d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b

Analysis

max time kernel
153s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
Size

262KB
MD5

bb1ad57760a1ca3fdffd86c2539c7031
SHA1

e29b1944ce1d7dd3b611adb6dec5e99e0bb4e141
SHA256

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b
SHA512

4facb0b42ddd92b304c7f5c4f5488585cbbf7473fff07c8549d7a8ad50b3352810b8f387fd6ca86af0b455831b9c819900dbf4502a7f2c9fa4fc257fd193e443
SSDEEP

6144:UpNzqRprtJZaWmGcqRoOUeMz122/lSzsLt/pVkMM:UvqLk/eLU1cYlSzC/cMM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

myix.exemyix.exe

pid process

1356 myix.exe
1132 myix.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2004 cmd.exe

pid	process
1356	myix.exe
1132	myix.exe

pid	process
2004	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

pid	process
1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

myix.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	myix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1E92AE8F-51AB-A7A6-6B0E-CDA52E534C66} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzni\\myix.exe"	myix.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exemyix.exe

description	pid	process	target process
PID 1196 set thread context of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1356 set thread context of 1132	1356	myix.exe	myix.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

myix.exe

pid process

1132 myix.exe
1132 myix.exe
1132 myix.exe
1132 myix.exe
1132 myix.exe
1132 myix.exe

pid	process
1132	myix.exe
1132	myix.exe
1132	myix.exe
1132	myix.exe
1132	myix.exe
1132	myix.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

description	pid	process
Token: SeSecurityPrivilege	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
Token: SeSecurityPrivilege	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exemyix.exe

pid process

1196 d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
1356 myix.exe

pid	process
1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
1356	myix.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exed0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exemyix.exemyix.exe

description	pid	process	target process
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1196 wrote to memory of 1364	1196	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1364 wrote to memory of 1356	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	myix.exe
PID 1364 wrote to memory of 1356	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	myix.exe
PID 1364 wrote to memory of 1356	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	myix.exe
PID 1364 wrote to memory of 1356	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1356 wrote to memory of 1132	1356	myix.exe	myix.exe
PID 1132 wrote to memory of 1124	1132	myix.exe	taskhost.exe
PID 1132 wrote to memory of 1124	1132	myix.exe	taskhost.exe
PID 1132 wrote to memory of 1124	1132	myix.exe	taskhost.exe
PID 1132 wrote to memory of 1124	1132	myix.exe	taskhost.exe
PID 1132 wrote to memory of 1124	1132	myix.exe	taskhost.exe
PID 1132 wrote to memory of 1232	1132	myix.exe	Dwm.exe
PID 1132 wrote to memory of 1232	1132	myix.exe	Dwm.exe
PID 1132 wrote to memory of 1232	1132	myix.exe	Dwm.exe
PID 1132 wrote to memory of 1232	1132	myix.exe	Dwm.exe
PID 1132 wrote to memory of 1232	1132	myix.exe	Dwm.exe
PID 1132 wrote to memory of 1288	1132	myix.exe	Explorer.EXE
PID 1132 wrote to memory of 1288	1132	myix.exe	Explorer.EXE
PID 1132 wrote to memory of 1288	1132	myix.exe	Explorer.EXE
PID 1132 wrote to memory of 1288	1132	myix.exe	Explorer.EXE
PID 1132 wrote to memory of 1288	1132	myix.exe	Explorer.EXE
PID 1132 wrote to memory of 1364	1132	myix.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1132 wrote to memory of 1364	1132	myix.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1132 wrote to memory of 1364	1132	myix.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1132 wrote to memory of 1364	1132	myix.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1132 wrote to memory of 1364	1132	myix.exe	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
PID 1364 wrote to memory of 2004	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	cmd.exe
PID 1364 wrote to memory of 2004	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	cmd.exe
PID 1364 wrote to memory of 2004	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	cmd.exe
PID 1364 wrote to memory of 2004	1364	d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe	cmd.exe
PID 1132 wrote to memory of 2004	1132	myix.exe	cmd.exe
PID 1132 wrote to memory of 2004	1132	myix.exe	cmd.exe
PID 1132 wrote to memory of 2004	1132	myix.exe	cmd.exe
PID 1132 wrote to memory of 2004	1132	myix.exe	cmd.exe
PID 1132 wrote to memory of 2004	1132	myix.exe	cmd.exe
PID 1132 wrote to memory of 1620	1132	myix.exe	conhost.exe
PID 1132 wrote to memory of 1548	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1548	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1548	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1548	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1548	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1192	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1192	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1192	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1192	1132	myix.exe	DllHost.exe
PID 1132 wrote to memory of 1192	1132	myix.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
"C:\Users\Admin\AppData\Local\Temp\d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe
"C:\Users\Admin\AppData\Local\Temp\d0cad76b2cd313f7346ad89787a7a03249638cc4a848df8246e0edf6f118737b.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Roaming\Uzni\myix.exe
"C:\Users\Admin\AppData\Roaming\Uzni\myix.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Roaming\Uzni\myix.exe
"C:\Users\Admin\AppData\Roaming\Uzni\myix.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcb5eb189.bat"
4⤵
- Deletes itself
PID:2004

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12374672001409634653-421093261-2000258921194385841710707685382058058849-608132333"
1⤵
PID:1620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcb5eb189.bat

Filesize
307B

MD5
fcc58994c0b6766cc06fbb0b9c819cf6

SHA1
70a7b9fdacf44912cc9ea46805976c785ce9806f

SHA256
f28a50f1afaaf229fc1b424281152e54b8bb62c74bd2245abd5497bf6da05889

SHA512
29f96cf1e3a58c19b6d6b5b6f318a6f6ec491304ca7c9e14dfb8a0ca130c7873bb068a585165c0f84e76763e60f0956caa751334e029df2a7efee745648421c4

Download Submit
C:\Users\Admin\AppData\Roaming\Uzni\myix.exe

Filesize
262KB

MD5
1bb67908bcfe942dcbc4c224885ff501

SHA1
665250a2420deedf4973c490f57da54fcf7330fe

SHA256
4ce5833bb18c6970a1b9d09882a72920ad62ec7ffc1c6936e01359e4fbc4b3dc

SHA512
be9f5ff0b6bcd6728f7db59cc9ab0209c956aa49a42d0fd8bd25626b274e20d22890c05f3b6924ce489a5387e811881da0523376d3ec016df28ef7db0f515e6a

Download Submit
C:\Users\Admin\AppData\Roaming\Uzni\myix.exe

Filesize
262KB

MD5
1bb67908bcfe942dcbc4c224885ff501

SHA1
665250a2420deedf4973c490f57da54fcf7330fe

SHA256
4ce5833bb18c6970a1b9d09882a72920ad62ec7ffc1c6936e01359e4fbc4b3dc

SHA512
be9f5ff0b6bcd6728f7db59cc9ab0209c956aa49a42d0fd8bd25626b274e20d22890c05f3b6924ce489a5387e811881da0523376d3ec016df28ef7db0f515e6a

Download Submit
C:\Users\Admin\AppData\Roaming\Uzni\myix.exe

Filesize
262KB

MD5
1bb67908bcfe942dcbc4c224885ff501

SHA1
665250a2420deedf4973c490f57da54fcf7330fe

SHA256
4ce5833bb18c6970a1b9d09882a72920ad62ec7ffc1c6936e01359e4fbc4b3dc

SHA512
be9f5ff0b6bcd6728f7db59cc9ab0209c956aa49a42d0fd8bd25626b274e20d22890c05f3b6924ce489a5387e811881da0523376d3ec016df28ef7db0f515e6a

Download Submit
\Users\Admin\AppData\Roaming\Uzni\myix.exe

Filesize
262KB

MD5
1bb67908bcfe942dcbc4c224885ff501

SHA1
665250a2420deedf4973c490f57da54fcf7330fe

SHA256
4ce5833bb18c6970a1b9d09882a72920ad62ec7ffc1c6936e01359e4fbc4b3dc

SHA512
be9f5ff0b6bcd6728f7db59cc9ab0209c956aa49a42d0fd8bd25626b274e20d22890c05f3b6924ce489a5387e811881da0523376d3ec016df28ef7db0f515e6a

Download Submit
\Users\Admin\AppData\Roaming\Uzni\myix.exe

Filesize
262KB

MD5
1bb67908bcfe942dcbc4c224885ff501

SHA1
665250a2420deedf4973c490f57da54fcf7330fe

SHA256
4ce5833bb18c6970a1b9d09882a72920ad62ec7ffc1c6936e01359e4fbc4b3dc

SHA512
be9f5ff0b6bcd6728f7db59cc9ab0209c956aa49a42d0fd8bd25626b274e20d22890c05f3b6924ce489a5387e811881da0523376d3ec016df28ef7db0f515e6a

Download Submit
memory/1124-78-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1124-79-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1124-76-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1124-74-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1124-77-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1132-70-0x0000000000413048-mapping.dmp

Download
memory/1132-93-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1192-118-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1192-121-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1192-120-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1192-119-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1232-82-0x0000000001BF0000-0x0000000001C17000-memory.dmp

Filesize
156KB

Download
memory/1232-83-0x0000000001BF0000-0x0000000001C17000-memory.dmp

Filesize
156KB

Download
memory/1232-84-0x0000000001BF0000-0x0000000001C17000-memory.dmp

Filesize
156KB

Download
memory/1232-85-0x0000000001BF0000-0x0000000001C17000-memory.dmp

Filesize
156KB

Download
memory/1288-89-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1288-91-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1288-90-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1288-88-0x00000000025D0000-0x00000000025F7000-memory.dmp

Filesize
156KB

Download
memory/1356-64-0x0000000000000000-mapping.dmp

Download
memory/1364-96-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1364-98-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1364-97-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1364-95-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1364-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1364-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1364-101-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1364-59-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1364-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1364-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1364-57-0x0000000000413048-mapping.dmp

Download
memory/1548-114-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/1548-112-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/1548-113-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/1548-115-0x0000000001D50000-0x0000000001D77000-memory.dmp

Filesize
156KB

Download
memory/2004-107-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/2004-106-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/2004-105-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/2004-104-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/2004-99-0x0000000000000000-mapping.dmp

Download