2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e

General

Target

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe
Size

306KB
MD5

e9e49ca7ccfb9666fdc620fd45859c76
SHA1

32fce03ad57b868497caf3f5b9d4edec9766d5dc
SHA256

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e
SHA512

da5223dcb0210c9c759a4f9390a258961bdfa08b1d06cc3cf3aa20d49edc9fb5a77dde71b4cbf6141f96970b6b2e8b84946a3c9419bd7daa299a3a23466c65cb
SSDEEP

6144:592lnHHnHrLrLLrLrDm2LjLjLNhXu61UpfEbh7DHi4ce+FTtAWy5jog/llhjRf5t:jKLjLjLNhXu2UUa5HXgTHfU+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uruqh.exe

pid process

2376 uruqh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uruqh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	uruqh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uruqh = "C:\\Users\\Admin\\AppData\\Roaming\\Ezuqo\\uruqh.exe"	uruqh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe

description	pid	process	target process
PID 3896 set thread context of 1784	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

uruqh.exe

pid	process
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe
2376	uruqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exeuruqh.exe

description	pid	process	target process
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	uruqh.exe
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	uruqh.exe
PID 3896 wrote to memory of 2376	3896	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe	uruqh.exe
PID 2376 wrote to memory of 2332	2376	uruqh.exe	sihost.exe
PID 2376 wrote to memory of 2332	2376	uruqh.exe	sihost.exe
PID 2376 wrote to memory of 2332	2376	uruqh.exe	sihost.exe
PID 2376 wrote to memory of 2332	2376	uruqh.exe	sihost.exe
PID 2376 wrote to memory of 2332	2376	uruqh.exe	sihost.exe
PID 2376 wrote to memory of 2396	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2396	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2396	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2396	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2396	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2464	2376	uruqh.exe	taskhostw.exe
PID 2376 wrote to memory of 2464	2376	uruqh.exe	taskhostw.exe
PID 2376 wrote to memory of 2464	2376	uruqh.exe	taskhostw.exe
PID 2376 wrote to memory of 2464	2376	uruqh.exe	taskhostw.exe
PID 2376 wrote to memory of 2464	2376	uruqh.exe	taskhostw.exe
PID 2376 wrote to memory of 372	2376	uruqh.exe	Explorer.EXE
PID 2376 wrote to memory of 372	2376	uruqh.exe	Explorer.EXE
PID 2376 wrote to memory of 372	2376	uruqh.exe	Explorer.EXE
PID 2376 wrote to memory of 372	2376	uruqh.exe	Explorer.EXE
PID 2376 wrote to memory of 372	2376	uruqh.exe	Explorer.EXE
PID 2376 wrote to memory of 2804	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2804	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2804	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2804	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 2804	2376	uruqh.exe	svchost.exe
PID 2376 wrote to memory of 3244	2376	uruqh.exe	DllHost.exe
PID 2376 wrote to memory of 3244	2376	uruqh.exe	DllHost.exe
PID 2376 wrote to memory of 3244	2376	uruqh.exe	DllHost.exe
PID 2376 wrote to memory of 3244	2376	uruqh.exe	DllHost.exe
PID 2376 wrote to memory of 3244	2376	uruqh.exe	DllHost.exe
PID 2376 wrote to memory of 3344	2376	uruqh.exe	StartMenuExperienceHost.exe
PID 2376 wrote to memory of 3344	2376	uruqh.exe	StartMenuExperienceHost.exe
PID 2376 wrote to memory of 3344	2376	uruqh.exe	StartMenuExperienceHost.exe
PID 2376 wrote to memory of 3344	2376	uruqh.exe	StartMenuExperienceHost.exe
PID 2376 wrote to memory of 3344	2376	uruqh.exe	StartMenuExperienceHost.exe
PID 2376 wrote to memory of 3408	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3408	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3408	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3408	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3408	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3492	2376	uruqh.exe	SearchApp.exe
PID 2376 wrote to memory of 3492	2376	uruqh.exe	SearchApp.exe
PID 2376 wrote to memory of 3492	2376	uruqh.exe	SearchApp.exe
PID 2376 wrote to memory of 3492	2376	uruqh.exe	SearchApp.exe
PID 2376 wrote to memory of 3492	2376	uruqh.exe	SearchApp.exe
PID 2376 wrote to memory of 3760	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3760	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3760	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3760	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3760	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4668	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4668	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4668	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4668	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4668	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4200	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4200	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4200	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4200	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 4200	2376	uruqh.exe	RuntimeBroker.exe
PID 2376 wrote to memory of 3896	2376	uruqh.exe	2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe
"C:\Users\Admin\AppData\Local\Temp\2810189da6ce0e8fa78ce061089608f413fef1b876ffef6290e29a890006e79e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe
"C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AYL736B.bat"
3⤵
PID:1784

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:396

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AYL736B.bat

Filesize
303B

MD5
c5f67a3749dfa93fe22050acee6fb8e4

SHA1
d14ed3f4aa1ae46947ce0bb90ba039cb054f7ed1

SHA256
bc454fe00330ed783400cebab2c467eaddd4a9b54a8cf7385f703ba47745aa5d

SHA512
4a62cf02f4e28929e54531a4553e7f4d10b2f9d9e57b062128d7aadf606fe048f8c985a350597f7cbcf70da0837bfc9a04624ffd255cc3ef7124c9af0e3e44d0

Download Submit
C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe

Filesize
306KB

MD5
0735c92118fca063872b078e74c704a7

SHA1
3c38f792d47ae7d872da5af07d13fc6221546147

SHA256
5ba4abbf307c663bb4023ac3c824d138c3932cddfdc3b224c2802fe186788d67

SHA512
85b0b976f2ee3f8874001940e2c3e58f38a70e9baf33ec81ba1bd53584d5639e9e61270ce232e403e627249d9eecbcaf7422fd45aef5493b85016ae70f4ebb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Ezuqo\uruqh.exe

Filesize
306KB

MD5
0735c92118fca063872b078e74c704a7

SHA1
3c38f792d47ae7d872da5af07d13fc6221546147

SHA256
5ba4abbf307c663bb4023ac3c824d138c3932cddfdc3b224c2802fe186788d67

SHA512
85b0b976f2ee3f8874001940e2c3e58f38a70e9baf33ec81ba1bd53584d5639e9e61270ce232e403e627249d9eecbcaf7422fd45aef5493b85016ae70f4ebb5a

Download Submit
memory/1784-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-156-0x0000000001140000-0x0000000001189000-memory.dmp

Filesize
292KB

Download
memory/1784-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-145-0x0000000000000000-mapping.dmp

Download
memory/1784-146-0x0000000001140000-0x0000000001189000-memory.dmp

Filesize
292KB

Download
memory/1784-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2376-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2376-134-0x0000000000000000-mapping.dmp

Download
memory/3896-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-147-0x00000000028B0000-0x00000000028F9000-memory.dmp

Filesize
292KB

Download
memory/3896-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-132-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3896-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3896-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/3896-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads