b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd

General

Target

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
Size

321KB
MD5

59e8f070a9bdd632360c1d6d4613cfca
SHA1

2b24b8f443799e0671f64d6de75e1cc0329c953c
SHA256

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd
SHA512

c9a7b5559e912de1e592d652c334d304b1a498cf5299b17b9176bb05720601ce64489bdad50958950bc770e76a4733f4c441f63e1ac30ee9ada7f3a853cf3356
SSDEEP

6144:Pw1NvVVPK/P7jIx0b6sy9JyvoP4jnRmhOzBrknTL7cuEBd9SV:iB3KHAf7Jyv+4jR/zGnTL7PEFSV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

oryvaz.exe

pid process

4984 oryvaz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oryvaz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	oryvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oryvaz = "C:\\Users\\Admin\\AppData\\Roaming\\Huim\\oryvaz.exe"	oryvaz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

description	pid	process	target process
PID 1756 set thread context of 1432	1756	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

oryvaz.exe

pid	process
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe
4984	oryvaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exeoryvaz.exe

description	pid	process	target process
PID 1756 wrote to memory of 4984	1756	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	oryvaz.exe
PID 1756 wrote to memory of 4984	1756	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	oryvaz.exe
PID 1756 wrote to memory of 4984	1756	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe	oryvaz.exe
PID 4984 wrote to memory of 2324	4984	oryvaz.exe	sihost.exe
PID 4984 wrote to memory of 2324	4984	oryvaz.exe	sihost.exe
PID 4984 wrote to memory of 2324	4984	oryvaz.exe	sihost.exe
PID 4984 wrote to memory of 2324	4984	oryvaz.exe	sihost.exe
PID 4984 wrote to memory of 2324	4984	oryvaz.exe	sihost.exe
PID 4984 wrote to memory of 2340	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 2340	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 2340	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 2340	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 2340	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 2436	4984	oryvaz.exe	taskhostw.exe
PID 4984 wrote to memory of 2436	4984	oryvaz.exe	taskhostw.exe
PID 4984 wrote to memory of 2436	4984	oryvaz.exe	taskhostw.exe
PID 4984 wrote to memory of 2436	4984	oryvaz.exe	taskhostw.exe
PID 4984 wrote to memory of 2436	4984	oryvaz.exe	taskhostw.exe
PID 4984 wrote to memory of 3048	4984	oryvaz.exe	Explorer.EXE
PID 4984 wrote to memory of 3048	4984	oryvaz.exe	Explorer.EXE
PID 4984 wrote to memory of 3048	4984	oryvaz.exe	Explorer.EXE
PID 4984 wrote to memory of 3048	4984	oryvaz.exe	Explorer.EXE
PID 4984 wrote to memory of 3048	4984	oryvaz.exe	Explorer.EXE
PID 4984 wrote to memory of 3092	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 3092	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 3092	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 3092	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 3092	4984	oryvaz.exe	svchost.exe
PID 4984 wrote to memory of 3276	4984	oryvaz.exe	DllHost.exe
PID 4984 wrote to memory of 3276	4984	oryvaz.exe	DllHost.exe
PID 4984 wrote to memory of 3276	4984	oryvaz.exe	DllHost.exe
PID 4984 wrote to memory of 3276	4984	oryvaz.exe	DllHost.exe
PID 4984 wrote to memory of 3276	4984	oryvaz.exe	DllHost.exe
PID 4984 wrote to memory of 3372	4984	oryvaz.exe	StartMenuExperienceHost.exe
PID 4984 wrote to memory of 3372	4984	oryvaz.exe	StartMenuExperienceHost.exe
PID 4984 wrote to memory of 3372	4984	oryvaz.exe	StartMenuExperienceHost.exe
PID 4984 wrote to memory of 3372	4984	oryvaz.exe	StartMenuExperienceHost.exe
PID 4984 wrote to memory of 3372	4984	oryvaz.exe	StartMenuExperienceHost.exe
PID 4984 wrote to memory of 3436	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3436	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3436	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3436	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3436	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3520	4984	oryvaz.exe	SearchApp.exe
PID 4984 wrote to memory of 3520	4984	oryvaz.exe	SearchApp.exe
PID 4984 wrote to memory of 3520	4984	oryvaz.exe	SearchApp.exe
PID 4984 wrote to memory of 3520	4984	oryvaz.exe	SearchApp.exe
PID 4984 wrote to memory of 3520	4984	oryvaz.exe	SearchApp.exe
PID 4984 wrote to memory of 3748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 3748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4748	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4324	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4324	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4324	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4324	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 4324	4984	oryvaz.exe	RuntimeBroker.exe
PID 4984 wrote to memory of 1756	4984	oryvaz.exe	b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe
"C:\Users\Admin\AppData\Local\Temp\b079a64137c6696c5ffb96a2b19d337772d9a7e304efa8e50d3093bdac20f7cd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Huim\oryvaz.exe
"C:\Users\Admin\AppData\Roaming\Huim\oryvaz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VTT5BCE.bat"
3⤵
PID:1432

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VTT5BCE.bat
Filesize
303B

MD5
55663bf56090872f94f07dd8348bfe2e

SHA1
2331f6b488bff3607ba842cd27064137c70ab7c6

SHA256
7c27f160cc9b4dc85cbb51cfd63226241b21a7ac7f9e9ca057a3befde0d86b8a

SHA512
3e351d83221d4a9cee144dff3258776e928db8f0992ad2b2d6ed71003a7b0a279d14b1dfa19386f2817aeaf0b07655967a9195c50e9f4aa0a0f703bcd80dc3cb

Download Submit
C:\Users\Admin\AppData\Roaming\Huim\oryvaz.exe
Filesize
321KB

MD5
66012c9687ff237a35dcb4ef235ade14

SHA1
2e3c46b66ac5615e53dde07533e44e3c6410c2ef

SHA256
471f70ff99cb207830bd7bf6330788537040b6d28d122306677a12444252ad70

SHA512
1bd32075ec0c1f7f42190dbe1bcb53b6386bab1f5bd04edd7dcde86a7f03e298faa200c588e89159a3d328dc2d17094d01aafa60acbde3759ba3a834c5ecfa24

Download Submit
C:\Users\Admin\AppData\Roaming\Huim\oryvaz.exe
Filesize
321KB

MD5
66012c9687ff237a35dcb4ef235ade14

SHA1
2e3c46b66ac5615e53dde07533e44e3c6410c2ef

SHA256
471f70ff99cb207830bd7bf6330788537040b6d28d122306677a12444252ad70

SHA512
1bd32075ec0c1f7f42190dbe1bcb53b6386bab1f5bd04edd7dcde86a7f03e298faa200c588e89159a3d328dc2d17094d01aafa60acbde3759ba3a834c5ecfa24

Download Submit
memory/1432-159-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-160-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-166-0x0000000000BA0000-0x0000000000BE8000-memory.dmp

Filesize
288KB

Download
memory/1432-164-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-163-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-162-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-161-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1432-154-0x0000000000BA0000-0x0000000000BE8000-memory.dmp

Filesize
288KB

Download
memory/1432-153-0x0000000000000000-mapping.dmp

Download
memory/1756-136-0x0000000000442000-0x0000000000445000-memory.dmp

Filesize
12KB

Download
memory/1756-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-137-0x0000000000445000-0x0000000000448000-memory.dmp

Filesize
12KB

Download
memory/1756-156-0x0000000003570000-0x00000000035B8000-memory.dmp

Filesize
288KB

Download
memory/1756-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1756-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1756-135-0x000000000043F000-0x0000000000442000-memory.dmp

Filesize
12KB

Download
memory/1756-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1756-138-0x0000000000401000-0x000000000043F000-memory.dmp

Filesize
248KB

Download
memory/4984-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-139-0x0000000000000000-mapping.dmp

Download
memory/4984-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads