fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544

General

Target

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
Size

339KB
MD5

a3fa59b62f4b44f00d90cd9920f662b3
SHA1

a127a90e504de3297f77daac402ececeeda725d7
SHA256

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544
SHA512

cdc7b77a96bd7139b27b357b795960f61ea6c8ea3aa299bf75579071a320f006dc423d036c179452b218674b0760c921722e003850f3e1b5113f1a9ae3e9d7df
SSDEEP

6144:2KsYUzjJfYb+3jXutNt0GlXv4DZDGY0P6G:FsYYjJgb+3qrWuXADZDn0z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

uvxyo.exeuvxyo.exe

pid process

1956 uvxyo.exe
1952 uvxyo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1876 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeuvxyo.exe

pid process

1488 fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
1956 uvxyo.exe

pid	process
1956	uvxyo.exe
1952	uvxyo.exe

pid	process
1876	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uvxyo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	uvxyo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uvxyo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Efcada\\uvxyo.exe"	uvxyo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeuvxyo.exe

description	pid	process	target process
PID 1692 set thread context of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1956 set thread context of 1952	1956	uvxyo.exe	uvxyo.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeuvxyo.exe

pid	process
1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe
1952	uvxyo.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exefb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeuvxyo.exeuvxyo.exe

description	pid	process	target process
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1692 wrote to memory of 1488	1692	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1488 wrote to memory of 1956	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	uvxyo.exe
PID 1488 wrote to memory of 1956	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	uvxyo.exe
PID 1488 wrote to memory of 1956	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	uvxyo.exe
PID 1488 wrote to memory of 1956	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1956 wrote to memory of 1952	1956	uvxyo.exe	uvxyo.exe
PID 1952 wrote to memory of 1232	1952	uvxyo.exe	taskhost.exe
PID 1952 wrote to memory of 1232	1952	uvxyo.exe	taskhost.exe
PID 1952 wrote to memory of 1232	1952	uvxyo.exe	taskhost.exe
PID 1952 wrote to memory of 1232	1952	uvxyo.exe	taskhost.exe
PID 1952 wrote to memory of 1232	1952	uvxyo.exe	taskhost.exe
PID 1952 wrote to memory of 1320	1952	uvxyo.exe	Dwm.exe
PID 1952 wrote to memory of 1320	1952	uvxyo.exe	Dwm.exe
PID 1952 wrote to memory of 1320	1952	uvxyo.exe	Dwm.exe
PID 1952 wrote to memory of 1320	1952	uvxyo.exe	Dwm.exe
PID 1952 wrote to memory of 1320	1952	uvxyo.exe	Dwm.exe
PID 1952 wrote to memory of 1384	1952	uvxyo.exe	Explorer.EXE
PID 1952 wrote to memory of 1384	1952	uvxyo.exe	Explorer.EXE
PID 1952 wrote to memory of 1384	1952	uvxyo.exe	Explorer.EXE
PID 1952 wrote to memory of 1384	1952	uvxyo.exe	Explorer.EXE
PID 1952 wrote to memory of 1384	1952	uvxyo.exe	Explorer.EXE
PID 1952 wrote to memory of 1488	1952	uvxyo.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1952 wrote to memory of 1488	1952	uvxyo.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1952 wrote to memory of 1488	1952	uvxyo.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1952 wrote to memory of 1488	1952	uvxyo.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1952 wrote to memory of 1488	1952	uvxyo.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1488 wrote to memory of 1876	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 1488 wrote to memory of 1876	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 1488 wrote to memory of 1876	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 1488 wrote to memory of 1876	1488	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 1952 wrote to memory of 1876	1952	uvxyo.exe	cmd.exe
PID 1952 wrote to memory of 1876	1952	uvxyo.exe	cmd.exe
PID 1952 wrote to memory of 1876	1952	uvxyo.exe	cmd.exe
PID 1952 wrote to memory of 1876	1952	uvxyo.exe	cmd.exe
PID 1952 wrote to memory of 1876	1952	uvxyo.exe	cmd.exe
PID 1952 wrote to memory of 1028	1952	uvxyo.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
"C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
"C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
"C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
"C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NPL4528.bat"
4⤵
- Deletes itself
PID:1876

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2118100550-5322536961246599264-1948797931856632183-34478202312051767291987237461"
1⤵
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
Filesize
339KB

MD5
91909398b9620c35a5c9cf25fa7a8b63

SHA1
86cedc02b2f1d7a5847ed2bb852a1cd96d8a421b

SHA256
0d1991b3afb04a8ca7bbaebd3ab00f7ee6ebeb0c7b987e314aec09a063cd65b2

SHA512
40230b7a8d9c3aa0810ca7367811cb1d113d043e664d1521b533ee8d7ee2c146018b416b561a2a3313a3b3f916c20300e8b016cbdf6e4124ea0d399d8c005ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
Filesize
339KB

MD5
91909398b9620c35a5c9cf25fa7a8b63

SHA1
86cedc02b2f1d7a5847ed2bb852a1cd96d8a421b

SHA256
0d1991b3afb04a8ca7bbaebd3ab00f7ee6ebeb0c7b987e314aec09a063cd65b2

SHA512
40230b7a8d9c3aa0810ca7367811cb1d113d043e664d1521b533ee8d7ee2c146018b416b561a2a3313a3b3f916c20300e8b016cbdf6e4124ea0d399d8c005ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
Filesize
339KB

MD5
91909398b9620c35a5c9cf25fa7a8b63

SHA1
86cedc02b2f1d7a5847ed2bb852a1cd96d8a421b

SHA256
0d1991b3afb04a8ca7bbaebd3ab00f7ee6ebeb0c7b987e314aec09a063cd65b2

SHA512
40230b7a8d9c3aa0810ca7367811cb1d113d043e664d1521b533ee8d7ee2c146018b416b561a2a3313a3b3f916c20300e8b016cbdf6e4124ea0d399d8c005ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NPL4528.bat
Filesize
278B

MD5
79f61edc7b7dd7ab392395c32657424f

SHA1
488935959b56d6f92b67d15835989781ca7f8b22

SHA256
75a28c347d9b2a12c423c06fd639048b57112f6c614cddfb1cdd9aa7b283753a

SHA512
0762ed4a7bb19681df74ae13742855daa8213e4e5f296f60863136d12d00d6cee88a1369ca2fa570115b7d99e14e7ac7f9590aa46f10137b3501a60e9f39b550

Download Submit
\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
Filesize
339KB

MD5
91909398b9620c35a5c9cf25fa7a8b63

SHA1
86cedc02b2f1d7a5847ed2bb852a1cd96d8a421b

SHA256
0d1991b3afb04a8ca7bbaebd3ab00f7ee6ebeb0c7b987e314aec09a063cd65b2

SHA512
40230b7a8d9c3aa0810ca7367811cb1d113d043e664d1521b533ee8d7ee2c146018b416b561a2a3313a3b3f916c20300e8b016cbdf6e4124ea0d399d8c005ab2

Download Submit
\Users\Admin\AppData\Local\Temp\Efcada\uvxyo.exe
Filesize
339KB

MD5
91909398b9620c35a5c9cf25fa7a8b63

SHA1
86cedc02b2f1d7a5847ed2bb852a1cd96d8a421b

SHA256
0d1991b3afb04a8ca7bbaebd3ab00f7ee6ebeb0c7b987e314aec09a063cd65b2

SHA512
40230b7a8d9c3aa0810ca7367811cb1d113d043e664d1521b533ee8d7ee2c146018b416b561a2a3313a3b3f916c20300e8b016cbdf6e4124ea0d399d8c005ab2

Download Submit
memory/1232-96-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1232-98-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1232-97-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1232-95-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1320-101-0x0000000001B40000-0x0000000001B82000-memory.dmp

Filesize
264KB

Download
memory/1320-102-0x0000000001B40000-0x0000000001B82000-memory.dmp

Filesize
264KB

Download
memory/1320-104-0x0000000001B40000-0x0000000001B82000-memory.dmp

Filesize
264KB

Download
memory/1320-103-0x0000000001B40000-0x0000000001B82000-memory.dmp

Filesize
264KB

Download
memory/1384-108-0x0000000002620000-0x0000000002662000-memory.dmp

Filesize
264KB

Download
memory/1384-110-0x0000000002620000-0x0000000002662000-memory.dmp

Filesize
264KB

Download
memory/1384-109-0x0000000002620000-0x0000000002662000-memory.dmp

Filesize
264KB

Download
memory/1384-107-0x0000000002620000-0x0000000002662000-memory.dmp

Filesize
264KB

Download
memory/1488-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-116-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1488-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1488-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-63-0x0000000000D13ECE-mapping.dmp

Download
memory/1488-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-121-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1488-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-114-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1488-115-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1488-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-113-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1488-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1692-67-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1876-126-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1876-119-0x0000000000000000-mapping.dmp

Download
memory/1876-124-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1876-125-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1876-127-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1952-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-85-0x0000000000AE3ECE-mapping.dmp

Download
memory/1952-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-72-0x0000000000000000-mapping.dmp

Download
memory/1956-88-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-89-0x00000000001FE000-0x0000000000201000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads