fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544

General

Target

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
Size

339KB
MD5

a3fa59b62f4b44f00d90cd9920f662b3
SHA1

a127a90e504de3297f77daac402ececeeda725d7
SHA256

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544
SHA512

cdc7b77a96bd7139b27b357b795960f61ea6c8ea3aa299bf75579071a320f006dc423d036c179452b218674b0760c921722e003850f3e1b5113f1a9ae3e9d7df
SSDEEP

6144:2KsYUzjJfYb+3jXutNt0GlXv4DZDGY0P6G:FsYYjJgb+3qrWuXADZDn0z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iwyhgi.exeiwyhgi.exe

pid process

1264 iwyhgi.exe
4116 iwyhgi.exe

pid	process
1264	iwyhgi.exe
4116	iwyhgi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iwyhgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwyhgi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dyovcy\\iwyhgi.exe"	iwyhgi.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	iwyhgi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeiwyhgi.exe

description	pid	process	target process
PID 1044 set thread context of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1264 set thread context of 4116	1264	iwyhgi.exe	iwyhgi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeiwyhgi.exe

pid	process
8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe
4116	iwyhgi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exefb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exeiwyhgi.exeiwyhgi.exe

description	pid	process	target process
PID 1044 wrote to memory of 3900	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 3900	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 3900	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 1044 wrote to memory of 8	1044	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
PID 8 wrote to memory of 1264	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	iwyhgi.exe
PID 8 wrote to memory of 1264	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	iwyhgi.exe
PID 8 wrote to memory of 1264	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 1264 wrote to memory of 4116	1264	iwyhgi.exe	iwyhgi.exe
PID 4116 wrote to memory of 2340	4116	iwyhgi.exe	sihost.exe
PID 4116 wrote to memory of 2340	4116	iwyhgi.exe	sihost.exe
PID 4116 wrote to memory of 2340	4116	iwyhgi.exe	sihost.exe
PID 4116 wrote to memory of 2340	4116	iwyhgi.exe	sihost.exe
PID 4116 wrote to memory of 2340	4116	iwyhgi.exe	sihost.exe
PID 4116 wrote to memory of 2368	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2368	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2368	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2368	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2368	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2464	4116	iwyhgi.exe	taskhostw.exe
PID 4116 wrote to memory of 2464	4116	iwyhgi.exe	taskhostw.exe
PID 4116 wrote to memory of 2464	4116	iwyhgi.exe	taskhostw.exe
PID 4116 wrote to memory of 2464	4116	iwyhgi.exe	taskhostw.exe
PID 4116 wrote to memory of 2464	4116	iwyhgi.exe	taskhostw.exe
PID 4116 wrote to memory of 2456	4116	iwyhgi.exe	Explorer.EXE
PID 4116 wrote to memory of 2456	4116	iwyhgi.exe	Explorer.EXE
PID 4116 wrote to memory of 2456	4116	iwyhgi.exe	Explorer.EXE
PID 4116 wrote to memory of 2456	4116	iwyhgi.exe	Explorer.EXE
PID 4116 wrote to memory of 2456	4116	iwyhgi.exe	Explorer.EXE
PID 4116 wrote to memory of 2736	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2736	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2736	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2736	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 2736	4116	iwyhgi.exe	svchost.exe
PID 4116 wrote to memory of 3260	4116	iwyhgi.exe	DllHost.exe
PID 4116 wrote to memory of 3260	4116	iwyhgi.exe	DllHost.exe
PID 4116 wrote to memory of 3260	4116	iwyhgi.exe	DllHost.exe
PID 4116 wrote to memory of 3260	4116	iwyhgi.exe	DllHost.exe
PID 4116 wrote to memory of 3260	4116	iwyhgi.exe	DllHost.exe
PID 4116 wrote to memory of 3368	4116	iwyhgi.exe	StartMenuExperienceHost.exe
PID 4116 wrote to memory of 3368	4116	iwyhgi.exe	StartMenuExperienceHost.exe
PID 4116 wrote to memory of 3368	4116	iwyhgi.exe	StartMenuExperienceHost.exe
PID 4116 wrote to memory of 3368	4116	iwyhgi.exe	StartMenuExperienceHost.exe
PID 4116 wrote to memory of 3368	4116	iwyhgi.exe	StartMenuExperienceHost.exe
PID 8 wrote to memory of 4796	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 8 wrote to memory of 4796	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 8 wrote to memory of 4796	8	fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe	cmd.exe
PID 4116 wrote to memory of 3432	4116	iwyhgi.exe	RuntimeBroker.exe
PID 4116 wrote to memory of 3432	4116	iwyhgi.exe	RuntimeBroker.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2368

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
"C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
"C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe"
3⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe
"C:\Users\Admin\AppData\Local\Temp\fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe
"C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe
"C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIC7B75.bat"
4⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CIC7B75.bat
Filesize
284B

MD5
97bab7668fa4926c5121b09211290c29

SHA1
85c1e3ac6853592d65e6608f944bf7571c26f5f3

SHA256
8e7160e49b46ee3b0cec12aa9aee2a8457b5bc1cfbb01091e2dbd8538354ee22

SHA512
edb2bd09c9030c5766485b21eded0e59d5b356673cf2678f716ce36b41e6e0fea7f37a063ac5d707370bd68f3c10aaa520756fd4d2363efaf0dd903e21ecab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe
Filesize
339KB

MD5
a7d3d5fd6c987fc515a536282b3f153d

SHA1
fcf935d49c6bd6e93f0040e094f8e4282dd19f1c

SHA256
dd4afdae38a8b2536cdbe0b2d5584a7921e6a166a4dd616f8ede750dac1f4fa2

SHA512
e4342941bf43e9178ee4185a1a569a6b778cbe7cae962222535063eb1777d4ff53e96f21015e2168330903ff2e624a87520265754449f7eddb85dfe83e2cb2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe
Filesize
339KB

MD5
a7d3d5fd6c987fc515a536282b3f153d

SHA1
fcf935d49c6bd6e93f0040e094f8e4282dd19f1c

SHA256
dd4afdae38a8b2536cdbe0b2d5584a7921e6a166a4dd616f8ede750dac1f4fa2

SHA512
e4342941bf43e9178ee4185a1a569a6b778cbe7cae962222535063eb1777d4ff53e96f21015e2168330903ff2e624a87520265754449f7eddb85dfe83e2cb2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dyovcy\iwyhgi.exe
Filesize
339KB

MD5
a7d3d5fd6c987fc515a536282b3f153d

SHA1
fcf935d49c6bd6e93f0040e094f8e4282dd19f1c

SHA256
dd4afdae38a8b2536cdbe0b2d5584a7921e6a166a4dd616f8ede750dac1f4fa2

SHA512
e4342941bf43e9178ee4185a1a569a6b778cbe7cae962222535063eb1777d4ff53e96f21015e2168330903ff2e624a87520265754449f7eddb85dfe83e2cb2b3

Download Submit
memory/8-133-0x0000000000000000-mapping.dmp

Download
memory/8-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-132-0x00000000007D3000-0x00000000007D6000-memory.dmp

Filesize
12KB

Download
memory/1044-136-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1044-155-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1044-135-0x00000000007D3000-0x00000000007D6000-memory.dmp

Filesize
12KB

Download
memory/1264-143-0x00000000007AB000-0x00000000007AE000-memory.dmp

Filesize
12KB

Download
memory/1264-140-0x0000000000000000-mapping.dmp

Download
memory/1264-148-0x0000000073EB0000-0x0000000074461000-memory.dmp

Filesize
5.7MB

Download
memory/1264-149-0x00000000007AB000-0x00000000007AE000-memory.dmp

Filesize
12KB

Download
memory/4116-144-0x0000000000000000-mapping.dmp

Download
memory/4116-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-150-0x0000000000000000-mapping.dmp

Download
memory/4796-154-0x00000000007D0000-0x0000000000812000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads