c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8

General

Target

c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
Size

309KB
MD5

3649a157bf6c9c18a7449984b21a9a35
SHA1

66469e285f66b8cdb4b97dd8a9d2b99529442a9b
SHA256

c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8
SHA512

d883f3a868a788425eba145c9f68ab2e22ccecd35e1edbaddbb94bbf1e630dd523af2d86adb82c14d217136f17bd8894021a4e0923081f7ac5994f8fc241085c
SSDEEP

6144:8kKoh/+NWD3hEiyb1WDIBve+OwhT0x02EY:81I/3DWDbcDOGFKY5V

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

osympo.exe

pid process

968 osympo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe

pid	process
1528	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe

pid	process
1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

osympo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	osympo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Osympo = "C:\\Users\\Admin\\AppData\\Roaming\\Jynyyf\\osympo.exe"	osympo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe

description	pid	process	target process
PID 1064 set thread context of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

osympo.exe

pid	process
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe
968	osympo.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exeosympo.exe

description	pid	process	target process
PID 1064 wrote to memory of 968	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	osympo.exe
PID 1064 wrote to memory of 968	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	osympo.exe
PID 1064 wrote to memory of 968	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	osympo.exe
PID 1064 wrote to memory of 968	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	osympo.exe
PID 968 wrote to memory of 1216	968	osympo.exe	taskhost.exe
PID 968 wrote to memory of 1216	968	osympo.exe	taskhost.exe
PID 968 wrote to memory of 1216	968	osympo.exe	taskhost.exe
PID 968 wrote to memory of 1216	968	osympo.exe	taskhost.exe
PID 968 wrote to memory of 1216	968	osympo.exe	taskhost.exe
PID 968 wrote to memory of 1304	968	osympo.exe	Dwm.exe
PID 968 wrote to memory of 1304	968	osympo.exe	Dwm.exe
PID 968 wrote to memory of 1304	968	osympo.exe	Dwm.exe
PID 968 wrote to memory of 1304	968	osympo.exe	Dwm.exe
PID 968 wrote to memory of 1304	968	osympo.exe	Dwm.exe
PID 968 wrote to memory of 1360	968	osympo.exe	Explorer.EXE
PID 968 wrote to memory of 1360	968	osympo.exe	Explorer.EXE
PID 968 wrote to memory of 1360	968	osympo.exe	Explorer.EXE
PID 968 wrote to memory of 1360	968	osympo.exe	Explorer.EXE
PID 968 wrote to memory of 1360	968	osympo.exe	Explorer.EXE
PID 968 wrote to memory of 1064	968	osympo.exe	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
PID 968 wrote to memory of 1064	968	osympo.exe	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
PID 968 wrote to memory of 1064	968	osympo.exe	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
PID 968 wrote to memory of 1064	968	osympo.exe	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
PID 968 wrote to memory of 1064	968	osympo.exe	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe
"C:\Users\Admin\AppData\Local\Temp\c920ba3c2065e10dff499d3156dcebc2ec5c1496deec2344200570e648c7e5b8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe
"C:\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\JJS68FC.bat"
3⤵
- Deletes itself
PID:1528

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JJS68FC.bat
Filesize
303B

MD5
964c12119c7eefc6e4362d54eaff8878

SHA1
dd240c484c98e20b9afcacb7c0cfd83e4b3f5811

SHA256
26a73a329d048e5ebe61e3e64bc1ee490289870dc27eebf77d564ad81a9b131b

SHA512
495fe7b0adb8adb3e1856cf3a6119318f18fb941ed48152571ab5d757224a0ec2f41d49e1ae6d820a732d8b46a8724dd4c97aea41421f739a3875727cefa0b29

Download Submit
C:\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe
Filesize
309KB

MD5
9bf15454cda982856f90ff72ec05982d

SHA1
d44cba74ad5dc42dcf0f66412540efd348383031

SHA256
af62a4c5879af7888f83c66816983791874601154e3020f2caeb0aef00c0a065

SHA512
81fad580fb3005eb09e508c3f993c747b583316d5a941d8cb9b3936658699984b7f52cbf0ba6877b006ebcd89956d2c061f7b7c9e34c213ae80d25fdb7d1b61d

Download Submit
C:\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe
Filesize
309KB

MD5
9bf15454cda982856f90ff72ec05982d

SHA1
d44cba74ad5dc42dcf0f66412540efd348383031

SHA256
af62a4c5879af7888f83c66816983791874601154e3020f2caeb0aef00c0a065

SHA512
81fad580fb3005eb09e508c3f993c747b583316d5a941d8cb9b3936658699984b7f52cbf0ba6877b006ebcd89956d2c061f7b7c9e34c213ae80d25fdb7d1b61d

Download Submit
\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe
Filesize
309KB

MD5
9bf15454cda982856f90ff72ec05982d

SHA1
d44cba74ad5dc42dcf0f66412540efd348383031

SHA256
af62a4c5879af7888f83c66816983791874601154e3020f2caeb0aef00c0a065

SHA512
81fad580fb3005eb09e508c3f993c747b583316d5a941d8cb9b3936658699984b7f52cbf0ba6877b006ebcd89956d2c061f7b7c9e34c213ae80d25fdb7d1b61d

Download Submit
\Users\Admin\AppData\Roaming\Jynyyf\osympo.exe
Filesize
309KB

MD5
9bf15454cda982856f90ff72ec05982d

SHA1
d44cba74ad5dc42dcf0f66412540efd348383031

SHA256
af62a4c5879af7888f83c66816983791874601154e3020f2caeb0aef00c0a065

SHA512
81fad580fb3005eb09e508c3f993c747b583316d5a941d8cb9b3936658699984b7f52cbf0ba6877b006ebcd89956d2c061f7b7c9e34c213ae80d25fdb7d1b61d

Download Submit
memory/968-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/968-59-0x0000000000000000-mapping.dmp

Download
memory/1064-103-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1064-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1064-86-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1064-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1064-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-56-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-88-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1064-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-87-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1064-85-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1216-67-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1216-69-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1216-70-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1216-65-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1216-68-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1304-76-0x00000000001B0000-0x00000000001F9000-memory.dmp

Filesize
292KB

Download
memory/1304-75-0x00000000001B0000-0x00000000001F9000-memory.dmp

Filesize
292KB

Download
memory/1304-74-0x00000000001B0000-0x00000000001F9000-memory.dmp

Filesize
292KB

Download
memory/1304-73-0x00000000001B0000-0x00000000001F9000-memory.dmp

Filesize
292KB

Download
memory/1360-81-0x0000000002A70000-0x0000000002AB9000-memory.dmp

Filesize
292KB

Download
memory/1360-82-0x0000000002A70000-0x0000000002AB9000-memory.dmp

Filesize
292KB

Download
memory/1360-80-0x0000000002A70000-0x0000000002AB9000-memory.dmp

Filesize
292KB

Download
memory/1360-79-0x0000000002A70000-0x0000000002AB9000-memory.dmp

Filesize
292KB

Download
memory/1528-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1528-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1528-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1528-102-0x0000000000083B6A-mapping.dmp

Download
memory/1528-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1528-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1528-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1528-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads