15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc

Analysis

max time kernel
204s
max time network
209s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Size

600KB
MD5

832782e8825d602ab1f56ef028a3a09f
SHA1

cdf038350ccef100415629ff7a8b17d5501c39a5
SHA256

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc
SHA512

dfe2c6af9adcd4237f23ac8d9b2e9688ab49c778c5403f008ec96ad96a3db3031b869adb12897037ccf0ec2d8fe99a699efb5e5c4ef5143f083747d7d0f76a9f
SSDEEP

6144:xKkuO2YCt6BXyo04xS3O4F/6xOb2FxY2Fh12RrJJUzvtuQZ7TOLWxYV/8LTLEvZz:x4l3OJxOUShezvMQZy+26GZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ryago.exeryago.exe

pid process

428 ryago.exe
1880 ryago.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1920 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe

pid process

1960 15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe

pid	process
428	ryago.exe
1880	ryago.exe

pid	process
1920	cmd.exe

pid	process
1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ryago.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ryago.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Iwygyfxi = "C:\\Users\\Admin\\AppData\\Roaming\\Vaitpa\\ryago.exe"	ryago.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exeryago.exe

description	pid	process	target process
PID 1788 set thread context of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 set thread context of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 428 set thread context of 1692	428	ryago.exe	AppLaunch.exe
PID 428 set thread context of 1880	428	ryago.exe	ryago.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exeryago.exeryago.exe

pid	process
1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
428	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe
1880	ryago.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exeryago.exe

description	pid	process
Token: SeDebugPrivilege	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Token: SeSecurityPrivilege	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Token: SeSecurityPrivilege	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
Token: SeDebugPrivilege	428	ryago.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exeryago.exe

description	pid	process	target process
PID 1788 wrote to memory of 1664	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1664	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1664	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1664	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1308	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1308	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1308	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1308	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	CMD.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 1384	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	AppLaunch.exe
PID 1788 wrote to memory of 620	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 620	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 620	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 620	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1788 wrote to memory of 1960	1788	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
PID 1960 wrote to memory of 428	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	ryago.exe
PID 1960 wrote to memory of 428	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	ryago.exe
PID 1960 wrote to memory of 428	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	ryago.exe
PID 1960 wrote to memory of 428	1960	15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe	ryago.exe
PID 428 wrote to memory of 1868	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 1868	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 1868	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 1868	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 2024	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 2024	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 2024	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 2024	428	ryago.exe	CMD.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1692	428	ryago.exe	AppLaunch.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe
PID 428 wrote to memory of 1880	428	ryago.exe	ryago.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
"C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:1664

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
3⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
"C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe"
3⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe
"C:\Users\Admin\AppData\Local\Temp\15b2e980e1d6df1df0918d5c504eafd037900aab654215847735f46b5900b5dc.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
"C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:1868

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
5⤵
PID:1692

C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
"C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfc16bd5c.bat"
4⤵
- Deletes itself
PID:1920

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
Filesize
834B

MD5
2f9af8e0d783cfa432c7041713c8f5ee

SHA1
974e325ade4fd9e3f450913e8269c78d1ef4836a

SHA256
b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3

SHA512
3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_500F57EEC9E626F78EE636E0FA5E7AFB
Filesize
1KB

MD5
975da2aaca74674764b7ea4c9a46ee7b

SHA1
b0229072db3f1e15b6394ad1421e65e48a12a801

SHA256
b84f10911c85d2fb4ce3c9bc488d782e5f6ed970f5ac320758c6323fbfe7ae96

SHA512
68ef6db79116a2f4d14fc28177b5b62988ca510259995fb86cac0e82b3230949207750bf0f87cda8497783be2642521d8ebfc0c28e647cbc07d480881a219d21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
404B

MD5
9b99dde5b79a6094e28c9d4eb257296e

SHA1
00aee3873784173438ac68f80217b5d2e991174b

SHA256
45252d91529412a8bd9059244f72d054759451c295d0c01ac5c48f83f4278190

SHA512
2d15e1477134a2923cab63080e177ce9946f6d486edafb5fabf3c5de6545e446f23ae1b9a45615c455fe202e4c9f5e0bf34405572a8008274b0802e5afe123db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
Filesize
188B

MD5
d8e087bf9fbd91b56402745c4361658d

SHA1
f89c0b4df8d1ade996d68fc12fba4150ae29d7de

SHA256
c7b38ec747cbfc83a932c58e6f632bcb9fdef91168669fb4161782323693b237

SHA512
a74cae814a3b2eeca099c480dd7dbf1199f024ddff4e91e4d5d81fbf6d1434521f4203b9cebb4e7d10ec161f86d2e7c2002e51b431899c601a2faade9b07b630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
42188094caa9087f1d525b5337bb16fe

SHA1
817bb8dd6c5a750e5ab886b2da1372461e04614e

SHA256
74be786765e885f1b5c1884a52b9381d340e225999dce4a61719c17aeb57a749

SHA512
7c7b9801cb3ea4e09d7bdd43157f3e695386c7aeb32a5658545ae4984f4b67e848ba6b972ea2f852417e0a2dd7d1efabac9a89ed0a68b1c00bf59d31ccb1165d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_500F57EEC9E626F78EE636E0FA5E7AFB
Filesize
394B

MD5
96c84bad42d0a7d7770bdd4bb5d030a1

SHA1
df8bd0bca25f8f5532616d3693a6fd2547b2dd09

SHA256
3387671a50d6e49ddeda85b554e35a15ae39671e0ad35fe028480cfbbc45cd27

SHA512
53a3a9644a78537561dcddd5371a762a6c4f2fdc3ec2787f7bdf08a4b98f73fee067333272836ba5c694d0b198a2d787359285f26c691f76c7901caefb91d9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfc16bd5c.bat
Filesize
307B

MD5
a78c5e69233b2e70900b80a438f9cb94

SHA1
9e7675f366bb4641155c3e53f21d4206231589e2

SHA256
0df327cb98e74e2e8f475335961de21419533ae978f013f10b308e183e84d599

SHA512
1141f4a1c28f314149e06baf3d4ae8070854fe79d47599eb5e40d32610ae222534d242fd9888391e12bbc429c3c8a54bcff2054e713a3726d56e5098fc0cf83b

Download Submit
C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
Filesize
600KB

MD5
26972fc6fdcfd3c37fd6b0c11cdef6ec

SHA1
4822cc56f3c51e04db6a47a32d99e9e54be76211

SHA256
86eca8dcafcb5a5db1001ea5ec2cf42baea21f13ff6933e3da1d4575e444d4cb

SHA512
5dee7ccb8612e94c87f10aa03fa7598b7163b3776c1ea414bebb607aec48b2e552983c24869d901e01c17ae4849c0954dc77127eeb56dbf124a3fd10cf69fe02

Download Submit
C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
Filesize
600KB

MD5
26972fc6fdcfd3c37fd6b0c11cdef6ec

SHA1
4822cc56f3c51e04db6a47a32d99e9e54be76211

SHA256
86eca8dcafcb5a5db1001ea5ec2cf42baea21f13ff6933e3da1d4575e444d4cb

SHA512
5dee7ccb8612e94c87f10aa03fa7598b7163b3776c1ea414bebb607aec48b2e552983c24869d901e01c17ae4849c0954dc77127eeb56dbf124a3fd10cf69fe02

Download Submit
C:\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
Filesize
600KB

MD5
26972fc6fdcfd3c37fd6b0c11cdef6ec

SHA1
4822cc56f3c51e04db6a47a32d99e9e54be76211

SHA256
86eca8dcafcb5a5db1001ea5ec2cf42baea21f13ff6933e3da1d4575e444d4cb

SHA512
5dee7ccb8612e94c87f10aa03fa7598b7163b3776c1ea414bebb607aec48b2e552983c24869d901e01c17ae4849c0954dc77127eeb56dbf124a3fd10cf69fe02

Download Submit
\Users\Admin\AppData\Roaming\Vaitpa\ryago.exe
Filesize
600KB

MD5
26972fc6fdcfd3c37fd6b0c11cdef6ec

SHA1
4822cc56f3c51e04db6a47a32d99e9e54be76211

SHA256
86eca8dcafcb5a5db1001ea5ec2cf42baea21f13ff6933e3da1d4575e444d4cb

SHA512
5dee7ccb8612e94c87f10aa03fa7598b7163b3776c1ea414bebb607aec48b2e552983c24869d901e01c17ae4849c0954dc77127eeb56dbf124a3fd10cf69fe02

Download Submit
memory/428-138-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/428-127-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/428-97-0x0000000000000000-mapping.dmp

Download
memory/1308-58-0x0000000000000000-mapping.dmp

Download
memory/1384-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-66-0x000000000042B055-mapping.dmp

Download
memory/1384-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1664-57-0x0000000000000000-mapping.dmp

Download
memory/1692-117-0x000000000042B055-mapping.dmp

Download
memory/1692-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-122-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1788-56-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-55-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-85-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1868-108-0x0000000000000000-mapping.dmp

Download
memory/1880-135-0x000000000042B055-mapping.dmp

Download
memory/1880-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-141-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-143-0x0000000000000000-mapping.dmp

Download
memory/1960-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-83-0x000000000042B055-mapping.dmp

Download
memory/1960-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-94-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2024-109-0x0000000000000000-mapping.dmp

Download