84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe
Size

358KB
MD5

dadea8652cf1f1a4273b9e9c3ac442fb
SHA1

640b88298ea370ff493250a567bc1170a798576e
SHA256

84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485
SHA512

4e82f338618f450e93e8af92946b1ed4f2220b8e742c5c329651766d30ec9fdf09b1efa0ae065bdf0ca8f396eb80680937d305a9f17b0d1deb6f3bc96dbd2109
SSDEEP

6144:4zdSNMU2jhGER06DNBR/dfOGZtTUS/hj79ovsS8X52atIA:ldURlfOGZxzj7W02uIA

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	rywii.exe

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe
832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	rywii.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Vesy\\rywii.exe"	rywii.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe
1264	rywii.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe
1264	rywii.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1264	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	29
PID 832 wrote to memory of 1264	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	29
PID 832 wrote to memory of 1264	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	29
PID 832 wrote to memory of 1264	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	29
PID 1264 wrote to memory of 1112	1264	rywii.exe	14
PID 1264 wrote to memory of 1112	1264	rywii.exe	14
PID 1264 wrote to memory of 1112	1264	rywii.exe	14
PID 1264 wrote to memory of 1112	1264	rywii.exe	14
PID 1264 wrote to memory of 1112	1264	rywii.exe	14
PID 1264 wrote to memory of 1180	1264	rywii.exe	13
PID 1264 wrote to memory of 1180	1264	rywii.exe	13
PID 1264 wrote to memory of 1180	1264	rywii.exe	13
PID 1264 wrote to memory of 1180	1264	rywii.exe	13
PID 1264 wrote to memory of 1180	1264	rywii.exe	13
PID 1264 wrote to memory of 1208	1264	rywii.exe	12
PID 1264 wrote to memory of 1208	1264	rywii.exe	12
PID 1264 wrote to memory of 1208	1264	rywii.exe	12
PID 1264 wrote to memory of 1208	1264	rywii.exe	12
PID 1264 wrote to memory of 1208	1264	rywii.exe	12
PID 1264 wrote to memory of 832	1264	rywii.exe	18
PID 1264 wrote to memory of 832	1264	rywii.exe	18
PID 1264 wrote to memory of 832	1264	rywii.exe	18
PID 1264 wrote to memory of 832	1264	rywii.exe	18
PID 1264 wrote to memory of 832	1264	rywii.exe	18
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28
PID 832 wrote to memory of 1308	832	84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe
  "C:\Users\Admin\AppData\Local\Temp\84a64a11ba59e0b541122f9f492fc40a17f0ce3bcf2978eacca0d7a81d637485.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd3b06939.bat"
    3⤵
    - Deletes itself
    PID:1308
- - C:\Users\Admin\AppData\Roaming\Vesy\rywii.exe
    "C:\Users\Admin\AppData\Roaming\Vesy\rywii.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd3b06939.bat

Filesize
307B

MD5
13219efa064bf33017b8f914d298fc3c

SHA1
589634e163f153b4b71aaa3baabdaecef484ddff

SHA256
a5baeaf7d0ec8bcb1d49f1f11b63e170b43751eb2fcb391080035d1edbeacd7c

SHA512
fd20e10ee8801169038b98083f187fb23c456db2de0899d60cdafac59d2578150b0211a67fce9abb49a98344c126fd9ecfa3799def7e38dd3656a0e83be3ddc2

Download Submit
C:\Users\Admin\AppData\Roaming\Vesy\rywii.exe

Filesize
358KB

MD5
cd2b41c0448596bac26e8d63d2bad54b

SHA1
004f7128bfdec8bcac419f536d975e224a83c022

SHA256
c7ee1ce6deba6185fa3f1b75954286f5c8db628fda2d23818fd4ff8d53811dc2

SHA512
9273de6412f82ac442af911d6cdb81ed3ee96b8dc5447b51b0cb4090f7bd056130640dc603c0cb76378ff1675b75d03af3440956ca159da946aa6dd53087009f

Download Submit
C:\Users\Admin\AppData\Roaming\Vesy\rywii.exe

Filesize
358KB

MD5
cd2b41c0448596bac26e8d63d2bad54b

SHA1
004f7128bfdec8bcac419f536d975e224a83c022

SHA256
c7ee1ce6deba6185fa3f1b75954286f5c8db628fda2d23818fd4ff8d53811dc2

SHA512
9273de6412f82ac442af911d6cdb81ed3ee96b8dc5447b51b0cb4090f7bd056130640dc603c0cb76378ff1675b75d03af3440956ca159da946aa6dd53087009f

Download Submit
\Users\Admin\AppData\Roaming\Vesy\rywii.exe

Filesize
358KB

MD5
cd2b41c0448596bac26e8d63d2bad54b

SHA1
004f7128bfdec8bcac419f536d975e224a83c022

SHA256
c7ee1ce6deba6185fa3f1b75954286f5c8db628fda2d23818fd4ff8d53811dc2

SHA512
9273de6412f82ac442af911d6cdb81ed3ee96b8dc5447b51b0cb4090f7bd056130640dc603c0cb76378ff1675b75d03af3440956ca159da946aa6dd53087009f

Download Submit
\Users\Admin\AppData\Roaming\Vesy\rywii.exe

Filesize
358KB

MD5
cd2b41c0448596bac26e8d63d2bad54b

SHA1
004f7128bfdec8bcac419f536d975e224a83c022

SHA256
c7ee1ce6deba6185fa3f1b75954286f5c8db628fda2d23818fd4ff8d53811dc2

SHA512
9273de6412f82ac442af911d6cdb81ed3ee96b8dc5447b51b0cb4090f7bd056130640dc603c0cb76378ff1675b75d03af3440956ca159da946aa6dd53087009f

Download Submit
memory/832-96-0x0000000001BE0000-0x0000000001C3B000-memory.dmp

Filesize
364KB

Download
memory/832-95-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/832-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-85-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/832-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/832-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-98-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/832-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-83-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/832-84-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/832-86-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1112-66-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-68-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-63-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-67-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-65-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1180-71-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-72-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-73-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1180-74-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1208-78-0x0000000002A10000-0x0000000002A54000-memory.dmp

Filesize
272KB

Download
memory/1208-77-0x0000000002A10000-0x0000000002A54000-memory.dmp

Filesize
272KB

Download
memory/1208-79-0x0000000002A10000-0x0000000002A54000-memory.dmp

Filesize
272KB

Download
memory/1208-80-0x0000000002A10000-0x0000000002A54000-memory.dmp

Filesize
272KB

Download
memory/1264-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1264-102-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1264-103-0x0000000001C30000-0x0000000001C8B000-memory.dmp

Filesize
364KB

Download
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1308-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-94-0x00000000000671E6-mapping.dmp

Download
memory/1308-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download