7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b

General

Target

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
Size

269KB
MD5

58976e5821ae6701f6aabbc279951cc0
SHA1

9878db60426f3b0de4535afc4573c612b05cfe28
SHA256

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b
SHA512

8c76c202e2cec464e4586cffa72bb18bd47adcbd8e2e17163287f88475368cc8b06657210c2af639a2d17b64cf623a857be5542fbf4da555e1f2f122de4c51d7
SSDEEP

6144:7iQ4+wpCBAiKc3yu7svlVVQWx5lkinovBfBD+D3SMHZzA:7jwcBlHL7sdl5oJpASMHZc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lyyqu.exe

pid process

1340 lyyqu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

556 cmd.exe

pid	process
1340	lyyqu.exe

pid	process
556	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe

pid	process
1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lyyqu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	lyyqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lyyqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ezde\\lyyqu.exe"	lyyqu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe

description pid process target process

PID 1588 set thread context of 556 1588 7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe cmd.exe

description	pid	process	target process
PID 1588 set thread context of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exelyyqu.exe

pid	process
1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe
1340	lyyqu.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exelyyqu.exe

description	pid	process	target process
PID 1588 wrote to memory of 1340	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyyqu.exe
PID 1588 wrote to memory of 1340	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyyqu.exe
PID 1588 wrote to memory of 1340	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyyqu.exe
PID 1588 wrote to memory of 1340	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyyqu.exe
PID 1340 wrote to memory of 1124	1340	lyyqu.exe	taskhost.exe
PID 1340 wrote to memory of 1124	1340	lyyqu.exe	taskhost.exe
PID 1340 wrote to memory of 1124	1340	lyyqu.exe	taskhost.exe
PID 1340 wrote to memory of 1124	1340	lyyqu.exe	taskhost.exe
PID 1340 wrote to memory of 1124	1340	lyyqu.exe	taskhost.exe
PID 1340 wrote to memory of 1232	1340	lyyqu.exe	Dwm.exe
PID 1340 wrote to memory of 1232	1340	lyyqu.exe	Dwm.exe
PID 1340 wrote to memory of 1232	1340	lyyqu.exe	Dwm.exe
PID 1340 wrote to memory of 1232	1340	lyyqu.exe	Dwm.exe
PID 1340 wrote to memory of 1232	1340	lyyqu.exe	Dwm.exe
PID 1340 wrote to memory of 1288	1340	lyyqu.exe	Explorer.EXE
PID 1340 wrote to memory of 1288	1340	lyyqu.exe	Explorer.EXE
PID 1340 wrote to memory of 1288	1340	lyyqu.exe	Explorer.EXE
PID 1340 wrote to memory of 1288	1340	lyyqu.exe	Explorer.EXE
PID 1340 wrote to memory of 1288	1340	lyyqu.exe	Explorer.EXE
PID 1340 wrote to memory of 1588	1340	lyyqu.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 1340 wrote to memory of 1588	1340	lyyqu.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 1340 wrote to memory of 1588	1340	lyyqu.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 1340 wrote to memory of 1588	1340	lyyqu.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 1340 wrote to memory of 1588	1340	lyyqu.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1588 wrote to memory of 556	1588	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe
PID 1340 wrote to memory of 1880	1340	lyyqu.exe	conhost.exe
PID 1340 wrote to memory of 1880	1340	lyyqu.exe	conhost.exe
PID 1340 wrote to memory of 1880	1340	lyyqu.exe	conhost.exe
PID 1340 wrote to memory of 1880	1340	lyyqu.exe	conhost.exe
PID 1340 wrote to memory of 1880	1340	lyyqu.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
"C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe
"C:\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JAH3F7.bat"
2⤵
- Deletes itself
PID:556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12374672001409634653-421093261-2000258921194385841710707685382058058849-608132333"
1⤵
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe
Filesize
269KB

MD5
b5b4c0ccd0043f2622a97b64b9cb1c91

SHA1
7e8dea010edb36ce485f61c5ed824f791162812a

SHA256
83cd792d199d00702a09de5b075a0b3e44d82d92489524b759b35bad8d8e59a6

SHA512
7376ba08c18fb819617c5c97862d02fa3c690d8d4459a743ec01acc358a9110801087ed631870d6b303de85a0354736ba7c30e564226a05281c2d2a3cc2bebf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe
Filesize
269KB

MD5
b5b4c0ccd0043f2622a97b64b9cb1c91

SHA1
7e8dea010edb36ce485f61c5ed824f791162812a

SHA256
83cd792d199d00702a09de5b075a0b3e44d82d92489524b759b35bad8d8e59a6

SHA512
7376ba08c18fb819617c5c97862d02fa3c690d8d4459a743ec01acc358a9110801087ed631870d6b303de85a0354736ba7c30e564226a05281c2d2a3cc2bebf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAH3F7.bat
Filesize
274B

MD5
186aa31a919689b7434523183b5e5aba

SHA1
b34aef9a4601ebd63161c1e0a165527b80c0b8d6

SHA256
e698ab07042245dc0dce186ff0f5f2f80cb114049b4a96c34c1272a0f5e869ff

SHA512
7500d420b51fb565ae3cec252686020cbd1a8d605eb8848b5a986b24c7d11cb9e97b01c70402418bf128bec672a0094ce2355c589badef64a49a906b826424cd

Download Submit
\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe
Filesize
269KB

MD5
b5b4c0ccd0043f2622a97b64b9cb1c91

SHA1
7e8dea010edb36ce485f61c5ed824f791162812a

SHA256
83cd792d199d00702a09de5b075a0b3e44d82d92489524b759b35bad8d8e59a6

SHA512
7376ba08c18fb819617c5c97862d02fa3c690d8d4459a743ec01acc358a9110801087ed631870d6b303de85a0354736ba7c30e564226a05281c2d2a3cc2bebf4

Download Submit
\Users\Admin\AppData\Local\Temp\Ezde\lyyqu.exe
Filesize
269KB

MD5
b5b4c0ccd0043f2622a97b64b9cb1c91

SHA1
7e8dea010edb36ce485f61c5ed824f791162812a

SHA256
83cd792d199d00702a09de5b075a0b3e44d82d92489524b759b35bad8d8e59a6

SHA512
7376ba08c18fb819617c5c97862d02fa3c690d8d4459a743ec01acc358a9110801087ed631870d6b303de85a0354736ba7c30e564226a05281c2d2a3cc2bebf4

Download Submit
memory/556-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-118-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/556-96-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/556-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/556-104-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/556-101-0x0000000000075D23-mapping.dmp

Download
memory/556-98-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/556-99-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/556-100-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1124-66-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1124-69-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1124-68-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1124-64-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1124-67-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1232-72-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1232-73-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1232-75-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1232-74-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1288-78-0x00000000025D0000-0x0000000002612000-memory.dmp

Filesize
264KB

Download
memory/1288-81-0x00000000025D0000-0x0000000002612000-memory.dmp

Filesize
264KB

Download
memory/1288-80-0x00000000025D0000-0x0000000002612000-memory.dmp

Filesize
264KB

Download
memory/1288-79-0x00000000025D0000-0x0000000002612000-memory.dmp

Filesize
264KB

Download
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1588-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1588-87-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1588-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1588-102-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1588-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1588-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x0000000000401000-0x0000000000439000-memory.dmp

Filesize
224KB

Download
memory/1588-85-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1588-86-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1588-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1588-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1588-84-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1588-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1880-110-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/1880-109-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/1880-108-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/1880-107-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads