1188-73-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-72-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-74-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-71-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1220-78-0x0000000002AA0000-0x0000000002AC8000-memory.dmp

Filesize
160KB

Download
memory/1220-77-0x0000000002AA0000-0x0000000002AC8000-memory.dmp

Filesize
160KB

Download
memory/1220-79-0x0000000002AA0000-0x0000000002AC8000-memory.dmp

Filesize
160KB

Download
memory/1220-80-0x0000000002AA0000-0x0000000002AC8000-memory.dmp

Filesize
160KB

Download
memory/1352-59-0x0000000000000000-mapping.dmp

Download
memory/1352-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-96-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/1552-83-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/1552-85-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/1552-86-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/1552-84-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/1552-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-93-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/1660-94-0x000000000018108A-mapping.dmp

Download
memory/1660-89-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/1660-99-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/1660-91-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/1660-92-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads