b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe
Size

300KB
MD5

472edb1d1f5a25434e3c333600652aa8
SHA1

9a7e707ddd75bb0ca135f39d8d4869a0471a47e1
SHA256

b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039
SHA512

32bad60dba688d958ffc4d90a9473f3787dc6243856668f1440554bf18ad025e521c945d0c21aa9948116484dc81836e78b89adfb97193fe52520794103fc6ad
SSDEEP

6144:fFWnPekevsoKmOz/KURShu5flMy16wL+kCfjLwcfqMr/JWAsoYKZX0:MZSlKJK8991LikCfjLziuG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
916	xaury.exe

Deletes itself 1 IoCs

pid	Process
564	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe
1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Lygiu\\xaury.exe"	xaury.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	xaury.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe
916	xaury.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 916	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	27
PID 1688 wrote to memory of 916	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	27
PID 1688 wrote to memory of 916	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	27
PID 1688 wrote to memory of 916	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	27
PID 916 wrote to memory of 1160	916	xaury.exe	19
PID 916 wrote to memory of 1160	916	xaury.exe	19
PID 916 wrote to memory of 1160	916	xaury.exe	19
PID 916 wrote to memory of 1160	916	xaury.exe	19
PID 916 wrote to memory of 1160	916	xaury.exe	19
PID 916 wrote to memory of 1232	916	xaury.exe	18
PID 916 wrote to memory of 1232	916	xaury.exe	18
PID 916 wrote to memory of 1232	916	xaury.exe	18
PID 916 wrote to memory of 1232	916	xaury.exe	18
PID 916 wrote to memory of 1232	916	xaury.exe	18
PID 916 wrote to memory of 1284	916	xaury.exe	17
PID 916 wrote to memory of 1284	916	xaury.exe	17
PID 916 wrote to memory of 1284	916	xaury.exe	17
PID 916 wrote to memory of 1284	916	xaury.exe	17
PID 916 wrote to memory of 1284	916	xaury.exe	17
PID 916 wrote to memory of 1688	916	xaury.exe	26
PID 916 wrote to memory of 1688	916	xaury.exe	26
PID 916 wrote to memory of 1688	916	xaury.exe	26
PID 916 wrote to memory of 1688	916	xaury.exe	26
PID 916 wrote to memory of 1688	916	xaury.exe	26
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28
PID 1688 wrote to memory of 564	1688	b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe
  "C:\Users\Admin\AppData\Local\Temp\b0bbb21bd252c54f18ef8c1ab13485efa7b1d20735477b007bf7ab4c96dbe039.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Lygiu\xaury.exe
    "C:\Users\Admin\AppData\Roaming\Lygiu\xaury.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp25d9d683.bat"
    3⤵
    - Deletes itself
    PID:564

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp25d9d683.bat

Filesize
307B

MD5
1d7f0b9d4b39b7ec9863342a3589303e

SHA1
20f4fc362471d3f2862e1fa5e71ff014f97963fb

SHA256
87d861a4dbfd784421922fa38532aacedc23f246519c32144e31ca378aba0ae8

SHA512
b02d92f22ce821b6aef90345b755a9eba9f8166b36f711923e72d043069ea1a472be441730164032f11d632fe70ef037e9f0f8653347f0e4b299cb141cf5087b

Download Submit
C:\Users\Admin\AppData\Roaming\Lygiu\xaury.exe

Filesize
300KB

MD5
f27c96905c7900af853f82729dc34922

SHA1
2ab698aaef9fcecde361906bff7a2c21e8728a8b

SHA256
e843c8b2b5150a495a1cf6d127e635b856149807d865a04ded29558f52174a8c

SHA512
5abd130e73b2cc51ac84be825bceb3a0190065a0c30e2f8c0b6ee0179c11c681243d209bebdda5e3a0c4287fd196137b37c6383dd083ed40bccd3baec37b395e

Download Submit
C:\Users\Admin\AppData\Roaming\Lygiu\xaury.exe

Filesize
300KB

MD5
f27c96905c7900af853f82729dc34922

SHA1
2ab698aaef9fcecde361906bff7a2c21e8728a8b

SHA256
e843c8b2b5150a495a1cf6d127e635b856149807d865a04ded29558f52174a8c

SHA512
5abd130e73b2cc51ac84be825bceb3a0190065a0c30e2f8c0b6ee0179c11c681243d209bebdda5e3a0c4287fd196137b37c6383dd083ed40bccd3baec37b395e

Download Submit
\Users\Admin\AppData\Roaming\Lygiu\xaury.exe

Filesize
300KB

MD5
f27c96905c7900af853f82729dc34922

SHA1
2ab698aaef9fcecde361906bff7a2c21e8728a8b

SHA256
e843c8b2b5150a495a1cf6d127e635b856149807d865a04ded29558f52174a8c

SHA512
5abd130e73b2cc51ac84be825bceb3a0190065a0c30e2f8c0b6ee0179c11c681243d209bebdda5e3a0c4287fd196137b37c6383dd083ed40bccd3baec37b395e

Download Submit
\Users\Admin\AppData\Roaming\Lygiu\xaury.exe

Filesize
300KB

MD5
f27c96905c7900af853f82729dc34922

SHA1
2ab698aaef9fcecde361906bff7a2c21e8728a8b

SHA256
e843c8b2b5150a495a1cf6d127e635b856149807d865a04ded29558f52174a8c

SHA512
5abd130e73b2cc51ac84be825bceb3a0190065a0c30e2f8c0b6ee0179c11c681243d209bebdda5e3a0c4287fd196137b37c6383dd083ed40bccd3baec37b395e

Download Submit
memory/564-106-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/564-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-115-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/564-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/564-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-98-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/564-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/564-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1160-70-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1160-65-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1160-67-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1160-68-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1160-69-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1232-76-0x0000000001D40000-0x0000000001D88000-memory.dmp

Filesize
288KB

Download
memory/1232-73-0x0000000001D40000-0x0000000001D88000-memory.dmp

Filesize
288KB

Download
memory/1232-74-0x0000000001D40000-0x0000000001D88000-memory.dmp

Filesize
288KB

Download
memory/1232-75-0x0000000001D40000-0x0000000001D88000-memory.dmp

Filesize
288KB

Download
memory/1284-81-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1284-80-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1284-79-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1284-82-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1688-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-104-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download
memory/1688-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-91-0x0000000002300000-0x0000000002350000-memory.dmp

Filesize
320KB

Download
memory/1688-85-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download
memory/1688-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1688-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1688-88-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download
memory/1688-87-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download
memory/1688-86-0x0000000002300000-0x0000000002348000-memory.dmp

Filesize
288KB

Download
memory/1688-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download