b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd

General

Target

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
Size

321KB
MD5

59e8f070a9bdd632360c1d6d4613cfca
SHA1

2b24b8f443799e0671f64d6de75e1cc0329c953c
SHA256

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd
SHA512

c9a7b5559e912de1e592d652c334d304b1a498cf5299b17b9176bb05720601ce64489bdad50958950bc770e76a4733f4c441f63e1ac30ee9ada7f3a853cf3356
SSDEEP

6144:Pw1NvVVPK/P7jIx0b6sy9JyvoP4jnRmhOzBrknTL7cuEBd9SV:iB3KHAf7Jyv+4jR/zGnTL7PEFSV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ufxuw.exe

pid process

1768 ufxuw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

852 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

pid process

1104 b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

pid	process
852	cmd.exe

pid	process
1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ufxuw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ufxuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ufxuw = "C:\\Users\\Admin\\AppData\\Roaming\\Zydar\\ufxuw.exe"	ufxuw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

description pid process target process

PID 1104 set thread context of 852 1104 b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe cmd.exe

description	pid	process	target process
PID 1104 set thread context of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ufxuw.exe

pid	process
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe
1768	ufxuw.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exeufxuw.exe

pid process

1104 b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
1768 ufxuw.exe

pid	process
1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
1768	ufxuw.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exeufxuw.exe

description	pid	process	target process
PID 1104 wrote to memory of 1768	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	ufxuw.exe
PID 1104 wrote to memory of 1768	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	ufxuw.exe
PID 1104 wrote to memory of 1768	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	ufxuw.exe
PID 1104 wrote to memory of 1768	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	ufxuw.exe
PID 1768 wrote to memory of 1156	1768	ufxuw.exe	taskhost.exe
PID 1768 wrote to memory of 1156	1768	ufxuw.exe	taskhost.exe
PID 1768 wrote to memory of 1156	1768	ufxuw.exe	taskhost.exe
PID 1768 wrote to memory of 1156	1768	ufxuw.exe	taskhost.exe
PID 1768 wrote to memory of 1156	1768	ufxuw.exe	taskhost.exe
PID 1768 wrote to memory of 1228	1768	ufxuw.exe	Dwm.exe
PID 1768 wrote to memory of 1228	1768	ufxuw.exe	Dwm.exe
PID 1768 wrote to memory of 1228	1768	ufxuw.exe	Dwm.exe
PID 1768 wrote to memory of 1228	1768	ufxuw.exe	Dwm.exe
PID 1768 wrote to memory of 1228	1768	ufxuw.exe	Dwm.exe
PID 1768 wrote to memory of 1256	1768	ufxuw.exe	Explorer.EXE
PID 1768 wrote to memory of 1256	1768	ufxuw.exe	Explorer.EXE
PID 1768 wrote to memory of 1256	1768	ufxuw.exe	Explorer.EXE
PID 1768 wrote to memory of 1256	1768	ufxuw.exe	Explorer.EXE
PID 1768 wrote to memory of 1256	1768	ufxuw.exe	Explorer.EXE
PID 1768 wrote to memory of 1104	1768	ufxuw.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
PID 1768 wrote to memory of 1104	1768	ufxuw.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
PID 1768 wrote to memory of 1104	1768	ufxuw.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
PID 1768 wrote to memory of 1104	1768	ufxuw.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
PID 1768 wrote to memory of 1104	1768	ufxuw.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe
PID 1104 wrote to memory of 852	1104	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
"C:\Users\Admin\AppData\Local\Temp\b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\Zydar\ufxuw.exe
"C:\Users\Admin\AppData\Roaming\Zydar\ufxuw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\XUADE79.bat"
2⤵
- Deletes itself
PID:852

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XUADE79.bat
Filesize
303B

MD5
ae1f24aa97c32fd7fcd233ad6012374a

SHA1
0c7a65aeeb18a9bd0a3620b66cae013bfbbff558

SHA256
0f9e18752a7f6d9e6fb3377ba34f2e765f88abdc144f1a5b8e1d0a5555730370

SHA512
7661ee6676e615c10dbedd22e3ad8c24ef1cc4afcebe24d49d23698e44228d351bbfd7d54c02c69584983737544f42e1f2ccc56219aeb053e0263689155cec61

Download Submit
C:\Users\Admin\AppData\Roaming\Zydar\ufxuw.exe
Filesize
321KB

MD5
2d4d512100ec45decc6d5a3af93d7aab

SHA1
4395d2ae8cec429498fe304dde2c4ea7e6b05879

SHA256
3ccc1251c80beebf73f82d25309398673b8c773e722c1248603953b67610fab5

SHA512
79f44fcba46201c7778a7d50e00af205737ef0e5526b47ebe193655857f7566f1c376c438fccdec3114dcdb6394bfa626bed8432bf90770d2479557fd2151664

Download Submit
C:\Users\Admin\AppData\Roaming\Zydar\ufxuw.exe
Filesize
321KB

MD5
2d4d512100ec45decc6d5a3af93d7aab

SHA1
4395d2ae8cec429498fe304dde2c4ea7e6b05879

SHA256
3ccc1251c80beebf73f82d25309398673b8c773e722c1248603953b67610fab5

SHA512
79f44fcba46201c7778a7d50e00af205737ef0e5526b47ebe193655857f7566f1c376c438fccdec3114dcdb6394bfa626bed8432bf90770d2479557fd2151664

Download Submit
\Users\Admin\AppData\Roaming\Zydar\ufxuw.exe
Filesize
321KB

MD5
2d4d512100ec45decc6d5a3af93d7aab

SHA1
4395d2ae8cec429498fe304dde2c4ea7e6b05879

SHA256
3ccc1251c80beebf73f82d25309398673b8c773e722c1248603953b67610fab5

SHA512
79f44fcba46201c7778a7d50e00af205737ef0e5526b47ebe193655857f7566f1c376c438fccdec3114dcdb6394bfa626bed8432bf90770d2479557fd2151664

Download Submit
memory/852-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-107-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/852-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-122-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/852-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/852-110-0x000000000006BDA4-mapping.dmp

Download
memory/852-105-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/852-109-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/852-108-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1104-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-93-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1104-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1104-57-0x000000000043F000-0x0000000000442000-memory.dmp

Filesize
12KB

Download
memory/1104-58-0x0000000000442000-0x0000000000445000-memory.dmp

Filesize
12KB

Download
memory/1104-59-0x0000000000445000-0x0000000000448000-memory.dmp

Filesize
12KB

Download
memory/1104-60-0x0000000000401000-0x000000000043F000-memory.dmp

Filesize
248KB

Download
memory/1104-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-98-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1104-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1104-96-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1104-95-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1104-94-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1104-112-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1104-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1156-78-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/1156-77-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/1156-75-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/1156-73-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/1156-76-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/1228-84-0x0000000001E40000-0x0000000001E88000-memory.dmp

Filesize
288KB

Download
memory/1228-81-0x0000000001E40000-0x0000000001E88000-memory.dmp

Filesize
288KB

Download
memory/1228-82-0x0000000001E40000-0x0000000001E88000-memory.dmp

Filesize
288KB

Download
memory/1228-83-0x0000000001E40000-0x0000000001E88000-memory.dmp

Filesize
288KB

Download
memory/1256-90-0x0000000003E00000-0x0000000003E48000-memory.dmp

Filesize
288KB

Download
memory/1256-89-0x0000000003E00000-0x0000000003E48000-memory.dmp

Filesize
288KB

Download
memory/1256-88-0x0000000003E00000-0x0000000003E48000-memory.dmp

Filesize
288KB

Download
memory/1256-87-0x0000000003E00000-0x0000000003E48000-memory.dmp

Filesize
288KB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/1768-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-123-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads