76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3

General

Target

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
Size

248KB
MD5

c21c3dbeca0b9907fecb00fd52af2ed1
SHA1

428c51312b76451a57c60aec540fde14f6ea6b78
SHA256

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3
SHA512

93db1fb60fa399d8a30d8782bb9310cee2cfc68682010d988fb3ce8d6dad17904a4aaefed4b840208ed3d654e92dc5f4c7e87ea8f88adc71784ef9e782b340ed
SSDEEP

6144:A23pwG2Dz3v6bSwTrqEwT2CPTOulbPIS4q:B5wG6zv61/xCrO+bPDX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

yluhq.exeyluhq.exe

pid process

4516 yluhq.exe
4564 yluhq.exe

pid	process
4516	yluhq.exe
4564	yluhq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeyluhq.exe

description	pid	process	target process
PID 4252 set thread context of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4516 set thread context of 4564	4516	yluhq.exe	yluhq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

yluhq.exe

pid process

4564 yluhq.exe
4564 yluhq.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe

description pid process

Token: SeSecurityPrivilege 1016 76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeyluhq.exe

pid process

4252 76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
4516 yluhq.exe

pid	process
4564	yluhq.exe
4564	yluhq.exe

description	pid	process
Token: SeSecurityPrivilege	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe

pid	process
4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
4516	yluhq.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exeyluhq.exeyluhq.exe

description	pid	process	target process
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 4252 wrote to memory of 1016	4252	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
PID 1016 wrote to memory of 4516	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	yluhq.exe
PID 1016 wrote to memory of 4516	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	yluhq.exe
PID 1016 wrote to memory of 4516	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 4516 wrote to memory of 4564	4516	yluhq.exe	yluhq.exe
PID 1016 wrote to memory of 4104	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1016 wrote to memory of 4104	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 1016 wrote to memory of 4104	1016	76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe	cmd.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4520	4564	yluhq.exe	explorer.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe
PID 4564 wrote to memory of 4104	4564	yluhq.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
"C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe
"C:\Users\Admin\AppData\Local\Temp\76cb1d90d74fd544fff6c842adfd6ca6106db7c86e0b1faf5de21287c02fe5f3.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe
"C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe
"C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpafddb08a.bat"
3⤵
PID:4104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpafddb08a.bat
Filesize
307B

MD5
6ff66f00602ced203d7993c9bc2908af

SHA1
255d4409034674bec07ab2092b7e16ece226b3b8

SHA256
a6c679a293de6e614326628ed1eb89857c7cdd98f5f3a2c1a9ad41f22e7c7322

SHA512
4f320d81e3af8c0421422c9fad6b878c311989a4b0042bd3fe02a6a6db370b75ec5b5e419f03b8b403bbf54185c9f078021c090b5171644f3029edcea3ed595c

Download Submit
C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe
Filesize
248KB

MD5
0b30c128ed9441a9fc1a56c2b35d3f06

SHA1
18ae29af44a652bddb8fc0850cbc04c3cac80f9e

SHA256
09a16abb12f5ba51463c3a0cd2c898010e1b4f20d0fd295e62325db58bb3b347

SHA512
cef99acef679a4a07fe72a9dabada7661294964f4a42cfe70113d2523940bff440f56a33ff40e590f1823e5f0fe581c93da2a97660f3ad997c001f658a467c94

Download Submit
C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe
Filesize
248KB

MD5
0b30c128ed9441a9fc1a56c2b35d3f06

SHA1
18ae29af44a652bddb8fc0850cbc04c3cac80f9e

SHA256
09a16abb12f5ba51463c3a0cd2c898010e1b4f20d0fd295e62325db58bb3b347

SHA512
cef99acef679a4a07fe72a9dabada7661294964f4a42cfe70113d2523940bff440f56a33ff40e590f1823e5f0fe581c93da2a97660f3ad997c001f658a467c94

Download Submit
C:\Users\Admin\AppData\Roaming\Biiq\yluhq.exe
Filesize
248KB

MD5
0b30c128ed9441a9fc1a56c2b35d3f06

SHA1
18ae29af44a652bddb8fc0850cbc04c3cac80f9e

SHA256
09a16abb12f5ba51463c3a0cd2c898010e1b4f20d0fd295e62325db58bb3b347

SHA512
cef99acef679a4a07fe72a9dabada7661294964f4a42cfe70113d2523940bff440f56a33ff40e590f1823e5f0fe581c93da2a97660f3ad997c001f658a467c94

Download Submit
memory/1016-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-134-0x0000000000000000-mapping.dmp

Download
memory/1016-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4104-157-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/4104-152-0x0000000000000000-mapping.dmp

Download
memory/4252-136-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/4516-141-0x0000000000000000-mapping.dmp

Download
memory/4520-154-0x0000000000000000-mapping.dmp

Download
memory/4520-158-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/4564-147-0x0000000000000000-mapping.dmp

Download
memory/4564-156-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing