d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0

General

Target

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
Size

152KB
MD5

42d3f8095ee81957884ace52a36da770
SHA1

576d8e441be5159240c8a42568518f09a8f7963c
SHA256

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0
SHA512

be33e69fecdc4607b9adf8f4bb733b099cbd806bb5a91835b00fd94e765c225a58c63f25b1b5132354bcd88f69568793bd3d77c360772c566af4a6b50d860a6d
SSDEEP

1536:ryUhRUuyTgLMk2DaTvLvpH+hhTQ2+7Sn7qdZ9h4MVSDoL:rBsh0gJavYv+7oqdZ3HVS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Auywyw.exeAuywyw.exe

pid process

4536 Auywyw.exe
1896 Auywyw.exe

pid	process
4536	Auywyw.exe
1896	Auywyw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Auywyw = "C:\\Users\\Admin\\AppData\\Roaming\\Auywyw.exe"	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exeAuywyw.exe

description	pid	process	target process
PID 1572 set thread context of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 4536 set thread context of 1896	4536	Auywyw.exe	Auywyw.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3603103973"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998404"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5DC46C3-6B77-11ED-B8D8-5EDCA19B148A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3603259811"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998404"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe

pid	process
320	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
320	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Auywyw.exeiexplore.exe

description pid process

Token: SeDebugPrivilege 1896 Auywyw.exe
Token: SeDebugPrivilege 3300 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2200 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2200 IEXPLORE.EXE
2200 IEXPLORE.EXE
4200 IEXPLORE.EXE
4200 IEXPLORE.EXE
4200 IEXPLORE.EXE
4200 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1896	Auywyw.exe
Token: SeDebugPrivilege	3300	iexplore.exe

pid	process
2200	IEXPLORE.EXE

pid	process
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
4200	IEXPLORE.EXE
4200	IEXPLORE.EXE
4200	IEXPLORE.EXE
4200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exed8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exeAuywyw.exeAuywyw.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 1572 wrote to memory of 320	1572	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
PID 320 wrote to memory of 4536	320	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	Auywyw.exe
PID 320 wrote to memory of 4536	320	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	Auywyw.exe
PID 320 wrote to memory of 4536	320	d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 4536 wrote to memory of 1896	4536	Auywyw.exe	Auywyw.exe
PID 1896 wrote to memory of 3300	1896	Auywyw.exe	iexplore.exe
PID 1896 wrote to memory of 3300	1896	Auywyw.exe	iexplore.exe
PID 1896 wrote to memory of 3300	1896	Auywyw.exe	iexplore.exe
PID 3300 wrote to memory of 2200	3300	iexplore.exe	IEXPLORE.EXE
PID 3300 wrote to memory of 2200	3300	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 3300	1896	Auywyw.exe	iexplore.exe
PID 1896 wrote to memory of 3300	1896	Auywyw.exe	iexplore.exe
PID 2200 wrote to memory of 4200	2200	IEXPLORE.EXE	IEXPLORE.EXE
PID 2200 wrote to memory of 4200	2200	IEXPLORE.EXE	IEXPLORE.EXE
PID 2200 wrote to memory of 4200	2200	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
"C:\Users\Admin\AppData\Local\Temp\d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe
"C:\Users\Admin\AppData\Local\Temp\d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Roaming\Auywyw.exe
"C:\Users\Admin\AppData\Roaming\Auywyw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Roaming\Auywyw.exe
"C:\Users\Admin\AppData\Roaming\Auywyw.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Auywyw.exe

Filesize
152KB

MD5
42d3f8095ee81957884ace52a36da770

SHA1
576d8e441be5159240c8a42568518f09a8f7963c

SHA256
d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0

SHA512
be33e69fecdc4607b9adf8f4bb733b099cbd806bb5a91835b00fd94e765c225a58c63f25b1b5132354bcd88f69568793bd3d77c360772c566af4a6b50d860a6d

Download Submit
C:\Users\Admin\AppData\Roaming\Auywyw.exe

Filesize
152KB

MD5
42d3f8095ee81957884ace52a36da770

SHA1
576d8e441be5159240c8a42568518f09a8f7963c

SHA256
d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0

SHA512
be33e69fecdc4607b9adf8f4bb733b099cbd806bb5a91835b00fd94e765c225a58c63f25b1b5132354bcd88f69568793bd3d77c360772c566af4a6b50d860a6d

Download Submit
C:\Users\Admin\AppData\Roaming\Auywyw.exe

Filesize
152KB

MD5
42d3f8095ee81957884ace52a36da770

SHA1
576d8e441be5159240c8a42568518f09a8f7963c

SHA256
d8fdba6e9834965a9e0a63a471bcb6f63449fbe5fe049fd9d3ac99d06b011fa0

SHA512
be33e69fecdc4607b9adf8f4bb733b099cbd806bb5a91835b00fd94e765c225a58c63f25b1b5132354bcd88f69568793bd3d77c360772c566af4a6b50d860a6d

Download Submit
memory/320-133-0x0000000000000000-mapping.dmp

Download
memory/320-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/320-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/320-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/320-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1572-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1572-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1896-142-0x0000000000000000-mapping.dmp

Download
memory/1896-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-150-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4536-146-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4536-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads