54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b

Analysis

max time kernel
152s
max time network
116s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
Size

500KB
MD5

ae54b8f1a720989a3aef9b23ec06ecac
SHA1

bdd4ca1b84f8154453d90912c1eaa002763c156f
SHA256

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b
SHA512

eef30a72e151be7bedc39b75d2bd0a7bda7837818371f6ec056d34c205836a6440d8a3dc51d749134f138b1158e9c90e1411549e4b66f6b2c584d138b1251012
SSDEEP

6144:dL3JBr2nuuudy/TuuuZqcoxBIU9CdGKuuuee+pJ5TvzeA0GM1/s2CXl2:dbnrZyCRcB5CdGqxy68/s2S2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ymlyu.exeymlyu.exe

pid process

1104 ymlyu.exe
1140 ymlyu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

888 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

pid process

1900 54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

pid	process
1104	ymlyu.exe
1140	ymlyu.exe

pid	process
888	cmd.exe

pid	process
1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ymlyu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	ymlyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6FB5EB02-BA00-EA16-973A-5E67D3C48179} = "C:\\Users\\Admin\\AppData\\Roaming\\Heduz\\ymlyu.exe"	ymlyu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exeymlyu.exe

description	pid	process	target process
PID 1976 set thread context of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1104 set thread context of 1140	1104	ymlyu.exe	ymlyu.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

ymlyu.exe

pid	process
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe
1140	ymlyu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

description pid process

Token: SeSecurityPrivilege 1900 54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

description	pid	process
Token: SeSecurityPrivilege	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exeymlyu.exeymlyu.exe

description	pid	process	target process
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1976 wrote to memory of 1900	1976	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1900 wrote to memory of 1104	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	ymlyu.exe
PID 1900 wrote to memory of 1104	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	ymlyu.exe
PID 1900 wrote to memory of 1104	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	ymlyu.exe
PID 1900 wrote to memory of 1104	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1104 wrote to memory of 1140	1104	ymlyu.exe	ymlyu.exe
PID 1140 wrote to memory of 1128	1140	ymlyu.exe	taskhost.exe
PID 1140 wrote to memory of 1128	1140	ymlyu.exe	taskhost.exe
PID 1140 wrote to memory of 1128	1140	ymlyu.exe	taskhost.exe
PID 1140 wrote to memory of 1128	1140	ymlyu.exe	taskhost.exe
PID 1140 wrote to memory of 1128	1140	ymlyu.exe	taskhost.exe
PID 1140 wrote to memory of 1192	1140	ymlyu.exe	Dwm.exe
PID 1140 wrote to memory of 1192	1140	ymlyu.exe	Dwm.exe
PID 1140 wrote to memory of 1192	1140	ymlyu.exe	Dwm.exe
PID 1140 wrote to memory of 1192	1140	ymlyu.exe	Dwm.exe
PID 1140 wrote to memory of 1192	1140	ymlyu.exe	Dwm.exe
PID 1140 wrote to memory of 1268	1140	ymlyu.exe	Explorer.EXE
PID 1140 wrote to memory of 1268	1140	ymlyu.exe	Explorer.EXE
PID 1140 wrote to memory of 1268	1140	ymlyu.exe	Explorer.EXE
PID 1140 wrote to memory of 1268	1140	ymlyu.exe	Explorer.EXE
PID 1140 wrote to memory of 1268	1140	ymlyu.exe	Explorer.EXE
PID 1140 wrote to memory of 1900	1140	ymlyu.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1140 wrote to memory of 1900	1140	ymlyu.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1140 wrote to memory of 1900	1140	ymlyu.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1140 wrote to memory of 1900	1140	ymlyu.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1140 wrote to memory of 1900	1140	ymlyu.exe	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
PID 1900 wrote to memory of 888	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	cmd.exe
PID 1900 wrote to memory of 888	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	cmd.exe
PID 1900 wrote to memory of 888	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	cmd.exe
PID 1900 wrote to memory of 888	1900	54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe	cmd.exe
PID 1140 wrote to memory of 888	1140	ymlyu.exe	cmd.exe
PID 1140 wrote to memory of 888	1140	ymlyu.exe	cmd.exe
PID 1140 wrote to memory of 1180	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1180	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1180	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1180	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1180	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 2012	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 2012	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 2012	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 2012	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 2012	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1488	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1488	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1488	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1488	1140	ymlyu.exe	DllHost.exe
PID 1140 wrote to memory of 1488	1140	ymlyu.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
"C:\Users\Admin\AppData\Local\Temp\54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe
"C:\Users\Admin\AppData\Local\Temp\54914cb960660fe3fd85c8f6512f192df80a322109237f57367709a211f0750b.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe
"C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe
"C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp72001820.bat"
4⤵
- Deletes itself
PID:888

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp72001820.bat

Filesize
307B

MD5
f6bab947071e7b16dfeac806c4881f00

SHA1
0beec872432292a340aad9cc055878234d483cd3

SHA256
e96deea2c0497d8d7baae4de719cb8f254ae29f213d1a2e166facce5712a3a28

SHA512
0a20fda221949cf9f54fd7a91c5f2cf5c8882f2a7291eef56446e5306f50a9010cd3e80ad4494ef59f9a3b9fdc04eeb4d9213d78084c08c4f71f7bf5196e142a

Download Submit
C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe

Filesize
500KB

MD5
d9bf0dc28fd7c8670524a1c64c0eea53

SHA1
540ec31b084358934a53f110d044c3c72df585b0

SHA256
544b6a5fcfc14d6692a491ed62970dd66d6b31df0bdb89b7f78818181590ff96

SHA512
02645358104d5f95291d860de2604ebf4eae3d9a1b6fa223c255ac60315b31dd8f272a74fecf6859f75a96d62ec7c2124af47e573fb6681e13238f08fe37f315

Download Submit
C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe

Filesize
500KB

MD5
d9bf0dc28fd7c8670524a1c64c0eea53

SHA1
540ec31b084358934a53f110d044c3c72df585b0

SHA256
544b6a5fcfc14d6692a491ed62970dd66d6b31df0bdb89b7f78818181590ff96

SHA512
02645358104d5f95291d860de2604ebf4eae3d9a1b6fa223c255ac60315b31dd8f272a74fecf6859f75a96d62ec7c2124af47e573fb6681e13238f08fe37f315

Download Submit
C:\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe

Filesize
500KB

MD5
d9bf0dc28fd7c8670524a1c64c0eea53

SHA1
540ec31b084358934a53f110d044c3c72df585b0

SHA256
544b6a5fcfc14d6692a491ed62970dd66d6b31df0bdb89b7f78818181590ff96

SHA512
02645358104d5f95291d860de2604ebf4eae3d9a1b6fa223c255ac60315b31dd8f272a74fecf6859f75a96d62ec7c2124af47e573fb6681e13238f08fe37f315

Download Submit
\Users\Admin\AppData\Roaming\Heduz\ymlyu.exe

Filesize
500KB

MD5
d9bf0dc28fd7c8670524a1c64c0eea53

SHA1
540ec31b084358934a53f110d044c3c72df585b0

SHA256
544b6a5fcfc14d6692a491ed62970dd66d6b31df0bdb89b7f78818181590ff96

SHA512
02645358104d5f95291d860de2604ebf4eae3d9a1b6fa223c255ac60315b31dd8f272a74fecf6859f75a96d62ec7c2124af47e573fb6681e13238f08fe37f315

Download Submit
memory/888-107-0x0000000000000000-mapping.dmp

Download
memory/1104-68-0x0000000000000000-mapping.dmp

Download
memory/1128-88-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-85-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-87-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1128-86-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/1140-114-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1140-78-0x0000000000413048-mapping.dmp

Download
memory/1180-117-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1180-120-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1180-119-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1180-118-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1192-94-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-93-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-91-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1192-92-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/1268-100-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-99-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-98-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1268-97-0x0000000002610000-0x0000000002637000-memory.dmp

Filesize
156KB

Download
memory/1488-132-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1488-131-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1488-130-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1488-129-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1900-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-109-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1900-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-106-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1900-62-0x0000000000413048-mapping.dmp

Download
memory/1900-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-104-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1900-105-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1900-103-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/2012-123-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/2012-125-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/2012-126-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/2012-124-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download