2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e

Analysis

max time kernel
206s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe
Size

306KB
MD5

e9e49ca7ccfb9666fdc620fd45859c76
SHA1

32fce03ad57b868497caf3f5b9d4edec9766d5dc
SHA256

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e
SHA512

da5223dcb0210c9c759a4f9390a258961bdfa08b1d06cc3cf3aa20d49edc9fb5a77dde71b4cbf6141f96970b6b2e8b84946a3c9419bd7daa299a3a23466c65cb
SSDEEP

6144:592lnHHnHrLrLLrLrDm2LjLjLNhXu61UpfEbh7DHi4ce+FTtAWy5jog/llhjRf5t:jKLjLjLNhXu2UUa5HXgTHfU+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	uruqh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	uruqh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uruqh = "C:\\Users\\Admin\\AppData\\Roaming\\Ezuqo\\uruqh.exe"	uruqh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 1784	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	89

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	85
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	85
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	85
PID 2376 wrote to memory of 2332	2376	uruqh.exe	47
PID 2376 wrote to memory of 2332	2376	uruqh.exe	47
PID 2376 wrote to memory of 2332	2376	uruqh.exe	47
PID 2376 wrote to memory of 2332	2376	uruqh.exe	47
PID 2376 wrote to memory of 2332	2376	uruqh.exe	47
PID 2376 wrote to memory of 2396	2376	uruqh.exe	46
PID 2376 wrote to memory of 2396	2376	uruqh.exe	46
PID 2376 wrote to memory of 2396	2376	uruqh.exe	46
PID 2376 wrote to memory of 2396	2376	uruqh.exe	46
PID 2376 wrote to memory of 2396	2376	uruqh.exe	46
PID 2376 wrote to memory of 2464	2376	uruqh.exe	43
PID 2376 wrote to memory of 2464	2376	uruqh.exe	43
PID 2376 wrote to memory of 2464	2376	uruqh.exe	43
PID 2376 wrote to memory of 2464	2376	uruqh.exe	43
PID 2376 wrote to memory of 2464	2376	uruqh.exe	43
PID 2376 wrote to memory of 372	2376	uruqh.exe	35
PID 2376 wrote to memory of 372	2376	uruqh.exe	35
PID 2376 wrote to memory of 372	2376	uruqh.exe	35
PID 2376 wrote to memory of 372	2376	uruqh.exe	35
PID 2376 wrote to memory of 372	2376	uruqh.exe	35
PID 2376 wrote to memory of 2804	2376	uruqh.exe	34
PID 2376 wrote to memory of 2804	2376	uruqh.exe	34
PID 2376 wrote to memory of 2804	2376	uruqh.exe	34
PID 2376 wrote to memory of 2804	2376	uruqh.exe	34
PID 2376 wrote to memory of 2804	2376	uruqh.exe	34
PID 2376 wrote to memory of 3244	2376	uruqh.exe	33
PID 2376 wrote to memory of 3244	2376	uruqh.exe	33
PID 2376 wrote to memory of 3244	2376	uruqh.exe	33
PID 2376 wrote to memory of 3244	2376	uruqh.exe	33
PID 2376 wrote to memory of 3244	2376	uruqh.exe	33
PID 2376 wrote to memory of 3344	2376	uruqh.exe	32
PID 2376 wrote to memory of 3344	2376	uruqh.exe	32
PID 2376 wrote to memory of 3344	2376	uruqh.exe	32
PID 2376 wrote to memory of 3344	2376	uruqh.exe	32
PID 2376 wrote to memory of 3344	2376	uruqh.exe	32
PID 2376 wrote to memory of 3408	2376	uruqh.exe	31
PID 2376 wrote to memory of 3408	2376	uruqh.exe	31
PID 2376 wrote to memory of 3408	2376	uruqh.exe	31
PID 2376 wrote to memory of 3408	2376	uruqh.exe	31
PID 2376 wrote to memory of 3408	2376	uruqh.exe	31
PID 2376 wrote to memory of 3492	2376	uruqh.exe	30
PID 2376 wrote to memory of 3492	2376	uruqh.exe	30
PID 2376 wrote to memory of 3492	2376	uruqh.exe	30
PID 2376 wrote to memory of 3492	2376	uruqh.exe	30
PID 2376 wrote to memory of 3492	2376	uruqh.exe	30
PID 2376 wrote to memory of 3760	2376	uruqh.exe	29
PID 2376 wrote to memory of 3760	2376	uruqh.exe	29
PID 2376 wrote to memory of 3760	2376	uruqh.exe	29
PID 2376 wrote to memory of 3760	2376	uruqh.exe	29
PID 2376 wrote to memory of 3760	2376	uruqh.exe	29
PID 2376 wrote to memory of 4668	2376	uruqh.exe	26
PID 2376 wrote to memory of 4668	2376	uruqh.exe	26
PID 2376 wrote to memory of 4668	2376	uruqh.exe	26
PID 2376 wrote to memory of 4668	2376	uruqh.exe	26
PID 2376 wrote to memory of 4668	2376	uruqh.exe	26
PID 2376 wrote to memory of 4200	2376	uruqh.exe	10
PID 2376 wrote to memory of 4200	2376	uruqh.exe	10
PID 2376 wrote to memory of 4200	2376	uruqh.exe	10
PID 2376 wrote to memory of 4200	2376	uruqh.exe	10
PID 2376 wrote to memory of 4200	2376	uruqh.exe	10
PID 2376 wrote to memory of 3896	2376	uruqh.exe	81

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe
  "C:\Users\Admin\AppData\Local\Temp\2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe
    "C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AYL736B.bat"
    3⤵
    PID:1784

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:396

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AYL736B.bat

Filesize
303B

MD5
c5f67a3749dfa93fe22050acee6fb8e4

SHA1
d14ed3f4aa1ae46947ce0bb90ba039cb054f7ed1

SHA256
bc454fe00330ed783400cebab2c467eaddd4a9b54a8cf7385f703ba47745aa5d

SHA512
4a62cf02f4e28929e54531a4553e7f4d10b2f9d9e57b062128d7aadf606fe048f8c985a350597f7cbcf70da0837bfc9a04624ffd255cc3ef7124c9af0e3e44d0

Download Submit
C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe

Filesize
306KB

MD5
0735c92118fca063872b078e74c704a7

SHA1
3c38f792d47ae7d872da5af07d13fc6221546147

SHA256
5ba4abbf307c663bb4023ac3c824d138c3932cddfdc3b224c2802fe186788d67

SHA512
85b0b976f2ee3f8874001940e2c3e58f38a70e9baf33ec81ba1bd53584d5639e9e61270ce232e403e627249d9eecbcaf7422fd45aef5493b85016ae70f4ebb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe

Filesize
306KB

MD5
0735c92118fca063872b078e74c704a7

SHA1
3c38f792d47ae7d872da5af07d13fc6221546147

SHA256
5ba4abbf307c663bb4023ac3c824d138c3932cddfdc3b224c2802fe186788d67

SHA512
85b0b976f2ee3f8874001940e2c3e58f38a70e9baf33ec81ba1bd53584d5639e9e61270ce232e403e627249d9eecbcaf7422fd45aef5493b85016ae70f4ebb5a

Download Submit
memory/1784-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-156-0x0000000001140000-0x0000000001189000-memory.dmp

Filesize
292KB

Download
memory/1784-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-146-0x0000000001140000-0x0000000001189000-memory.dmp

Filesize
292KB

Download
memory/1784-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2376-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3896-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-147-0x00000000028B0000-0x00000000028F9000-memory.dmp

Filesize
292KB

Download
memory/3896-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-132-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3896-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/3896-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download