7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b

Analysis

max time kernel
164s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
Size

269KB
MD5

58976e5821ae6701f6aabbc279951cc0
SHA1

9878db60426f3b0de4535afc4573c612b05cfe28
SHA256

7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b
SHA512

8c76c202e2cec464e4586cffa72bb18bd47adcbd8e2e17163287f88475368cc8b06657210c2af639a2d17b64cf623a857be5542fbf4da555e1f2f122de4c51d7
SSDEEP

6144:7iQ4+wpCBAiKc3yu7svlVVQWx5lkinovBfBD+D3SMHZzA:7jwcBlHL7sdl5oJpASMHZc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4236	lyvox.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	lyvox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lyvox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Betyux\\lyvox.exe"	lyvox.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 512	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	80

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe
4236	lyvox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	79
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	79
PID 3292 wrote to memory of 4236	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	79
PID 4236 wrote to memory of 2708	4236	lyvox.exe	50
PID 4236 wrote to memory of 2708	4236	lyvox.exe	50
PID 4236 wrote to memory of 2708	4236	lyvox.exe	50
PID 4236 wrote to memory of 2708	4236	lyvox.exe	50
PID 4236 wrote to memory of 2708	4236	lyvox.exe	50
PID 4236 wrote to memory of 2728	4236	lyvox.exe	51
PID 4236 wrote to memory of 2728	4236	lyvox.exe	51
PID 4236 wrote to memory of 2728	4236	lyvox.exe	51
PID 4236 wrote to memory of 2728	4236	lyvox.exe	51
PID 4236 wrote to memory of 2728	4236	lyvox.exe	51
PID 4236 wrote to memory of 2872	4236	lyvox.exe	52
PID 4236 wrote to memory of 2872	4236	lyvox.exe	52
PID 4236 wrote to memory of 2872	4236	lyvox.exe	52
PID 4236 wrote to memory of 2872	4236	lyvox.exe	52
PID 4236 wrote to memory of 2872	4236	lyvox.exe	52
PID 4236 wrote to memory of 376	4236	lyvox.exe	54
PID 4236 wrote to memory of 376	4236	lyvox.exe	54
PID 4236 wrote to memory of 376	4236	lyvox.exe	54
PID 4236 wrote to memory of 376	4236	lyvox.exe	54
PID 4236 wrote to memory of 376	4236	lyvox.exe	54
PID 4236 wrote to memory of 3076	4236	lyvox.exe	55
PID 4236 wrote to memory of 3076	4236	lyvox.exe	55
PID 4236 wrote to memory of 3076	4236	lyvox.exe	55
PID 4236 wrote to memory of 3076	4236	lyvox.exe	55
PID 4236 wrote to memory of 3076	4236	lyvox.exe	55
PID 4236 wrote to memory of 3280	4236	lyvox.exe	56
PID 4236 wrote to memory of 3280	4236	lyvox.exe	56
PID 4236 wrote to memory of 3280	4236	lyvox.exe	56
PID 4236 wrote to memory of 3280	4236	lyvox.exe	56
PID 4236 wrote to memory of 3280	4236	lyvox.exe	56
PID 4236 wrote to memory of 3376	4236	lyvox.exe	57
PID 4236 wrote to memory of 3376	4236	lyvox.exe	57
PID 4236 wrote to memory of 3376	4236	lyvox.exe	57
PID 4236 wrote to memory of 3376	4236	lyvox.exe	57
PID 4236 wrote to memory of 3376	4236	lyvox.exe	57
PID 4236 wrote to memory of 3444	4236	lyvox.exe	58
PID 4236 wrote to memory of 3444	4236	lyvox.exe	58
PID 4236 wrote to memory of 3444	4236	lyvox.exe	58
PID 4236 wrote to memory of 3444	4236	lyvox.exe	58
PID 4236 wrote to memory of 3444	4236	lyvox.exe	58
PID 4236 wrote to memory of 3536	4236	lyvox.exe	59
PID 4236 wrote to memory of 3536	4236	lyvox.exe	59
PID 4236 wrote to memory of 3536	4236	lyvox.exe	59
PID 4236 wrote to memory of 3536	4236	lyvox.exe	59
PID 4236 wrote to memory of 3536	4236	lyvox.exe	59
PID 4236 wrote to memory of 3672	4236	lyvox.exe	60
PID 4236 wrote to memory of 3672	4236	lyvox.exe	60
PID 4236 wrote to memory of 3672	4236	lyvox.exe	60
PID 4236 wrote to memory of 3672	4236	lyvox.exe	60
PID 4236 wrote to memory of 3672	4236	lyvox.exe	60
PID 4236 wrote to memory of 4720	4236	lyvox.exe	63
PID 4236 wrote to memory of 4720	4236	lyvox.exe	63
PID 4236 wrote to memory of 4720	4236	lyvox.exe	63
PID 4236 wrote to memory of 4720	4236	lyvox.exe	63
PID 4236 wrote to memory of 4720	4236	lyvox.exe	63
PID 4236 wrote to memory of 3292	4236	lyvox.exe	78
PID 4236 wrote to memory of 3292	4236	lyvox.exe	78
PID 4236 wrote to memory of 3292	4236	lyvox.exe	78
PID 4236 wrote to memory of 3292	4236	lyvox.exe	78
PID 4236 wrote to memory of 3292	4236	lyvox.exe	78
PID 3292 wrote to memory of 512	3292	7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe	80

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2728

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe
  "C:\Users\Admin\AppData\Local\Temp\7f5e4fcad117286fc9a04917aea47cfd4ccb2805803f4be07f913d399a6cb67b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe
    "C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CLC2B18.bat"
    3⤵
    PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe

Filesize
269KB

MD5
82279e1c1bc1119410c27e753afd3390

SHA1
85521de896761eb0c2fdf1b0139fa3d6cc506169

SHA256
5121048363e2351ec9d579b772ec945bbdf96c494effe044a9b77cf66ee7d7ce

SHA512
3933ce8844c71dabc9a7a32179e1c5f58316fff49efa268ffbfbf2190f20068d884f8d6054f32e53a6b2ed00298abb96276cafdd59490d983f96739bf3e6e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betyux\lyvox.exe

Filesize
269KB

MD5
82279e1c1bc1119410c27e753afd3390

SHA1
85521de896761eb0c2fdf1b0139fa3d6cc506169

SHA256
5121048363e2351ec9d579b772ec945bbdf96c494effe044a9b77cf66ee7d7ce

SHA512
3933ce8844c71dabc9a7a32179e1c5f58316fff49efa268ffbfbf2190f20068d884f8d6054f32e53a6b2ed00298abb96276cafdd59490d983f96739bf3e6e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLC2B18.bat

Filesize
274B

MD5
5db376d9c7fa4ae6ff0dba18dae7dd5b

SHA1
4cbdd9e5c8b54e588235382e398890a46d22f656

SHA256
9b69e3a4a3ae0f4a58b8f0fffab0462f28d7276df3369612ef8bfde17ea9728e

SHA512
6c2216dc569715bfd6a14e975fcaabdae4f1b1c9b64e07b82d950a74447a120f12a5d930c2bdd972df543ff9a0279cc477e6e515167975fb54a4f32a2b0f6612

Download Submit
memory/512-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-153-0x0000000001300000-0x0000000001342000-memory.dmp

Filesize
264KB

Download
memory/512-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/512-145-0x0000000001300000-0x0000000001342000-memory.dmp

Filesize
264KB

Download
memory/3292-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3292-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-133-0x0000000000401000-0x0000000000439000-memory.dmp

Filesize
224KB

Download