90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1

Analysis

max time kernel
150s
max time network
80s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
Size

209KB
MD5

c0d62caa0437de0a41c61e5584a29594
SHA1

200037c27215b5d9c7cb994bc96192da3e1d1e3d
SHA256

90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1
SHA512

f8ffd8932e22c07a05decfcf59e4d654f82d12ad0b6d65d7b032ff924785a0d654b67257c060e15bb59a0f19d9ff60bd605ad9d66d1026fbf96c0accfbbc36f3
SSDEEP

6144:X4Csg/wAcsP4YeUPeYOwToSAw3HgNzx5Nod38:ovdAFChSATV5N+M

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1504	losy.exe
1692	losy.exe

Deletes itself 1 IoCs

pid	Process
892	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	losy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	losy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Emgigoof = "C:\\Users\\Admin\\AppData\\Roaming\\Ciygqy\\losy.exe"	losy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1504 set thread context of 1692	1504	losy.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe
1692	losy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
Token: SeSecurityPrivilege	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
Token: SeSecurityPrivilege	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
Token: SeSecurityPrivilege	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1672 wrote to memory of 1880	1672	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	27
PID 1880 wrote to memory of 1504	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	28
PID 1880 wrote to memory of 1504	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	28
PID 1880 wrote to memory of 1504	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	28
PID 1880 wrote to memory of 1504	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	28
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1504 wrote to memory of 1692	1504	losy.exe	29
PID 1692 wrote to memory of 1136	1692	losy.exe	19
PID 1692 wrote to memory of 1136	1692	losy.exe	19
PID 1692 wrote to memory of 1136	1692	losy.exe	19
PID 1692 wrote to memory of 1136	1692	losy.exe	19
PID 1692 wrote to memory of 1136	1692	losy.exe	19
PID 1692 wrote to memory of 1232	1692	losy.exe	18
PID 1692 wrote to memory of 1232	1692	losy.exe	18
PID 1692 wrote to memory of 1232	1692	losy.exe	18
PID 1692 wrote to memory of 1232	1692	losy.exe	18
PID 1692 wrote to memory of 1232	1692	losy.exe	18
PID 1692 wrote to memory of 1268	1692	losy.exe	12
PID 1692 wrote to memory of 1268	1692	losy.exe	12
PID 1692 wrote to memory of 1268	1692	losy.exe	12
PID 1692 wrote to memory of 1268	1692	losy.exe	12
PID 1692 wrote to memory of 1268	1692	losy.exe	12
PID 1692 wrote to memory of 1880	1692	losy.exe	27
PID 1692 wrote to memory of 1880	1692	losy.exe	27
PID 1692 wrote to memory of 1880	1692	losy.exe	27
PID 1692 wrote to memory of 1880	1692	losy.exe	27
PID 1692 wrote to memory of 1880	1692	losy.exe	27
PID 1880 wrote to memory of 892	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	30
PID 1880 wrote to memory of 892	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	30
PID 1880 wrote to memory of 892	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	30
PID 1880 wrote to memory of 892	1880	90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe	30
PID 1692 wrote to memory of 892	1692	losy.exe	30
PID 1692 wrote to memory of 1556	1692	losy.exe	32
PID 1692 wrote to memory of 1556	1692	losy.exe	32
PID 1692 wrote to memory of 1556	1692	losy.exe	32
PID 1692 wrote to memory of 1556	1692	losy.exe	32
PID 1692 wrote to memory of 1556	1692	losy.exe	32
PID 1692 wrote to memory of 584	1692	losy.exe	33
PID 1692 wrote to memory of 584	1692	losy.exe	33
PID 1692 wrote to memory of 584	1692	losy.exe	33
PID 1692 wrote to memory of 584	1692	losy.exe	33
PID 1692 wrote to memory of 584	1692	losy.exe	33
PID 1692 wrote to memory of 604	1692	losy.exe	34
PID 1692 wrote to memory of 604	1692	losy.exe	34
PID 1692 wrote to memory of 604	1692	losy.exe	34
PID 1692 wrote to memory of 604	1692	losy.exe	34
PID 1692 wrote to memory of 604	1692	losy.exe	34
PID 1692 wrote to memory of 1812	1692	losy.exe	35
PID 1692 wrote to memory of 1812	1692	losy.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
  "C:\Users\Admin\AppData\Local\Temp\90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
    C:\Users\Admin\AppData\Local\Temp\90d8055f8858c99a1c735436d42bbe1ff54363c9428b927c2eb7edbba45cf6c1.exe
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe
      "C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe
        
        C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6fa75b7d.bat"
      4⤵
      Deletes itself
      PID:892

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6fa75b7d.bat

Filesize
307B

MD5
71297af2e7acbada7179ad382eb67a08

SHA1
1c9101be7494ad064f2b76f5dce7c5d25d67a0c6

SHA256
a62918bcdd5e78262fd2c941091fb430a9098a23c819ac5e2ff15f09a6da48af

SHA512
17ee50a0a7a8422dce4c6c19612768fe3cdee6c71c304e83d455dda1de20c1387bfd725da3aeb105dc0b0eec918e2049c149dc793e6cc6752e6aa30716a36b93

Download Submit
C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe

Filesize
209KB

MD5
55ba3a13a3238b815fa07a26865fb4a2

SHA1
4ddd298996f689ade8877a3d5991ed69ed056925

SHA256
983962f60a24b281144e1f502be026dc32b22b3a7d53a39fc222b1dab6202f0d

SHA512
3cd243c44cce4497948c12aa5e5c17b56fd135b79fe10c1211a3c63eae6b86938f0ede55f1bf1d286cd6954ceb3ecd080edfd0b502e29b08a3ea5112c9eb3994

Download Submit
C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe

Filesize
209KB

MD5
55ba3a13a3238b815fa07a26865fb4a2

SHA1
4ddd298996f689ade8877a3d5991ed69ed056925

SHA256
983962f60a24b281144e1f502be026dc32b22b3a7d53a39fc222b1dab6202f0d

SHA512
3cd243c44cce4497948c12aa5e5c17b56fd135b79fe10c1211a3c63eae6b86938f0ede55f1bf1d286cd6954ceb3ecd080edfd0b502e29b08a3ea5112c9eb3994

Download Submit
C:\Users\Admin\AppData\Roaming\Ciygqy\losy.exe

Filesize
209KB

MD5
55ba3a13a3238b815fa07a26865fb4a2

SHA1
4ddd298996f689ade8877a3d5991ed69ed056925

SHA256
983962f60a24b281144e1f502be026dc32b22b3a7d53a39fc222b1dab6202f0d

SHA512
3cd243c44cce4497948c12aa5e5c17b56fd135b79fe10c1211a3c63eae6b86938f0ede55f1bf1d286cd6954ceb3ecd080edfd0b502e29b08a3ea5112c9eb3994

Download Submit
C:\Users\Admin\AppData\Roaming\Xeevc\iczi.igy

Filesize
421B

MD5
678a078a4276e714dca570ac5f556e8a

SHA1
4564ac4435e566604fa875aa5997db67a8f4ad2e

SHA256
600dad6619699e594774b721423e9a48c2a0187cc5885b71c5d78c78d75fa884

SHA512
4634fe4b63416be7a45f3aa5a67cfa4dc4dce7e4086d2dddd011b1d0a3317967a758a9f434cc8fb6970f2d27cb26d7ac54fa7051184c901584ea487ce0419b7a

Download Submit
\Users\Admin\AppData\Roaming\Ciygqy\losy.exe

Filesize
209KB

MD5
55ba3a13a3238b815fa07a26865fb4a2

SHA1
4ddd298996f689ade8877a3d5991ed69ed056925

SHA256
983962f60a24b281144e1f502be026dc32b22b3a7d53a39fc222b1dab6202f0d

SHA512
3cd243c44cce4497948c12aa5e5c17b56fd135b79fe10c1211a3c63eae6b86938f0ede55f1bf1d286cd6954ceb3ecd080edfd0b502e29b08a3ea5112c9eb3994

Download Submit
\Users\Admin\AppData\Roaming\Ciygqy\losy.exe

Filesize
209KB

MD5
55ba3a13a3238b815fa07a26865fb4a2

SHA1
4ddd298996f689ade8877a3d5991ed69ed056925

SHA256
983962f60a24b281144e1f502be026dc32b22b3a7d53a39fc222b1dab6202f0d

SHA512
3cd243c44cce4497948c12aa5e5c17b56fd135b79fe10c1211a3c63eae6b86938f0ede55f1bf1d286cd6954ceb3ecd080edfd0b502e29b08a3ea5112c9eb3994

Download Submit
memory/1136-89-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1136-88-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1136-90-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1136-87-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1232-93-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1232-95-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1232-96-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1232-94-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1268-99-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1268-100-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1268-102-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1268-101-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1692-84-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-113-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-116-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-105-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-107-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-106-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-108-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-109-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-111-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-118-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-120-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-122-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-126-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-124-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-128-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-235-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-236-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1880-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download