7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b

General

Target

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
Size

269KB
MD5

58976e5821ae6701f6aabbc279951cc0
SHA1

9878db60426f3b0de4535afc4573c612b05cfe28
SHA256

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b
SHA512

8c76c202e2cec464e4586cffa72bb18bd47adcbd8e2e17163287f88475368cc8b06657210c2af639a2d17b64cf623a857be5542fbf4da555e1f2f122de4c51d7
SSDEEP

6144:7iQ4+wpCBAiKc3yu7svlVVQWx5lkinovBfBD+D3SMHZzA:7jwcBlHL7sdl5oJpASMHZc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lyvox.exe

pid process

4236 lyvox.exe

pid	process
4236	lyvox.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lyvox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	lyvox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lyvox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Betyux\\lyvox.exe"	lyvox.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe

description pid process target process

PID 3292 set thread context of 512 3292 7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe cmd.exe

description	pid	process	target process
PID 3292 set thread context of 512	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exelyvox.exe

pid	process
3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exelyvox.exe

description	pid	process	target process
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyvox.exe
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyvox.exe
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	lyvox.exe
PID 4236 wrote to memory of 2708	4236	lyvox.exe	sihost.exe
PID 4236 wrote to memory of 2708	4236	lyvox.exe	sihost.exe
PID 4236 wrote to memory of 2708	4236	lyvox.exe	sihost.exe
PID 4236 wrote to memory of 2708	4236	lyvox.exe	sihost.exe
PID 4236 wrote to memory of 2708	4236	lyvox.exe	sihost.exe
PID 4236 wrote to memory of 2728	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 2728	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 2728	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 2728	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 2728	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 2872	4236	lyvox.exe	taskhostw.exe
PID 4236 wrote to memory of 2872	4236	lyvox.exe	taskhostw.exe
PID 4236 wrote to memory of 2872	4236	lyvox.exe	taskhostw.exe
PID 4236 wrote to memory of 2872	4236	lyvox.exe	taskhostw.exe
PID 4236 wrote to memory of 2872	4236	lyvox.exe	taskhostw.exe
PID 4236 wrote to memory of 376	4236	lyvox.exe	Explorer.EXE
PID 4236 wrote to memory of 376	4236	lyvox.exe	Explorer.EXE
PID 4236 wrote to memory of 376	4236	lyvox.exe	Explorer.EXE
PID 4236 wrote to memory of 376	4236	lyvox.exe	Explorer.EXE
PID 4236 wrote to memory of 376	4236	lyvox.exe	Explorer.EXE
PID 4236 wrote to memory of 3076	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 3076	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 3076	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 3076	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 3076	4236	lyvox.exe	svchost.exe
PID 4236 wrote to memory of 3280	4236	lyvox.exe	DllHost.exe
PID 4236 wrote to memory of 3280	4236	lyvox.exe	DllHost.exe
PID 4236 wrote to memory of 3280	4236	lyvox.exe	DllHost.exe
PID 4236 wrote to memory of 3280	4236	lyvox.exe	DllHost.exe
PID 4236 wrote to memory of 3280	4236	lyvox.exe	DllHost.exe
PID 4236 wrote to memory of 3376	4236	lyvox.exe	StartMenuExperienceHost.exe
PID 4236 wrote to memory of 3376	4236	lyvox.exe	StartMenuExperienceHost.exe
PID 4236 wrote to memory of 3376	4236	lyvox.exe	StartMenuExperienceHost.exe
PID 4236 wrote to memory of 3376	4236	lyvox.exe	StartMenuExperienceHost.exe
PID 4236 wrote to memory of 3376	4236	lyvox.exe	StartMenuExperienceHost.exe
PID 4236 wrote to memory of 3444	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3444	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3444	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3444	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3444	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3536	4236	lyvox.exe	SearchApp.exe
PID 4236 wrote to memory of 3536	4236	lyvox.exe	SearchApp.exe
PID 4236 wrote to memory of 3536	4236	lyvox.exe	SearchApp.exe
PID 4236 wrote to memory of 3536	4236	lyvox.exe	SearchApp.exe
PID 4236 wrote to memory of 3536	4236	lyvox.exe	SearchApp.exe
PID 4236 wrote to memory of 3672	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3672	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3672	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3672	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3672	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 4720	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 4720	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 4720	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 4720	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 4720	4236	lyvox.exe	RuntimeBroker.exe
PID 4236 wrote to memory of 3292	4236	lyvox.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 4236 wrote to memory of 3292	4236	lyvox.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 4236 wrote to memory of 3292	4236	lyvox.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 4236 wrote to memory of 3292	4236	lyvox.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 4236 wrote to memory of 3292	4236	lyvox.exe	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
PID 3292 wrote to memory of 512	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	cmd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2728

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
"C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe
"C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CLC2B18.bat"
3⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe
Filesize
269KB

MD5
82279e1c1bc1119410c27e753afd3390

SHA1
85521de896761eb0c2fdf1b0139fa3d6cc506169

SHA256
5121048363e2351ec9d579b772ec945bbdf96c494effe044a9b77cf66ee7d7ce

SHA512
3933ce8844c71dabc9a7a32179e1c5f58316fff49efa268ffbfbf2190f20068d884f8d6054f32e53a6b2ed00298abb96276cafdd59490d983f96739bf3e6e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe
Filesize
269KB

MD5
82279e1c1bc1119410c27e753afd3390

SHA1
85521de896761eb0c2fdf1b0139fa3d6cc506169

SHA256
5121048363e2351ec9d579b772ec945bbdf96c494effe044a9b77cf66ee7d7ce

SHA512
3933ce8844c71dabc9a7a32179e1c5f58316fff49efa268ffbfbf2190f20068d884f8d6054f32e53a6b2ed00298abb96276cafdd59490d983f96739bf3e6e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLC2B18.bat
Filesize
274B

MD5
5db376d9c7fa4ae6ff0dba18dae7dd5b

SHA1
4cbdd9e5c8b54e588235382e398890a46d22f656

SHA256
9b69e3a4a3ae0f4a58b8f0fffab0462f28d7276df3369612ef8bfde17ea9728e

SHA512
6c2216dc569715bfd6a14e975fcaabdae4f1b1c9b64e07b82d950a74447a120f12a5d930c2bdd972df543ff9a0279cc477e6e515167975fb54a4f32a2b0f6612

Download Submit
memory/512-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-153-0x0000000001300000-0x0000000001342000-memory.dmp

Filesize
264KB

Download
memory/512-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-144-0x0000000000000000-mapping.dmp

Download
memory/512-145-0x0000000001300000-0x0000000001342000-memory.dmp

Filesize
264KB

Download
memory/3292-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-133-0x0000000000401000-0x0000000000439000-memory.dmp

Filesize
224KB

Download
memory/4236-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads