816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 12:30

Target

816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe
Size

157KB
MD5

7c4ae11e12694c172d03480dc158ab5f
SHA1

e732c826714a4b7bd3ead4dca111a2b4bffbdf4d
SHA256

816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399
SHA512

4c4f13696808c2b076f433006879d9e152d639ce5f8dac90f97feba8b8e51b14a7e633e76795d366ce2a63dcb1c02de7605acfcc5edb82aee672b3c0bad9b8fd
SSDEEP

3072:mrLCtaoH9/WLL4SSq13c7oDsB7xacCAp7Bl31Ye2gBlEF8mn:Tta+LSSq13cUDWVvBlOIU

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1404	Mnyzoa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Mnyzoa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe
File created	C:\Windows\Mnyzoa.exe	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe
File opened for modification	C:\Windows\Mnyzoa.exe	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Mnyzoa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Mnyzoa.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International	Mnyzoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1404	1812	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe	28
PID 1812 wrote to memory of 1404	1812	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe	28
PID 1812 wrote to memory of 1404	1812	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe	28
PID 1812 wrote to memory of 1404	1812	816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399.exe	28

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\Mnyzoa.exe

Filesize
157KB

MD5
7c4ae11e12694c172d03480dc158ab5f

SHA1
e732c826714a4b7bd3ead4dca111a2b4bffbdf4d

SHA256
816318ffa9ccf893b79a2ee22bcb1a47adbcce50633d543a9c2858e1f1048399

SHA512
4c4f13696808c2b076f433006879d9e152d639ce5f8dac90f97feba8b8e51b14a7e633e76795d366ce2a63dcb1c02de7605acfcc5edb82aee672b3c0bad9b8fd

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
408B

MD5
0def20c478deb9c97800d14a8382642d

SHA1
7e33333f2f8284b89521a301d870ae640592f8b5

SHA256
22d7ebd5a0810e6d14caa697539b749e252545004dbc33ad0f6b39e2ce7a7b57

SHA512
706c3cf69063746eeaa17a295cde33ae943cc8ec54be1db0a745587549b20fb672cc94d9f4363cd619a1a3fbd1158d00645f585b91941427fad081ccf8aa4ddf

Download Submit
memory/1404-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1404-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1812-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-61-0x0000000002030000-0x000000000206B000-memory.dmp

Filesize
236KB

Download
memory/1812-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download