113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74

General

Target

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
Size

1.9MB
MD5

a18ed45b52b674ecc23b31681255c53a
SHA1

2656689676849653335a992192229818c3beac8b
SHA256

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74
SHA512

83219f39e894c0b6f5f7b62bb2e8b74a10c0fc20cd12257f219098dea835e444acab9037c248f1d50c917e28879b07bb15fe72f50aa944f4d46e893adea23428
SSDEEP

24576:z2O/GltmPqpmf6q4IFn4/WgswzAXkVB3zJ6yU+Kn1g89rDi67g6zwzRQegxP2TRy:T/fZ4Iq/gEBP3zJ6yUNnhb5k1tTRze

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dmyhywu.exe

pid process

1300 dmyhywu.exe

pid	process
1300	dmyhywu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dmyhywu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	dmyhywu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\2K483J~1 = "C:\\Users\\Admin\\2K483J~1\\nnxebgp.vbs"	dmyhywu.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dmyhywu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dmyhywu.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dmyhywu.exe

description pid process target process

PID 1300 set thread context of 4704 1300 dmyhywu.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dmyhywu.exe

pid process

1300 dmyhywu.exe
1300 dmyhywu.exe
1300 dmyhywu.exe
1300 dmyhywu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dmyhywu.exe

description	pid	process	target process
PID 1300 set thread context of 4704	1300	dmyhywu.exe	RegSvcs.exe

pid	process
1300	dmyhywu.exe
1300	dmyhywu.exe
1300	dmyhywu.exe
1300	dmyhywu.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exedmyhywu.exe

description	pid	process	target process
PID 4944 wrote to memory of 1300	4944	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 4944 wrote to memory of 1300	4944	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 4944 wrote to memory of 1300	4944	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1300 wrote to memory of 4704	1300	dmyhywu.exe	RegSvcs.exe
PID 1300 wrote to memory of 4704	1300	dmyhywu.exe	RegSvcs.exe
PID 1300 wrote to memory of 4704	1300	dmyhywu.exe	RegSvcs.exe
PID 1300 wrote to memory of 4704	1300	dmyhywu.exe	RegSvcs.exe
PID 1300 wrote to memory of 4704	1300	dmyhywu.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
"C:\Users\Admin\AppData\Local\Temp\113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\2k483j96b7k7\dmyhywu.exe
"C:\Users\Admin\2k483j96b7k7\dmyhywu.exe" xjgf
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2K483J~1\QFXWZO~1.BAB
Filesize
1.1MB

MD5
6bf1b71b109003e69298829d0efdc18d

SHA1
0432013b3a80cd6ff92f67c90110f2724c403979

SHA256
b371447bcafea9e221b68cbc36d9275785d204458e3118845ab011ddc64018b5

SHA512
946d0d460c084baac462d6ca4bac0c90bd0c531ba479a26f2adeaed76983d011c8c9c592ebe0f9bf39e687b565782f08cce678e5adaa0cca92412ec92ed6c200

Download Submit
C:\Users\Admin\2K483J~1\klnooluqy.HFX
Filesize
89B

MD5
87172b927436d328c16fdd2441effac4

SHA1
bd9af389ce92213d50e5ef6dff04d70e24204fa5

SHA256
b553e9cb69cc265ad2dfacea7430b7b817fa55c0a999daa4265b8ede10ee39f2

SHA512
d3579ceccd74012bdaa9de5c118b1d92c44bcf486991cd3d49df75753609d507a5936c8e438d4ef496b684df15a42cb4bb6f8015e79291298725bdfe61c989fe

Download Submit
C:\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\2k483j96b7k7\xjgf
Filesize
646.7MB

MD5
859590379f35b2be5b773722e9e0efd3

SHA1
183665b95f71a5a0f9476b4e1b47e006e887f9d7

SHA256
57e9177d6bdb8f20f0a822e540573d303bdf742f25403554d55a46998eecbe22

SHA512
cc6868c679c68577859dee931ddc089a12c8219a25ae5783a5c35d10ed0a2716367b308c0aa7aebccce5bea7f88e6884988dbd19feba41bfcb3791a11eebbb7b

Download Submit
memory/1300-132-0x0000000000000000-mapping.dmp

Download
memory/4704-138-0x0000000000000000-mapping.dmp

Download
memory/4704-139-0x0000000000820000-0x0000000000942000-memory.dmp

Filesize
1.1MB

Download
memory/4704-140-0x0000000004E00000-0x0000000004E9C000-memory.dmp

Filesize
624KB

Download
memory/4704-141-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/4704-142-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/4704-143-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/4704-144-0x0000000005130000-0x0000000005186000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads