2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
Size

350KB
MD5

4ac860f2dfe44d64c0a43b9a3cc38e40
SHA1

2085d9eec3602b1605a68356ab8167cb116bdee0
SHA256

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5
SHA512

d69593a02ddb357fd2d5a302113a25d49df63971a1fbb483505ab7faee3e18e82a96d73c931278f549375b559409718d2a6ae0ff95d57d9dfaad11798042f7d9
SSDEEP

6144:P7W9jgZngovqAHaxOK6W6beumW+XGccIuZENT3rdp3N:PagZ7vwx2/NmDXkIhp3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

byiwz.exe

pid process

1776 byiwz.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

580 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe

pid process

1184 2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe

pid	process
580	cmd.exe

pid	process
1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

byiwz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	byiwz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Nerali\\byiwz.exe"	byiwz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe

description pid process target process

PID 1184 set thread context of 580 1184 2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe cmd.exe

description	pid	process	target process
PID 1184 set thread context of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

byiwz.exe

pid	process
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe
1776	byiwz.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exebyiwz.exe

pid process

1184 2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
1776 byiwz.exe

pid	process
1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
1776	byiwz.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exebyiwz.exe

description	pid	process	target process
PID 1184 wrote to memory of 1776	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	byiwz.exe
PID 1184 wrote to memory of 1776	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	byiwz.exe
PID 1184 wrote to memory of 1776	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	byiwz.exe
PID 1184 wrote to memory of 1776	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	byiwz.exe
PID 1776 wrote to memory of 1256	1776	byiwz.exe	taskhost.exe
PID 1776 wrote to memory of 1256	1776	byiwz.exe	taskhost.exe
PID 1776 wrote to memory of 1256	1776	byiwz.exe	taskhost.exe
PID 1776 wrote to memory of 1256	1776	byiwz.exe	taskhost.exe
PID 1776 wrote to memory of 1256	1776	byiwz.exe	taskhost.exe
PID 1776 wrote to memory of 1340	1776	byiwz.exe	Dwm.exe
PID 1776 wrote to memory of 1340	1776	byiwz.exe	Dwm.exe
PID 1776 wrote to memory of 1340	1776	byiwz.exe	Dwm.exe
PID 1776 wrote to memory of 1340	1776	byiwz.exe	Dwm.exe
PID 1776 wrote to memory of 1340	1776	byiwz.exe	Dwm.exe
PID 1776 wrote to memory of 1412	1776	byiwz.exe	Explorer.EXE
PID 1776 wrote to memory of 1412	1776	byiwz.exe	Explorer.EXE
PID 1776 wrote to memory of 1412	1776	byiwz.exe	Explorer.EXE
PID 1776 wrote to memory of 1412	1776	byiwz.exe	Explorer.EXE
PID 1776 wrote to memory of 1412	1776	byiwz.exe	Explorer.EXE
PID 1776 wrote to memory of 1184	1776	byiwz.exe	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
PID 1776 wrote to memory of 1184	1776	byiwz.exe	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
PID 1776 wrote to memory of 1184	1776	byiwz.exe	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
PID 1776 wrote to memory of 1184	1776	byiwz.exe	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
PID 1776 wrote to memory of 1184	1776	byiwz.exe	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe
PID 1184 wrote to memory of 580	1184	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
"C:\Users\Admin\AppData\Local\Temp\2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Roaming\Nerali\byiwz.exe
"C:\Users\Admin\AppData\Roaming\Nerali\byiwz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpce1ac06b.bat"
3⤵
- Deletes itself
PID:580

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpce1ac06b.bat

Filesize
307B

MD5
ee29868ebc028ef5ac90ed86419e6001

SHA1
4fc906694e3ab5aec8312ee003a8c6760956dd67

SHA256
18173ccafc044d270fedf9c068a29a4b30e510dc6c15f08880e2a6bb6f43c961

SHA512
133f6925d3e6759ca30f29c273a7bc015829b5429cd6ce0be204d3b4fdb9ebf536712e59e83eb70162f21baaaf11c1781f7a529d884b87df65a3b2aaa7419700

Download Submit
C:\Users\Admin\AppData\Roaming\Nerali\byiwz.exe

Filesize
350KB

MD5
087b291d3c39e923841b5db0191b74a0

SHA1
d11b6d1fec08d191ff69f185583a3a8806ca67f0

SHA256
10cba07fdaf400da3560d822db797965781355bdf56e7196e8875d09dacd2c2f

SHA512
40ff9547d1c1436403932f71e9b5746f141b38f514ac6ebb11bf58897f10143eaa5627e1b4ea75816d8ddca48c53fe94fdd8a25417481ce02a335d39a87032d1

Download Submit
C:\Users\Admin\AppData\Roaming\Nerali\byiwz.exe

Filesize
350KB

MD5
087b291d3c39e923841b5db0191b74a0

SHA1
d11b6d1fec08d191ff69f185583a3a8806ca67f0

SHA256
10cba07fdaf400da3560d822db797965781355bdf56e7196e8875d09dacd2c2f

SHA512
40ff9547d1c1436403932f71e9b5746f141b38f514ac6ebb11bf58897f10143eaa5627e1b4ea75816d8ddca48c53fe94fdd8a25417481ce02a335d39a87032d1

Download Submit
\Users\Admin\AppData\Roaming\Nerali\byiwz.exe

Filesize
350KB

MD5
087b291d3c39e923841b5db0191b74a0

SHA1
d11b6d1fec08d191ff69f185583a3a8806ca67f0

SHA256
10cba07fdaf400da3560d822db797965781355bdf56e7196e8875d09dacd2c2f

SHA512
40ff9547d1c1436403932f71e9b5746f141b38f514ac6ebb11bf58897f10143eaa5627e1b4ea75816d8ddca48c53fe94fdd8a25417481ce02a335d39a87032d1

Download Submit
memory/580-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-117-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/580-119-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/580-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-99-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/580-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/580-104-0x00000000000602A5-mapping.dmp

Download
memory/580-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/580-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/580-100-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1184-105-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1184-84-0x0000000002270000-0x00000000022B7000-memory.dmp

Filesize
284KB

Download
memory/1184-55-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1184-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1184-87-0x0000000002270000-0x00000000022B7000-memory.dmp

Filesize
284KB

Download
memory/1184-86-0x0000000002270000-0x00000000022B7000-memory.dmp

Filesize
284KB

Download
memory/1184-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1184-85-0x0000000002270000-0x00000000022B7000-memory.dmp

Filesize
284KB

Download
memory/1184-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1184-58-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1184-107-0x0000000002270000-0x00000000022B7000-memory.dmp

Filesize
284KB

Download
memory/1184-106-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-103-0x0000000002270000-0x00000000022CB000-memory.dmp

Filesize
364KB

Download
memory/1256-69-0x0000000001BC0000-0x0000000001C07000-memory.dmp

Filesize
284KB

Download
memory/1256-64-0x0000000001BC0000-0x0000000001C07000-memory.dmp

Filesize
284KB

Download
memory/1256-66-0x0000000001BC0000-0x0000000001C07000-memory.dmp

Filesize
284KB

Download
memory/1256-67-0x0000000001BC0000-0x0000000001C07000-memory.dmp

Filesize
284KB

Download
memory/1256-68-0x0000000001BC0000-0x0000000001C07000-memory.dmp

Filesize
284KB

Download
memory/1340-73-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1340-74-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1340-72-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1340-75-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1412-79-0x0000000002960000-0x00000000029A7000-memory.dmp

Filesize
284KB

Download
memory/1412-78-0x0000000002960000-0x00000000029A7000-memory.dmp

Filesize
284KB

Download
memory/1412-81-0x0000000002960000-0x00000000029A7000-memory.dmp

Filesize
284KB

Download
memory/1412-80-0x0000000002960000-0x00000000029A7000-memory.dmp

Filesize
284KB

Download
memory/1776-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1776-101-0x0000000001B80000-0x0000000001BC7000-memory.dmp

Filesize
284KB

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/1776-118-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download