2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937

General

Target

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
Size

391KB
MD5

8d075f98d22c930bd92b5d9f01899fe6
SHA1

b38a61958617c13bcdca9956e05b4cf5b1ca6dc2
SHA256

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937
SHA512

3a684bcbb084b3c77b934f9411ab59f4fa0000f407f2fa3b9b39cf8acdcdfe3873da7231f7ef8f50574746517e34427e756b806db24d61a1122759a274c98dc9
SSDEEP

6144:XAmQQ7/pjykp5+BV8EAEKd1vgmFv6KZf7iMcQCJwvAynaN0mHU766t2EUHEm1:XZ7/RpsV8EAXIc66fa+AyI07dikC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

kyof.exekyof.exe

pid process

2032 kyof.exe
2000 kyof.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

320 cmd.exe

pid	process
2032	kyof.exe
2000	kyof.exe

pid	process
320	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exekyof.exe

pid	process
1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
2032	kyof.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kyof.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	kyof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kyof = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Urer\\kyof.exe"	kyof.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exekyof.exe

description	pid	process	target process
PID 1208 set thread context of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 2032 set thread context of 2000	2032	kyof.exe	kyof.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exekyof.exe

pid	process
1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe
2000	kyof.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exekyof.exekyof.exe

description	pid	process	target process
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1208 wrote to memory of 1732	1208	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
PID 1732 wrote to memory of 2032	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	kyof.exe
PID 1732 wrote to memory of 2032	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	kyof.exe
PID 1732 wrote to memory of 2032	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	kyof.exe
PID 1732 wrote to memory of 2032	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 2032 wrote to memory of 2000	2032	kyof.exe	kyof.exe
PID 1732 wrote to memory of 320	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	cmd.exe
PID 1732 wrote to memory of 320	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	cmd.exe
PID 1732 wrote to memory of 320	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	cmd.exe
PID 1732 wrote to memory of 320	1732	2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe	cmd.exe
PID 2000 wrote to memory of 1256	2000	kyof.exe	taskhost.exe
PID 2000 wrote to memory of 1256	2000	kyof.exe	taskhost.exe
PID 2000 wrote to memory of 1256	2000	kyof.exe	taskhost.exe
PID 2000 wrote to memory of 1256	2000	kyof.exe	taskhost.exe
PID 2000 wrote to memory of 1256	2000	kyof.exe	taskhost.exe
PID 2000 wrote to memory of 1332	2000	kyof.exe	Dwm.exe
PID 2000 wrote to memory of 1332	2000	kyof.exe	Dwm.exe
PID 2000 wrote to memory of 1332	2000	kyof.exe	Dwm.exe
PID 2000 wrote to memory of 1332	2000	kyof.exe	Dwm.exe
PID 2000 wrote to memory of 1332	2000	kyof.exe	Dwm.exe
PID 2000 wrote to memory of 1388	2000	kyof.exe	Explorer.EXE
PID 2000 wrote to memory of 1388	2000	kyof.exe	Explorer.EXE
PID 2000 wrote to memory of 1388	2000	kyof.exe	Explorer.EXE
PID 2000 wrote to memory of 1388	2000	kyof.exe	Explorer.EXE
PID 2000 wrote to memory of 1388	2000	kyof.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
"C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe
"C:\Users\Admin\AppData\Local\Temp\2eeeff87458a58f332b8a472432362da26c74caaa26ee18c3ed9a6fb4174b937.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
"C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
"C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BUZE2F7.bat"
4⤵
- Deletes itself
PID:320

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BUZE2F7.bat
Filesize
276B

MD5
7f80c67b85ead391904115ec14c450c9

SHA1
31dc23e6f8c9f01985b6309afd54a6deeeb11dd9

SHA256
84946c43e5ad67bf09cbfd2c07755fcb70b42b6a06a8ffe3eb0a30659ffb8f0f

SHA512
f5ad12397d4937c1482d70f7a29b9c8d3bb325b5975958c87fb0ac0f14f8d9e31d42124ab1af125e8f71c8546d171b760abf0cd335bf471f1a88b8aa91627a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
\Users\Admin\AppData\Local\Temp\Urer\kyof.exe
Filesize
391KB

MD5
9a7da5fbc594e963219d2b10336a402c

SHA1
77abc254a12aade2f330e38c5c6a7715f5b8a1d1

SHA256
99291ea00e0a9fdbf746dd2f8eebeffdc05476979833d7b480562ea091d713a5

SHA512
c70773f38d7b1a45e5217570053513259187244b19b9a0b9ff266a3312b04884d55d19959b9f61001a3baaf8f08fc84f90243840fc7d1efb16d465298aee23d5

Download Submit
memory/320-92-0x0000000000000000-mapping.dmp

Download
memory/1208-67-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1256-99-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1256-100-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1256-98-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1256-97-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1332-106-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1332-103-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1332-104-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1332-105-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1388-109-0x0000000002A50000-0x0000000002A92000-memory.dmp

Filesize
264KB

Download
memory/1388-110-0x0000000002A50000-0x0000000002A92000-memory.dmp

Filesize
264KB

Download
memory/1388-111-0x0000000002A50000-0x0000000002A92000-memory.dmp

Filesize
264KB

Download
memory/1388-112-0x0000000002A50000-0x0000000002A92000-memory.dmp

Filesize
264KB

Download
memory/1732-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-63-0x000000000030E47E-mapping.dmp

Download
memory/1732-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-85-0x000000000118E47E-mapping.dmp

Download
memory/2000-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-72-0x0000000000000000-mapping.dmp

Download
memory/2032-88-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads