a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9

General

Target

a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
Size

308KB
MD5

f32e5e1d8991cf5f9cc40f5512c91064
SHA1

ca5c1061a956378d516630bddae1d66d3b95ac76
SHA256

a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9
SHA512

7230524067dcddb4515f12ac97e468dc9021907169ac700e23daa6da1b492c63133dd1357c676e239da0677d9a1c75608b12b61dc2ec81ccb99f4d9af8c6cdd5
SSDEEP

6144:8/jcP+wbqV9GnOkiq7KzVsb/E99ijlXTIjSgDNymDTXYAqh:8KJb09GniqGSTJwx5jqh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xyrae.exe

pid process

432 xyrae.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

840 cmd.exe

pid	process
840	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe

pid	process
1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xyrae.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	xyrae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xyrae = "C:\\Users\\Admin\\AppData\\Roaming\\Teec\\xyrae.exe"	xyrae.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe

description pid process target process

PID 1660 set thread context of 840 1660 a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe cmd.exe

description	pid	process	target process
PID 1660 set thread context of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

xyrae.exe

pid	process
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe
432	xyrae.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exexyrae.exe

description	pid	process	target process
PID 1660 wrote to memory of 432	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	xyrae.exe
PID 1660 wrote to memory of 432	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	xyrae.exe
PID 1660 wrote to memory of 432	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	xyrae.exe
PID 1660 wrote to memory of 432	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	xyrae.exe
PID 432 wrote to memory of 1120	432	xyrae.exe	taskhost.exe
PID 432 wrote to memory of 1120	432	xyrae.exe	taskhost.exe
PID 432 wrote to memory of 1120	432	xyrae.exe	taskhost.exe
PID 432 wrote to memory of 1120	432	xyrae.exe	taskhost.exe
PID 432 wrote to memory of 1120	432	xyrae.exe	taskhost.exe
PID 432 wrote to memory of 1176	432	xyrae.exe	Dwm.exe
PID 432 wrote to memory of 1176	432	xyrae.exe	Dwm.exe
PID 432 wrote to memory of 1176	432	xyrae.exe	Dwm.exe
PID 432 wrote to memory of 1176	432	xyrae.exe	Dwm.exe
PID 432 wrote to memory of 1176	432	xyrae.exe	Dwm.exe
PID 432 wrote to memory of 1284	432	xyrae.exe	Explorer.EXE
PID 432 wrote to memory of 1284	432	xyrae.exe	Explorer.EXE
PID 432 wrote to memory of 1284	432	xyrae.exe	Explorer.EXE
PID 432 wrote to memory of 1284	432	xyrae.exe	Explorer.EXE
PID 432 wrote to memory of 1284	432	xyrae.exe	Explorer.EXE
PID 432 wrote to memory of 1660	432	xyrae.exe	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
PID 432 wrote to memory of 1660	432	xyrae.exe	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
PID 432 wrote to memory of 1660	432	xyrae.exe	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
PID 432 wrote to memory of 1660	432	xyrae.exe	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
PID 432 wrote to memory of 1660	432	xyrae.exe	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 1660 wrote to memory of 840	1660	a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe	cmd.exe
PID 432 wrote to memory of 1064	432	xyrae.exe	conhost.exe
PID 432 wrote to memory of 1064	432	xyrae.exe	conhost.exe
PID 432 wrote to memory of 1064	432	xyrae.exe	conhost.exe
PID 432 wrote to memory of 1064	432	xyrae.exe	conhost.exe
PID 432 wrote to memory of 1064	432	xyrae.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe
"C:\Users\Admin\AppData\Local\Temp\a0d1444453ddbc211602b0b9b3716327b9dc47a3af2b11cdd768d09aae8e9ee9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\Teec\xyrae.exe
"C:\Users\Admin\AppData\Roaming\Teec\xyrae.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\REMDE7.bat"
3⤵
- Deletes itself
PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5560738441279740831578272174-1726282380-151526859135097416519807809701913814061"
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REMDE7.bat
Filesize
302B

MD5
b2ea8c3507dd09bdb9a2c4525d80e4d1

SHA1
7ca7d9762b59cc784b5c8c4f77e78a915135f703

SHA256
94abbd11cb47a0a1e3447e180173caa19c328ff656331cc0db6bf5957e25efd5

SHA512
8f8f73c4dd4f920c77a3e02dcfcca5f4ebe5ef02574fcdaf263e133a99d003e7482f1f20c6681621d0eeff6b712768f65b04a5b17b3a41cedbd938829d08bde5

Download Submit
C:\Users\Admin\AppData\Roaming\Teec\xyrae.exe
Filesize
308KB

MD5
53412559729f4da679e117c498aab214

SHA1
14d725252d0404a9a202e5116ecfc62a700c012d

SHA256
27ff1a964976bdb8999811066e563c4ac4655099e344d7f94511c0d208a10105

SHA512
7c6c208c30c876c456414d4d7a1898d929347daf4e337fab7ba6d4269babd481924f9e6bba18e68b8e64ba32140e670c71ab77a7a5165d74ebd05b12b627e571

Download Submit
C:\Users\Admin\AppData\Roaming\Teec\xyrae.exe
Filesize
308KB

MD5
53412559729f4da679e117c498aab214

SHA1
14d725252d0404a9a202e5116ecfc62a700c012d

SHA256
27ff1a964976bdb8999811066e563c4ac4655099e344d7f94511c0d208a10105

SHA512
7c6c208c30c876c456414d4d7a1898d929347daf4e337fab7ba6d4269babd481924f9e6bba18e68b8e64ba32140e670c71ab77a7a5165d74ebd05b12b627e571

Download Submit
\Users\Admin\AppData\Roaming\Teec\xyrae.exe
Filesize
308KB

MD5
53412559729f4da679e117c498aab214

SHA1
14d725252d0404a9a202e5116ecfc62a700c012d

SHA256
27ff1a964976bdb8999811066e563c4ac4655099e344d7f94511c0d208a10105

SHA512
7c6c208c30c876c456414d4d7a1898d929347daf4e337fab7ba6d4269babd481924f9e6bba18e68b8e64ba32140e670c71ab77a7a5165d74ebd05b12b627e571

Download Submit
\Users\Admin\AppData\Roaming\Teec\xyrae.exe
Filesize
308KB

MD5
53412559729f4da679e117c498aab214

SHA1
14d725252d0404a9a202e5116ecfc62a700c012d

SHA256
27ff1a964976bdb8999811066e563c4ac4655099e344d7f94511c0d208a10105

SHA512
7c6c208c30c876c456414d4d7a1898d929347daf4e337fab7ba6d4269babd481924f9e6bba18e68b8e64ba32140e670c71ab77a7a5165d74ebd05b12b627e571

Download Submit
memory/432-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/432-59-0x0000000000000000-mapping.dmp

Download
memory/840-112-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/840-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/840-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/840-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/840-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/840-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-103-0x0000000000082ED8-mapping.dmp

Download
memory/840-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/840-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1064-117-0x0000000000140000-0x0000000000189000-memory.dmp

Filesize
292KB

Download
memory/1064-115-0x0000000000140000-0x0000000000189000-memory.dmp

Filesize
292KB

Download
memory/1064-116-0x0000000000140000-0x0000000000189000-memory.dmp

Filesize
292KB

Download
memory/1064-118-0x0000000000140000-0x0000000000189000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/1120-67-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001A10000-0x0000000001A59000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001A10000-0x0000000001A59000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001A10000-0x0000000001A59000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001A10000-0x0000000001A59000-memory.dmp

Filesize
292KB

Download
memory/1284-81-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1284-80-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1284-79-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1284-82-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1660-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-85-0x0000000002050000-0x0000000002099000-memory.dmp

Filesize
292KB

Download
memory/1660-87-0x0000000002050000-0x0000000002099000-memory.dmp

Filesize
292KB

Download
memory/1660-95-0x0000000002050000-0x0000000002099000-memory.dmp

Filesize
292KB

Download
memory/1660-86-0x0000000002050000-0x0000000002099000-memory.dmp

Filesize
292KB

Download
memory/1660-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-88-0x0000000002050000-0x0000000002099000-memory.dmp

Filesize
292KB

Download
memory/1660-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1660-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1660-56-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1660-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads