2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5

General

Target

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
Size

350KB
MD5

4ac860f2dfe44d64c0a43b9a3cc38e40
SHA1

2085d9eec3602b1605a68356ab8167cb116bdee0
SHA256

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5
SHA512

d69593a02ddb357fd2d5a302113a25d49df63971a1fbb483505ab7faee3e18e82a96d73c931278f549375b559409718d2a6ae0ff95d57d9dfaad11798042f7d9
SSDEEP

6144:P7W9jgZngovqAHaxOK6W6beumW+XGccIuZENT3rdp3N:PagZ7vwx2/NmDXkIhp3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pujat.exe

pid process

4100 pujat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pujat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	pujat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{C3916187-556D-BCA0-4F67-978E82928D8C} = "C:\\Users\\Admin\\AppData\\Roaming\\Amikyl\\pujat.exe"	pujat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe

description	pid	process	target process
PID 3060 set thread context of 2852	3060	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pujat.exe

pid	process
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe
4100	pujat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exepujat.exe

description	pid	process	target process
PID 3060 wrote to memory of 4100	3060	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	pujat.exe
PID 3060 wrote to memory of 4100	3060	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	pujat.exe
PID 3060 wrote to memory of 4100	3060	2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe	pujat.exe
PID 4100 wrote to memory of 2428	4100	pujat.exe	sihost.exe
PID 4100 wrote to memory of 2428	4100	pujat.exe	sihost.exe
PID 4100 wrote to memory of 2428	4100	pujat.exe	sihost.exe
PID 4100 wrote to memory of 2428	4100	pujat.exe	sihost.exe
PID 4100 wrote to memory of 2428	4100	pujat.exe	sihost.exe
PID 4100 wrote to memory of 2480	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 2480	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 2480	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 2480	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 2480	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 2644	4100	pujat.exe	taskhostw.exe
PID 4100 wrote to memory of 2644	4100	pujat.exe	taskhostw.exe
PID 4100 wrote to memory of 2644	4100	pujat.exe	taskhostw.exe
PID 4100 wrote to memory of 2644	4100	pujat.exe	taskhostw.exe
PID 4100 wrote to memory of 2644	4100	pujat.exe	taskhostw.exe
PID 4100 wrote to memory of 2096	4100	pujat.exe	Explorer.EXE
PID 4100 wrote to memory of 2096	4100	pujat.exe	Explorer.EXE
PID 4100 wrote to memory of 2096	4100	pujat.exe	Explorer.EXE
PID 4100 wrote to memory of 2096	4100	pujat.exe	Explorer.EXE
PID 4100 wrote to memory of 2096	4100	pujat.exe	Explorer.EXE
PID 4100 wrote to memory of 3080	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 3080	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 3080	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 3080	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 3080	4100	pujat.exe	svchost.exe
PID 4100 wrote to memory of 3280	4100	pujat.exe	DllHost.exe
PID 4100 wrote to memory of 3280	4100	pujat.exe	DllHost.exe
PID 4100 wrote to memory of 3280	4100	pujat.exe	DllHost.exe
PID 4100 wrote to memory of 3280	4100	pujat.exe	DllHost.exe
PID 4100 wrote to memory of 3280	4100	pujat.exe	DllHost.exe
PID 4100 wrote to memory of 3388	4100	pujat.exe	StartMenuExperienceHost.exe
PID 4100 wrote to memory of 3388	4100	pujat.exe	StartMenuExperienceHost.exe
PID 4100 wrote to memory of 3388	4100	pujat.exe	StartMenuExperienceHost.exe
PID 4100 wrote to memory of 3388	4100	pujat.exe	StartMenuExperienceHost.exe
PID 4100 wrote to memory of 3388	4100	pujat.exe	StartMenuExperienceHost.exe
PID 4100 wrote to memory of 3456	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3456	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3456	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3456	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3456	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3540	4100	pujat.exe	SearchApp.exe
PID 4100 wrote to memory of 3540	4100	pujat.exe	SearchApp.exe
PID 4100 wrote to memory of 3540	4100	pujat.exe	SearchApp.exe
PID 4100 wrote to memory of 3540	4100	pujat.exe	SearchApp.exe
PID 4100 wrote to memory of 3540	4100	pujat.exe	SearchApp.exe
PID 4100 wrote to memory of 3808	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3808	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3808	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3808	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 3808	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 4716	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 4716	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 4716	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 4716	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 4716	4100	pujat.exe	RuntimeBroker.exe
PID 4100 wrote to memory of 2712	4100	pujat.exe	backgroundTaskHost.exe
PID 4100 wrote to memory of 2712	4100	pujat.exe	backgroundTaskHost.exe
PID 4100 wrote to memory of 2712	4100	pujat.exe	backgroundTaskHost.exe
PID 4100 wrote to memory of 2712	4100	pujat.exe	backgroundTaskHost.exe
PID 4100 wrote to memory of 2712	4100	pujat.exe	backgroundTaskHost.exe
PID 4100 wrote to memory of 1492	4100	pujat.exe	backgroundTaskHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2712

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe
"C:\Users\Admin\AppData\Local\Temp\2b0aa26b6108793645b26f7d70d0fab28fac27e4c8bcb7252d2ee4e3480570c5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\Amikyl\pujat.exe
"C:\Users\Admin\AppData\Roaming\Amikyl\pujat.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp870fe2ec.bat"
3⤵
PID:2852

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4604

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3292

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2132

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4568

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp870fe2ec.bat

Filesize
307B

MD5
69700c345ecf74b6ed047b1d2b926ec9

SHA1
56a6c00e084917a8e259207269103c05ce880a1f

SHA256
d136e30a3e435d98b9161d412082668bd267a830a12038fdd4e77df9b7f92ff6

SHA512
bf9ffabf8372a8a35fc1bdd7d3a458dde3d6c2913f49ac8102b97151d953af929582ff25b859b7b4b968c9c85712f68f54a936dc2f453680a2e0d5ab6d2490ec

Download Submit
C:\Users\Admin\AppData\Roaming\Amikyl\pujat.exe

Filesize
350KB

MD5
05ec6dd66d6ebca6595efbcd12c4cebe

SHA1
aa9245a194a64c0e007e5be0de1bb5666da8a753

SHA256
3db664dfcbbd96212d8c86a0e7d1098da5c58f932227f51eb211b8cc91a1a2bc

SHA512
cd57bc67b8af52eae01da2800c3749034ce4980f99667fb2bfa40162e755a1c981355fe1bf00b4a92455d787c852c2015c4f0261a659a8f86c242447099c2fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Amikyl\pujat.exe

Filesize
350KB

MD5
05ec6dd66d6ebca6595efbcd12c4cebe

SHA1
aa9245a194a64c0e007e5be0de1bb5666da8a753

SHA256
3db664dfcbbd96212d8c86a0e7d1098da5c58f932227f51eb211b8cc91a1a2bc

SHA512
cd57bc67b8af52eae01da2800c3749034ce4980f99667fb2bfa40162e755a1c981355fe1bf00b4a92455d787c852c2015c4f0261a659a8f86c242447099c2fbf

Download Submit
memory/2852-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-160-0x0000000000F50000-0x0000000000F97000-memory.dmp

Filesize
284KB

Download
memory/2852-158-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2852-149-0x0000000000F50000-0x0000000000F97000-memory.dmp

Filesize
284KB

Download
memory/2852-148-0x0000000000000000-mapping.dmp

Download
memory/3060-132-0x00000000021E0000-0x0000000002227000-memory.dmp

Filesize
284KB

Download
memory/3060-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-145-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3060-150-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3060-151-0x0000000002320000-0x0000000002367000-memory.dmp

Filesize
284KB

Download
memory/3060-133-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3060-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3060-134-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-140-0x00000000005C0000-0x0000000000607000-memory.dmp

Filesize
284KB

Download
memory/4100-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-137-0x0000000000000000-mapping.dmp

Download
memory/4100-161-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads