f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103

General

Target

f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
Size

340KB
MD5

878140a67a623cb80aee2db8592241b5
SHA1

89ad1fc74efc5d635e3d13e2e30b2047fd2979bc
SHA256

f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103
SHA512

7e461e1cce6bb1e22be584af0a79237fc1b5eea6d9f5ab51831aed28746a00b4b448479e5fc651d91f19f1df3f8bcac2ebddd535ba9125d789e0da01c777181e
SSDEEP

6144:YtqsCcx37x7GILKDO5YhewKNTEIDTRuHYAjhWUUN+12Be:DsdB7+N8V3DTY48UU1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

urazo.exeurazo.exe

pid process

3408 urazo.exe
4060 urazo.exe

pid	process
3408	urazo.exe
4060	urazo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

urazo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	urazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Urazo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Arab\\urazo.exe"	urazo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exeurazo.exe

description	pid	process	target process
PID 4152 set thread context of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 3408 set thread context of 4060	3408	urazo.exe	urazo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exeurazo.exe

pid	process
2100	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
2100	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe
4060	urazo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exef7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exeurazo.exeurazo.exe

description	pid	process	target process
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 4152 wrote to memory of 2100	4152	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
PID 2100 wrote to memory of 3408	2100	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	urazo.exe
PID 2100 wrote to memory of 3408	2100	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	urazo.exe
PID 2100 wrote to memory of 3408	2100	f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 3408 wrote to memory of 4060	3408	urazo.exe	urazo.exe
PID 4060 wrote to memory of 2432	4060	urazo.exe	sihost.exe
PID 4060 wrote to memory of 2432	4060	urazo.exe	sihost.exe
PID 4060 wrote to memory of 2432	4060	urazo.exe	sihost.exe
PID 4060 wrote to memory of 2432	4060	urazo.exe	sihost.exe
PID 4060 wrote to memory of 2432	4060	urazo.exe	sihost.exe
PID 4060 wrote to memory of 2452	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2452	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2452	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2452	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2452	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2720	4060	urazo.exe	taskhostw.exe
PID 4060 wrote to memory of 2720	4060	urazo.exe	taskhostw.exe
PID 4060 wrote to memory of 2720	4060	urazo.exe	taskhostw.exe
PID 4060 wrote to memory of 2720	4060	urazo.exe	taskhostw.exe
PID 4060 wrote to memory of 2720	4060	urazo.exe	taskhostw.exe
PID 4060 wrote to memory of 3064	4060	urazo.exe	Explorer.EXE
PID 4060 wrote to memory of 3064	4060	urazo.exe	Explorer.EXE
PID 4060 wrote to memory of 3064	4060	urazo.exe	Explorer.EXE
PID 4060 wrote to memory of 3064	4060	urazo.exe	Explorer.EXE
PID 4060 wrote to memory of 3064	4060	urazo.exe	Explorer.EXE
PID 4060 wrote to memory of 2984	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2984	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2984	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2984	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 2984	4060	urazo.exe	svchost.exe
PID 4060 wrote to memory of 3260	4060	urazo.exe	DllHost.exe
PID 4060 wrote to memory of 3260	4060	urazo.exe	DllHost.exe
PID 4060 wrote to memory of 3260	4060	urazo.exe	DllHost.exe
PID 4060 wrote to memory of 3260	4060	urazo.exe	DllHost.exe
PID 4060 wrote to memory of 3260	4060	urazo.exe	DllHost.exe
PID 4060 wrote to memory of 3360	4060	urazo.exe	StartMenuExperienceHost.exe
PID 4060 wrote to memory of 3360	4060	urazo.exe	StartMenuExperienceHost.exe
PID 4060 wrote to memory of 3360	4060	urazo.exe	StartMenuExperienceHost.exe
PID 4060 wrote to memory of 3360	4060	urazo.exe	StartMenuExperienceHost.exe
PID 4060 wrote to memory of 3360	4060	urazo.exe	StartMenuExperienceHost.exe
PID 4060 wrote to memory of 3428	4060	urazo.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 3428	4060	urazo.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 3428	4060	urazo.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 3428	4060	urazo.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 3428	4060	urazo.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 3512	4060	urazo.exe	SearchApp.exe
PID 4060 wrote to memory of 3512	4060	urazo.exe	SearchApp.exe
PID 4060 wrote to memory of 3512	4060	urazo.exe	SearchApp.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
"C:\Users\Admin\AppData\Local\Temp\f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe
"C:\Users\Admin\AppData\Local\Temp\f7bb55045df83ee94e45fedac711e4393ad54f83c422ea50cb0a752851560103.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe
"C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe
"C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JKK7A78.bat"
4⤵
PID:1280

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe
Filesize
340KB

MD5
9bc74da76bd8361a31cb2f9904dc92a0

SHA1
96e792bbf7fff45faa9aec7ca2e522af062e1ed9

SHA256
c2ff24b215506063c7f0e4380b20a1d223705e620be418c8df149e345347ac0b

SHA512
311a92f0964ad732431c24903169b466fb8ba3cf35813387369740adcc13306e9823311a538ac568189021a680da3af002dae6f9b3d12c796fd296c0c6be87f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe
Filesize
340KB

MD5
9bc74da76bd8361a31cb2f9904dc92a0

SHA1
96e792bbf7fff45faa9aec7ca2e522af062e1ed9

SHA256
c2ff24b215506063c7f0e4380b20a1d223705e620be418c8df149e345347ac0b

SHA512
311a92f0964ad732431c24903169b466fb8ba3cf35813387369740adcc13306e9823311a538ac568189021a680da3af002dae6f9b3d12c796fd296c0c6be87f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arab\urazo.exe
Filesize
340KB

MD5
9bc74da76bd8361a31cb2f9904dc92a0

SHA1
96e792bbf7fff45faa9aec7ca2e522af062e1ed9

SHA256
c2ff24b215506063c7f0e4380b20a1d223705e620be418c8df149e345347ac0b

SHA512
311a92f0964ad732431c24903169b466fb8ba3cf35813387369740adcc13306e9823311a538ac568189021a680da3af002dae6f9b3d12c796fd296c0c6be87f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKK7A78.bat
Filesize
284B

MD5
23ef30188449ba491c75471eeadb1347

SHA1
592ac366955edd1cccff3868970b86aa3a310909

SHA256
9cd56b7724fc6846c3ca7ac9c608a2a361694e35eb477ff18d638b37e4e97da7

SHA512
ce48d97b926d211e98bc18c9fd7b150a7c8df0f52d84114bd21105c9e869a4b7d8cd8e6ff6dac9d882f4ce4265b47a6811e970b29426f234e18a6c6e105561b9

Download Submit
memory/1280-158-0x0000000000720000-0x0000000000762000-memory.dmp

Filesize
264KB

Download
memory/1280-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1280-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1280-151-0x0000000000000000-mapping.dmp

Download
memory/2100-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-154-0x00000000010C0000-0x0000000001102000-memory.dmp

Filesize
264KB

Download
memory/2100-133-0x0000000000000000-mapping.dmp

Download
memory/2100-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2100-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3408-149-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3408-141-0x0000000000000000-mapping.dmp

Download
memory/3408-144-0x0000000000E36000-0x0000000000E3B000-memory.dmp

Filesize
20KB

Download
memory/4060-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-145-0x0000000000000000-mapping.dmp

Download
memory/4060-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-140-0x0000000000BE3000-0x0000000000BE6000-memory.dmp

Filesize
12KB

Download
memory/4152-138-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4152-132-0x0000000000BE3000-0x0000000000BE6000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads