46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc

General

Target

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
Size

342KB
MD5

d316e488cc86db952c066847377a6eed
SHA1

f655ef395e8bb7368403714c701f9321fae1d0c9
SHA256

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc
SHA512

02ce394144943ff9a980ca3123abc8adc656fe7d02842fbe88f2b10439507b3dac479d8acf3473b251389ac87503be5ed44603cee1e2d9d9ba82661437a37f8f
SSDEEP

6144:klLPIE+U7heLUNbzwfz6XxWXPShX3WNVllmImGIzGAhGXU:qbIE+Ud/kfS0ShnW7JmGIzBQXU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

myel.exemyel.exe

pid process

364 myel.exe
524 myel.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1748 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

pid process

1524 46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

pid	process
364	myel.exe
524	myel.exe

pid	process
1748	cmd.exe

pid	process
1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

myel.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{23259A54-98F9-C11A-23B0-26C0DDDD6F30} = "C:\\Users\\Admin\\AppData\\Roaming\\Oslii\\myel.exe"	myel.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	myel.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exemyel.exe

description	pid	process	target process
PID 1328 set thread context of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 364 set thread context of 524	364	myel.exe	myel.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

myel.exe

pid	process
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe
524	myel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exemyel.exe

pid process

1328 46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
364 myel.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

description pid process

Token: SeSecurityPrivilege 1524 46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

pid	process
1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
364	myel.exe

description	pid	process
Token: SeSecurityPrivilege	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exemyel.exemyel.exe

description	pid	process	target process
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1328 wrote to memory of 1524	1328	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
PID 1524 wrote to memory of 364	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	myel.exe
PID 1524 wrote to memory of 364	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	myel.exe
PID 1524 wrote to memory of 364	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	myel.exe
PID 1524 wrote to memory of 364	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 364 wrote to memory of 524	364	myel.exe	myel.exe
PID 524 wrote to memory of 1112	524	myel.exe	taskhost.exe
PID 524 wrote to memory of 1112	524	myel.exe	taskhost.exe
PID 524 wrote to memory of 1112	524	myel.exe	taskhost.exe
PID 524 wrote to memory of 1112	524	myel.exe	taskhost.exe
PID 524 wrote to memory of 1112	524	myel.exe	taskhost.exe
PID 524 wrote to memory of 1172	524	myel.exe	Dwm.exe
PID 1524 wrote to memory of 1748	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	cmd.exe
PID 1524 wrote to memory of 1748	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	cmd.exe
PID 1524 wrote to memory of 1748	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	cmd.exe
PID 1524 wrote to memory of 1748	1524	46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe	cmd.exe
PID 524 wrote to memory of 1172	524	myel.exe	Dwm.exe
PID 524 wrote to memory of 1172	524	myel.exe	Dwm.exe
PID 524 wrote to memory of 1172	524	myel.exe	Dwm.exe
PID 524 wrote to memory of 1172	524	myel.exe	Dwm.exe
PID 524 wrote to memory of 1200	524	myel.exe	Explorer.EXE
PID 524 wrote to memory of 1200	524	myel.exe	Explorer.EXE
PID 524 wrote to memory of 1200	524	myel.exe	Explorer.EXE
PID 524 wrote to memory of 1200	524	myel.exe	Explorer.EXE
PID 524 wrote to memory of 1200	524	myel.exe	Explorer.EXE
PID 524 wrote to memory of 1748	524	myel.exe	cmd.exe
PID 524 wrote to memory of 1144	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1144	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1144	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1144	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1144	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1948	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1948	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1948	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1948	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1948	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1584	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1584	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1584	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1584	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 1584	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 816	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 816	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 816	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 816	524	myel.exe	DllHost.exe
PID 524 wrote to memory of 816	524	myel.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
"C:\Users\Admin\AppData\Local\Temp\46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe
"C:\Users\Admin\AppData\Local\Temp\46eec0773ad77776ea476cc5ed535bb8350bf7ab0d8ac2c77e725df1fb20eacc.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\Oslii\myel.exe
"C:\Users\Admin\AppData\Roaming\Oslii\myel.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Roaming\Oslii\myel.exe
"C:\Users\Admin\AppData\Roaming\Oslii\myel.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp31f8724f.bat"
4⤵
- Deletes itself
PID:1748

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31f8724f.bat
Filesize
307B

MD5
3df4a5d746a043c42334d683a87ecf50

SHA1
3530971c4ca5c317c8e57711f5d484ce089d86b4

SHA256
8d46688173bfd64d53990e67f24cc87f27b245c4e2387e65428b6201279c5d84

SHA512
c214859c84b786111067fe9366fe476487297cdae5d58a2b384afd7514569b53a427b2991143f83e89ccdd769b8cbe956fbff0efd2619029fc3b7acd9f41a3fc

Download Submit
C:\Users\Admin\AppData\Roaming\Oslii\myel.exe
Filesize
342KB

MD5
055322846c708a2aa955ed80565231f6

SHA1
1215b99d8a4228ce4921f74cc573b83a6e22a3a1

SHA256
ed2fafc2fdfa0da48eec19c9a81c43b8567519a703d1b8e049beabe908976d01

SHA512
d6f5f3595b57f115fa809a44fa75296db402532f9baa92a82b774e86d63c77c69340b2236e290ea74989a2047cc83bc8d89d84792430e182aa04addc772cb34c

Download Submit
C:\Users\Admin\AppData\Roaming\Oslii\myel.exe
Filesize
342KB

MD5
055322846c708a2aa955ed80565231f6

SHA1
1215b99d8a4228ce4921f74cc573b83a6e22a3a1

SHA256
ed2fafc2fdfa0da48eec19c9a81c43b8567519a703d1b8e049beabe908976d01

SHA512
d6f5f3595b57f115fa809a44fa75296db402532f9baa92a82b774e86d63c77c69340b2236e290ea74989a2047cc83bc8d89d84792430e182aa04addc772cb34c

Download Submit
C:\Users\Admin\AppData\Roaming\Oslii\myel.exe
Filesize
342KB

MD5
055322846c708a2aa955ed80565231f6

SHA1
1215b99d8a4228ce4921f74cc573b83a6e22a3a1

SHA256
ed2fafc2fdfa0da48eec19c9a81c43b8567519a703d1b8e049beabe908976d01

SHA512
d6f5f3595b57f115fa809a44fa75296db402532f9baa92a82b774e86d63c77c69340b2236e290ea74989a2047cc83bc8d89d84792430e182aa04addc772cb34c

Download Submit
\Users\Admin\AppData\Roaming\Oslii\myel.exe
Filesize
342KB

MD5
055322846c708a2aa955ed80565231f6

SHA1
1215b99d8a4228ce4921f74cc573b83a6e22a3a1

SHA256
ed2fafc2fdfa0da48eec19c9a81c43b8567519a703d1b8e049beabe908976d01

SHA512
d6f5f3595b57f115fa809a44fa75296db402532f9baa92a82b774e86d63c77c69340b2236e290ea74989a2047cc83bc8d89d84792430e182aa04addc772cb34c

Download Submit
memory/364-68-0x0000000000000000-mapping.dmp

Download
memory/524-119-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/524-99-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/524-78-0x0000000000416D95-mapping.dmp

Download
memory/816-129-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/816-128-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/816-130-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/816-131-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1112-87-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1112-86-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1112-85-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1112-88-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1144-112-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1144-111-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1144-110-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1144-109-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1172-96-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1172-91-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1172-93-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1172-95-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1200-100-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1200-101-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1200-102-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1200-103-0x00000000029C0000-0x00000000029E7000-memory.dmp

Filesize
156KB

Download
memory/1328-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1524-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-62-0x0000000000416D95-mapping.dmp

Download
memory/1524-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-94-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1524-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1584-122-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1584-125-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1584-124-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1584-123-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1748-92-0x0000000000000000-mapping.dmp

Download
memory/1948-118-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1948-117-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1948-116-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1948-115-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads