472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c

General

Target

472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
Size

428KB
MD5

ad7313b71afd12bb2bdf006931fe0fd9
SHA1

df85d9fc222b241eb26cad8281666f2ccf901ba3
SHA256

472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c
SHA512

4505d1ba04c5d9f3d5da9dbf428bfa581272bc5c3bafda3a74b214e00a50332c42bbb790194f3363265ce0443a367a8326a1706846d169de40888365e627c6d5
SSDEEP

12288:vGYuufqCYpkYcnyxSPB/wTcOP6M2hElG7b7Xxk832mJOq:+UfqCOkpyxSPBoTcEh832mJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uruja.exe

pid process

2560 uruja.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uruja.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	uruja.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uruja = "C:\\Users\\Admin\\AppData\\Roaming\\Ypukk\\uruja.exe"	uruja.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe

description	pid	process	target process
PID 2564 set thread context of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

uruja.exe

pid	process
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe
2560	uruja.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exeuruja.exe

description	pid	process	target process
PID 2564 wrote to memory of 2560	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	uruja.exe
PID 2564 wrote to memory of 2560	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	uruja.exe
PID 2564 wrote to memory of 2560	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	uruja.exe
PID 2560 wrote to memory of 2700	2560	uruja.exe	sihost.exe
PID 2560 wrote to memory of 2700	2560	uruja.exe	sihost.exe
PID 2560 wrote to memory of 2700	2560	uruja.exe	sihost.exe
PID 2560 wrote to memory of 2700	2560	uruja.exe	sihost.exe
PID 2560 wrote to memory of 2700	2560	uruja.exe	sihost.exe
PID 2560 wrote to memory of 2816	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2816	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2816	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2816	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2816	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2868	2560	uruja.exe	taskhostw.exe
PID 2560 wrote to memory of 2868	2560	uruja.exe	taskhostw.exe
PID 2560 wrote to memory of 2868	2560	uruja.exe	taskhostw.exe
PID 2560 wrote to memory of 2868	2560	uruja.exe	taskhostw.exe
PID 2560 wrote to memory of 2868	2560	uruja.exe	taskhostw.exe
PID 2560 wrote to memory of 2376	2560	uruja.exe	Explorer.EXE
PID 2560 wrote to memory of 2376	2560	uruja.exe	Explorer.EXE
PID 2560 wrote to memory of 2376	2560	uruja.exe	Explorer.EXE
PID 2560 wrote to memory of 2376	2560	uruja.exe	Explorer.EXE
PID 2560 wrote to memory of 2376	2560	uruja.exe	Explorer.EXE
PID 2560 wrote to memory of 2936	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2936	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2936	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2936	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 2936	2560	uruja.exe	svchost.exe
PID 2560 wrote to memory of 3276	2560	uruja.exe	DllHost.exe
PID 2560 wrote to memory of 3276	2560	uruja.exe	DllHost.exe
PID 2560 wrote to memory of 3276	2560	uruja.exe	DllHost.exe
PID 2560 wrote to memory of 3276	2560	uruja.exe	DllHost.exe
PID 2560 wrote to memory of 3276	2560	uruja.exe	DllHost.exe
PID 2560 wrote to memory of 3376	2560	uruja.exe	StartMenuExperienceHost.exe
PID 2560 wrote to memory of 3376	2560	uruja.exe	StartMenuExperienceHost.exe
PID 2560 wrote to memory of 3376	2560	uruja.exe	StartMenuExperienceHost.exe
PID 2560 wrote to memory of 3376	2560	uruja.exe	StartMenuExperienceHost.exe
PID 2560 wrote to memory of 3376	2560	uruja.exe	StartMenuExperienceHost.exe
PID 2560 wrote to memory of 3444	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3444	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3444	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3444	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3444	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3532	2560	uruja.exe	SearchApp.exe
PID 2560 wrote to memory of 3532	2560	uruja.exe	SearchApp.exe
PID 2560 wrote to memory of 3532	2560	uruja.exe	SearchApp.exe
PID 2560 wrote to memory of 3532	2560	uruja.exe	SearchApp.exe
PID 2560 wrote to memory of 3532	2560	uruja.exe	SearchApp.exe
PID 2560 wrote to memory of 3700	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3700	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3700	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3700	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 3700	2560	uruja.exe	RuntimeBroker.exe
PID 2560 wrote to memory of 2564	2560	uruja.exe	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
PID 2560 wrote to memory of 2564	2560	uruja.exe	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
PID 2560 wrote to memory of 2564	2560	uruja.exe	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
PID 2560 wrote to memory of 2564	2560	uruja.exe	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
PID 2560 wrote to memory of 2564	2560	uruja.exe	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe
PID 2564 wrote to memory of 2728	2564	472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe	cmd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2868

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe
"C:\Users\Admin\AppData\Local\Temp\472b678218aeffc5d5b352550612d1da44a4734d83d1e14646440560e251fb5c.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\Ypukk\uruja.exe
"C:\Users\Admin\AppData\Roaming\Ypukk\uruja.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\IRL9391.bat"
3⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRL9391.bat
Filesize
303B

MD5
04907fcc2532fc9d64386b2db92ef7e5

SHA1
d091bd1e2e997f7b8f878c02b3f6b3cc58727d79

SHA256
cb16289645bf67db96bf10a442c9995e2e4d1f3864d8a71ecb9a80755cc727af

SHA512
7cd1032091a43048143bcd657c2724ab2e70b3bb83fe870f1fc155b7fa0f282765bbd4183d912fd9266148fe9973b54920a263caf4087337c4095714c01b0d1d

Download Submit
C:\Users\Admin\AppData\Roaming\Ypukk\uruja.exe
Filesize
428KB

MD5
d5ec348bc071044397bca68e5ac7c86a

SHA1
22a06dd2ed7816a941d3309ea3254f92b2eebcc3

SHA256
7bc5f9e3ed6b0c1c4776effe4d35565ff6ff73ea9448021cf599b4e234e9d732

SHA512
ef843e0ed2b2bdd2a40491e396c62d5a36161ec560ca4cce77e1c1f6a05dd098a759ac5dac20ed92b0e6b07cd812251b1201a2069424f44daac96fe9525804dd

Download Submit
C:\Users\Admin\AppData\Roaming\Ypukk\uruja.exe
Filesize
428KB

MD5
d5ec348bc071044397bca68e5ac7c86a

SHA1
22a06dd2ed7816a941d3309ea3254f92b2eebcc3

SHA256
7bc5f9e3ed6b0c1c4776effe4d35565ff6ff73ea9448021cf599b4e234e9d732

SHA512
ef843e0ed2b2bdd2a40491e396c62d5a36161ec560ca4cce77e1c1f6a05dd098a759ac5dac20ed92b0e6b07cd812251b1201a2069424f44daac96fe9525804dd

Download Submit
memory/2560-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2560-135-0x0000000000000000-mapping.dmp

Download
memory/2560-148-0x00000000025E0000-0x00000000029E0000-memory.dmp

Filesize
4.0MB

Download
memory/2560-161-0x00000000025E0000-0x00000000029E0000-memory.dmp

Filesize
4.0MB

Download
memory/2564-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-136-0x00000000027B0000-0x0000000002BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2564-132-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2564-133-0x00000000027B0000-0x0000000002BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2564-134-0x00000000027B0000-0x0000000002BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2564-149-0x00000000026D0000-0x0000000002719000-memory.dmp

Filesize
292KB

Download
memory/2564-150-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2564-151-0x00000000027B0000-0x0000000002BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2728-146-0x0000000000600000-0x0000000000649000-memory.dmp

Filesize
292KB

Download
memory/2728-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-158-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2728-160-0x0000000000600000-0x0000000000649000-memory.dmp

Filesize
292KB

Download
memory/2728-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads