dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57

Analysis

max time kernel
252s
max time network
322s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
Size

247KB
MD5

fd56c9ffb7f21f4de99409f50567bc46
SHA1

8f957118caf10f3549d9cba54c472f86c66029ae
SHA256

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57
SHA512

7c97a21f3a2ec105f3cb797d9200df95a551179ce538fd551ef518f7206b80f5bca31ebd796ce12170398b71965a39a63d9bc52daf370de5cc14d5273b5e56b2
SSDEEP

3072:skBKiikA2e8MskcT5TqpZKX+DKhN4fEeZGm/yg87hIMDCx7v5zKS2OVHxIh5Hcj/:E6MTUvgQ3O0BosCfGhHDgcjBpwTZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

arimr.exearimr.exe

pid process

1548 arimr.exe
392 arimr.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1012 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe

pid process

1508 dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe

pid	process
1548	arimr.exe
392	arimr.exe

pid	process
1012	cmd.exe

pid	process
1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

arimr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	arimr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5F0E2C34-C5FB-A740-C612-C5026BE14FC9} = "C:\\Users\\Admin\\AppData\\Roaming\\Ufyg\\arimr.exe"	arimr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exearimr.exe

description	pid	process	target process
PID 468 set thread context of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 1548 set thread context of 392	1548	arimr.exe	arimr.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exearimr.exearimr.exe

pid	process
468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
1548	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe
392	arimr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exedd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exearimr.exe

description	pid	process
Token: SeDebugPrivilege	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
Token: SeSecurityPrivilege	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
Token: SeDebugPrivilege	1548	arimr.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exedd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exearimr.exearimr.exe

description	pid	process	target process
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 468 wrote to memory of 1508	468	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
PID 1508 wrote to memory of 1548	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	arimr.exe
PID 1508 wrote to memory of 1548	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	arimr.exe
PID 1508 wrote to memory of 1548	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	arimr.exe
PID 1508 wrote to memory of 1548	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1548 wrote to memory of 392	1548	arimr.exe	arimr.exe
PID 1508 wrote to memory of 1012	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	cmd.exe
PID 1508 wrote to memory of 1012	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	cmd.exe
PID 1508 wrote to memory of 1012	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	cmd.exe
PID 1508 wrote to memory of 1012	1508	dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe	cmd.exe
PID 392 wrote to memory of 1132	392	arimr.exe	taskhost.exe
PID 392 wrote to memory of 1132	392	arimr.exe	taskhost.exe
PID 392 wrote to memory of 1132	392	arimr.exe	taskhost.exe
PID 392 wrote to memory of 1132	392	arimr.exe	taskhost.exe
PID 392 wrote to memory of 1132	392	arimr.exe	taskhost.exe
PID 392 wrote to memory of 1192	392	arimr.exe	Dwm.exe
PID 392 wrote to memory of 1192	392	arimr.exe	Dwm.exe
PID 392 wrote to memory of 1192	392	arimr.exe	Dwm.exe
PID 392 wrote to memory of 1192	392	arimr.exe	Dwm.exe
PID 392 wrote to memory of 1192	392	arimr.exe	Dwm.exe
PID 392 wrote to memory of 1260	392	arimr.exe	Explorer.EXE
PID 392 wrote to memory of 1260	392	arimr.exe	Explorer.EXE
PID 392 wrote to memory of 1260	392	arimr.exe	Explorer.EXE
PID 392 wrote to memory of 1260	392	arimr.exe	Explorer.EXE
PID 392 wrote to memory of 1260	392	arimr.exe	Explorer.EXE
PID 392 wrote to memory of 1764	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1764	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1764	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1764	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1764	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1512	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1512	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1512	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1512	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1512	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1652	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1652	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1652	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1652	392	arimr.exe	DllHost.exe
PID 392 wrote to memory of 1652	392	arimr.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
"C:\Users\Admin\AppData\Local\Temp\dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe
"C:\Users\Admin\AppData\Local\Temp\dd254beddf2ca59bd331df5182f717faf89fd757110874c3fcb17705e28c2e57.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe
"C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe
"C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa98cb842.bat"
4⤵
- Deletes itself
PID:1012

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa98cb842.bat

Filesize
307B

MD5
90efbc8afd23be39de0c9fea244b69eb

SHA1
27fb68f65adebc5d3c25214c6dff8722270c879f

SHA256
5d2739854dc4761958cf6f0a87ebe43f7033a1bb5dfd6dbeafab4680cfdb6384

SHA512
66fe55543168ceae75e8ffdd3131f8bbbbcc98a53db9889fb9b753d6ddc62fbfe75da030e172bac754dfcb823ec810e345935d35ebb240c8028e085be8678a09

Download Submit
C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe

Filesize
247KB

MD5
63a6cd0ab53294106d6a4f077c4b3228

SHA1
1f9c7ea86dfdafd930a7fd59dbdef7ef82ffe228

SHA256
17373053354999e72a665c697dd464a21707af7983b52b7223ae57eaef8053aa

SHA512
2702bfc1327ae338f98d9d334ccac88f7cbabad516b21abfaf52cd2839f41226becd1af3f8f35c24ceb8216475e6ad3ca757e8012b6f73b8f688e5819c85a978

Download Submit
C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe

Filesize
247KB

MD5
63a6cd0ab53294106d6a4f077c4b3228

SHA1
1f9c7ea86dfdafd930a7fd59dbdef7ef82ffe228

SHA256
17373053354999e72a665c697dd464a21707af7983b52b7223ae57eaef8053aa

SHA512
2702bfc1327ae338f98d9d334ccac88f7cbabad516b21abfaf52cd2839f41226becd1af3f8f35c24ceb8216475e6ad3ca757e8012b6f73b8f688e5819c85a978

Download Submit
C:\Users\Admin\AppData\Roaming\Ufyg\arimr.exe

Filesize
247KB

MD5
63a6cd0ab53294106d6a4f077c4b3228

SHA1
1f9c7ea86dfdafd930a7fd59dbdef7ef82ffe228

SHA256
17373053354999e72a665c697dd464a21707af7983b52b7223ae57eaef8053aa

SHA512
2702bfc1327ae338f98d9d334ccac88f7cbabad516b21abfaf52cd2839f41226becd1af3f8f35c24ceb8216475e6ad3ca757e8012b6f73b8f688e5819c85a978

Download Submit
\Users\Admin\AppData\Roaming\Ufyg\arimr.exe

Filesize
247KB

MD5
63a6cd0ab53294106d6a4f077c4b3228

SHA1
1f9c7ea86dfdafd930a7fd59dbdef7ef82ffe228

SHA256
17373053354999e72a665c697dd464a21707af7983b52b7223ae57eaef8053aa

SHA512
2702bfc1327ae338f98d9d334ccac88f7cbabad516b21abfaf52cd2839f41226becd1af3f8f35c24ceb8216475e6ad3ca757e8012b6f73b8f688e5819c85a978

Download Submit
memory/392-88-0x0000000000413048-mapping.dmp

Download
memory/392-116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/468-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/468-55-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/468-56-0x0000000002136000-0x0000000002147000-memory.dmp

Filesize
68KB

Download
memory/468-66-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/468-67-0x0000000002136000-0x0000000002147000-memory.dmp

Filesize
68KB

Download
memory/1012-95-0x0000000000000000-mapping.dmp

Download
memory/1132-101-0x0000000001CD0000-0x0000000001CF7000-memory.dmp

Filesize
156KB

Download
memory/1132-102-0x0000000001CD0000-0x0000000001CF7000-memory.dmp

Filesize
156KB

Download
memory/1132-100-0x0000000001CD0000-0x0000000001CF7000-memory.dmp

Filesize
156KB

Download
memory/1132-99-0x0000000001CD0000-0x0000000001CF7000-memory.dmp

Filesize
156KB

Download
memory/1192-106-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1192-105-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1192-109-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1192-107-0x0000000001AC0000-0x0000000001AE7000-memory.dmp

Filesize
156KB

Download
memory/1260-115-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1260-113-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1260-112-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1260-114-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1508-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-98-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1508-64-0x0000000000413048-mapping.dmp

Download
memory/1512-125-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1512-128-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1512-127-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1512-126-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1548-90-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-75-0x0000000000000000-mapping.dmp

Download
memory/1548-91-0x0000000000956000-0x0000000000967000-memory.dmp

Filesize
68KB

Download
memory/1548-80-0x0000000000956000-0x0000000000967000-memory.dmp

Filesize
68KB

Download
memory/1548-79-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-131-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1652-132-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1652-133-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1652-134-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1764-119-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1764-120-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1764-121-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1764-122-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download