43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150

General

Target

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
Size

264KB
MD5

1dde503c7bc30d549f8a5e328e97aec4
SHA1

125ba81c949f821891e57829a36b702493b084fd
SHA256

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150
SHA512

535b484ac22821b05e516625858144f2870d3daf3b60e9a14efdb716766596cd0cc2666459436d9c5f3f339d501a8a64118ef5912ed9ddd51dbe9e074c45582d
SSDEEP

6144:gm2QxsaNwiRgk0wgUYibnW80YrZy8gP+t:d2KsCwiRSwgU5TW8/yNy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

vuoty.exevuoty.exe

pid process

1028 vuoty.exe
520 vuoty.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe

pid	process
1028	vuoty.exe
520	vuoty.exe

pid	process
1696	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe

pid	process
2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exevuoty.exe

description	pid	process	target process
PID 2036 set thread context of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 1028 set thread context of 520	1028	vuoty.exe	vuoty.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe

description pid process

Token: SeSecurityPrivilege 2012 43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exevuoty.exe

pid process

2036 43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
1028 vuoty.exe

description	pid	process
Token: SeSecurityPrivilege	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe

pid	process
2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
1028	vuoty.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exevuoty.exe

description	pid	process	target process
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2036 wrote to memory of 2012	2036	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
PID 2012 wrote to memory of 1028	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	vuoty.exe
PID 2012 wrote to memory of 1028	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	vuoty.exe
PID 2012 wrote to memory of 1028	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	vuoty.exe
PID 2012 wrote to memory of 1028	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 1028 wrote to memory of 520	1028	vuoty.exe	vuoty.exe
PID 2012 wrote to memory of 1696	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	cmd.exe
PID 2012 wrote to memory of 1696	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	cmd.exe
PID 2012 wrote to memory of 1696	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	cmd.exe
PID 2012 wrote to memory of 1696	2012	43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
"C:\Users\Admin\AppData\Local\Temp\43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe
"C:\Users\Admin\AppData\Local\Temp\43e835ec042436d6d88c1bf5e91f25fa4e4b211aa26eeb0f1b810d3b49e2e150.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe
"C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe
"C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe"
4⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7fba3684.bat"
3⤵
- Deletes itself
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7fba3684.bat

Filesize
307B

MD5
28cae2157b9358f0dda596663b598bcf

SHA1
01e9c96937e4c1b9fd3caaac7cbabd6d38c92072

SHA256
1173d5ae4de3fa05b3b86161a3648aa8984c5eb985b14d7189fa61eead58c1a5

SHA512
a0ef50aaadf80c762eaaac6678c1f37557998c75cb16918996647fe7223bead99a584502f36c37023c115831034aa9c021c6271ff097ad3ae05d84e8b2c3ade2

Download Submit
C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe

Filesize
264KB

MD5
5f7801f134b0553b02282e4129e607b5

SHA1
7fb27b7f9b250ceb50ffea2a4a4794451565995e

SHA256
3215e37afa0fde8f0871abc603f2be2b436876369681692423238f876ec33ba0

SHA512
bb6446db78c4fef797bb812f00812f4ed7e725010df051f07104ef10653ece7efec7f11fccc66a0c8bd4cd62bd1b88166af7fa7fe5e0d0299222ffc912ec0ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe

Filesize
264KB

MD5
5f7801f134b0553b02282e4129e607b5

SHA1
7fb27b7f9b250ceb50ffea2a4a4794451565995e

SHA256
3215e37afa0fde8f0871abc603f2be2b436876369681692423238f876ec33ba0

SHA512
bb6446db78c4fef797bb812f00812f4ed7e725010df051f07104ef10653ece7efec7f11fccc66a0c8bd4cd62bd1b88166af7fa7fe5e0d0299222ffc912ec0ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe

Filesize
264KB

MD5
5f7801f134b0553b02282e4129e607b5

SHA1
7fb27b7f9b250ceb50ffea2a4a4794451565995e

SHA256
3215e37afa0fde8f0871abc603f2be2b436876369681692423238f876ec33ba0

SHA512
bb6446db78c4fef797bb812f00812f4ed7e725010df051f07104ef10653ece7efec7f11fccc66a0c8bd4cd62bd1b88166af7fa7fe5e0d0299222ffc912ec0ea4

Download Submit
\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe

Filesize
264KB

MD5
5f7801f134b0553b02282e4129e607b5

SHA1
7fb27b7f9b250ceb50ffea2a4a4794451565995e

SHA256
3215e37afa0fde8f0871abc603f2be2b436876369681692423238f876ec33ba0

SHA512
bb6446db78c4fef797bb812f00812f4ed7e725010df051f07104ef10653ece7efec7f11fccc66a0c8bd4cd62bd1b88166af7fa7fe5e0d0299222ffc912ec0ea4

Download Submit
\Users\Admin\AppData\Roaming\Ebuza\vuoty.exe

Filesize
264KB

MD5
5f7801f134b0553b02282e4129e607b5

SHA1
7fb27b7f9b250ceb50ffea2a4a4794451565995e

SHA256
3215e37afa0fde8f0871abc603f2be2b436876369681692423238f876ec33ba0

SHA512
bb6446db78c4fef797bb812f00812f4ed7e725010df051f07104ef10653ece7efec7f11fccc66a0c8bd4cd62bd1b88166af7fa7fe5e0d0299222ffc912ec0ea4

Download Submit
memory/520-72-0x0000000000413048-mapping.dmp

Download
memory/1028-65-0x0000000000000000-mapping.dmp

Download
memory/1028-69-0x0000000000297000-0x0000000000299000-memory.dmp

Filesize
8KB

Download
memory/1696-75-0x0000000000000000-mapping.dmp

Download
memory/2012-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2012-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2012-60-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/2012-58-0x0000000000413048-mapping.dmp

Download
memory/2012-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2012-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-56-0x0000000000277000-0x0000000000279000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads