268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8

Analysis

max time kernel
167s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 19:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe
Size

303KB
MD5

d8027ba768b6d32564abbd0c7d757545
SHA1

968631e477b9e1ddca039c576182408a1c9c62ee
SHA256

268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8
SHA512

74d90cd38243434ea3fe94759aca4e8630154c5f7156a3bb36beb640007fcf5c0482fd607d80f14924bfa1bd091de10f4307d415df6447d1a5704d538e06af38
SSDEEP

6144:8yIdcbBW5HMx5XAQb8osNrIpJ2h9VFwiYqeQROlf6WBflilua4ksoYqdC:adcbBAHMx5Q88u0j+iYqeQQZ6WBY4j

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1384	yfji.exe

Deletes itself 1 IoCs

pid	Process
1516	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe
1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	yfji.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yfji = "C:\\Users\\Admin\\AppData\\Roaming\\Utgyl\\yfji.exe"	yfji.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe
1384	yfji.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1384	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	28
PID 1668 wrote to memory of 1384	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	28
PID 1668 wrote to memory of 1384	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	28
PID 1668 wrote to memory of 1384	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	28
PID 1384 wrote to memory of 1116	1384	yfji.exe	15
PID 1384 wrote to memory of 1116	1384	yfji.exe	15
PID 1384 wrote to memory of 1116	1384	yfji.exe	15
PID 1384 wrote to memory of 1116	1384	yfji.exe	15
PID 1384 wrote to memory of 1116	1384	yfji.exe	15
PID 1384 wrote to memory of 1168	1384	yfji.exe	6
PID 1384 wrote to memory of 1168	1384	yfji.exe	6
PID 1384 wrote to memory of 1168	1384	yfji.exe	6
PID 1384 wrote to memory of 1168	1384	yfji.exe	6
PID 1384 wrote to memory of 1168	1384	yfji.exe	6
PID 1384 wrote to memory of 1224	1384	yfji.exe	14
PID 1384 wrote to memory of 1224	1384	yfji.exe	14
PID 1384 wrote to memory of 1224	1384	yfji.exe	14
PID 1384 wrote to memory of 1224	1384	yfji.exe	14
PID 1384 wrote to memory of 1224	1384	yfji.exe	14
PID 1384 wrote to memory of 1668	1384	yfji.exe	12
PID 1384 wrote to memory of 1668	1384	yfji.exe	12
PID 1384 wrote to memory of 1668	1384	yfji.exe	12
PID 1384 wrote to memory of 1668	1384	yfji.exe	12
PID 1384 wrote to memory of 1668	1384	yfji.exe	12
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29
PID 1668 wrote to memory of 1516	1668	268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe
"C:\Users\Admin\AppData\Local\Temp\268454d0edc8ef4ab1aa22b67d09101badc7945aaeeb1b3f1f9b74bfa2978ed8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\Utgyl\yfji.exe
  "C:\Users\Admin\AppData\Roaming\Utgyl\yfji.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\SAA81B2.bat"
  2⤵
  - Deletes itself
  PID:1516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SAA81B2.bat

Filesize
303B

MD5
1c5c04b6851f1dfa013cb40316dd8248

SHA1
64f5aa455709ee33dd4c6b80bf9979e870b8a4b9

SHA256
cc63c395156a37dad16df080620a6bd7f1e503ae01cc28a4e57ab852370740e6

SHA512
4f3cf56b628a8911cb45081b20cfba54521e813be87050737bfeba41e4a0e1bb73aa58d60c17b5e1b5a74b00d89207b7c1c34dbb2145deba1e56cc3e4ceb935d

Download Submit
C:\Users\Admin\AppData\Roaming\Utgyl\yfji.exe

Filesize
303KB

MD5
58670921a9797d2225f6ae7bb4741325

SHA1
1876b12cdd509bf8532851aff09e100ba43fb4ba

SHA256
334c37a6385bc9e0051ab0c43018aff8d3e6e61889144678f8286ec62290fc02

SHA512
3d33f91ccfb3d5a318bfd707cdea88bfbdde1b24c5f433a72d6da9b46cc004a6a3f24372a74d48b94ed76a867c9d50529c5204c2ff8aecb3a5926b338f07c4db

Download Submit
C:\Users\Admin\AppData\Roaming\Utgyl\yfji.exe

Filesize
303KB

MD5
58670921a9797d2225f6ae7bb4741325

SHA1
1876b12cdd509bf8532851aff09e100ba43fb4ba

SHA256
334c37a6385bc9e0051ab0c43018aff8d3e6e61889144678f8286ec62290fc02

SHA512
3d33f91ccfb3d5a318bfd707cdea88bfbdde1b24c5f433a72d6da9b46cc004a6a3f24372a74d48b94ed76a867c9d50529c5204c2ff8aecb3a5926b338f07c4db

Download Submit
\Users\Admin\AppData\Roaming\Utgyl\yfji.exe

Filesize
303KB

MD5
58670921a9797d2225f6ae7bb4741325

SHA1
1876b12cdd509bf8532851aff09e100ba43fb4ba

SHA256
334c37a6385bc9e0051ab0c43018aff8d3e6e61889144678f8286ec62290fc02

SHA512
3d33f91ccfb3d5a318bfd707cdea88bfbdde1b24c5f433a72d6da9b46cc004a6a3f24372a74d48b94ed76a867c9d50529c5204c2ff8aecb3a5926b338f07c4db

Download Submit
\Users\Admin\AppData\Roaming\Utgyl\yfji.exe

Filesize
303KB

MD5
58670921a9797d2225f6ae7bb4741325

SHA1
1876b12cdd509bf8532851aff09e100ba43fb4ba

SHA256
334c37a6385bc9e0051ab0c43018aff8d3e6e61889144678f8286ec62290fc02

SHA512
3d33f91ccfb3d5a318bfd707cdea88bfbdde1b24c5f433a72d6da9b46cc004a6a3f24372a74d48b94ed76a867c9d50529c5204c2ff8aecb3a5926b338f07c4db

Download Submit
memory/1116-67-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1116-69-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1116-70-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1116-68-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1116-65-0x0000000001CB0000-0x0000000001CF9000-memory.dmp

Filesize
292KB

Download
memory/1168-73-0x0000000001AF0000-0x0000000001B39000-memory.dmp

Filesize
292KB

Download
memory/1168-74-0x0000000001AF0000-0x0000000001B39000-memory.dmp

Filesize
292KB

Download
memory/1168-76-0x0000000001AF0000-0x0000000001B39000-memory.dmp

Filesize
292KB

Download
memory/1168-75-0x0000000001AF0000-0x0000000001B39000-memory.dmp

Filesize
292KB

Download
memory/1224-81-0x0000000002B00000-0x0000000002B49000-memory.dmp

Filesize
292KB

Download
memory/1224-82-0x0000000002B00000-0x0000000002B49000-memory.dmp

Filesize
292KB

Download
memory/1224-79-0x0000000002B00000-0x0000000002B49000-memory.dmp

Filesize
292KB

Download
memory/1224-80-0x0000000002B00000-0x0000000002B49000-memory.dmp

Filesize
292KB

Download
memory/1384-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1516-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1516-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1516-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1516-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1516-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1516-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1668-56-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1668-88-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1668-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-104-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1668-91-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-87-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-86-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-85-0x0000000001F70000-0x0000000001FB9000-memory.dmp

Filesize
292KB

Download
memory/1668-54-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download