82bef85e792010eb8524eb52cdaca98e43a1378ce15123e596069ab8c59a9ce5

Analysis

max time kernel
126s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82bef85e792010eb8524eb52cdaca98e43a1378ce15123e596069ab8c59a9ce5.dll
Size

337KB
MD5

15eb5ff4262141a76fa4a30647898f10
SHA1

62f9ab909d2d6febec851400f7babfff5db4adf3
SHA256

82bef85e792010eb8524eb52cdaca98e43a1378ce15123e596069ab8c59a9ce5
SHA512

86885bb9d257a3b9a8a7da456f5c9bdc0aa189ecbd6aa695ea7b62b350b824f80906754c5f14a12c42e75bb28a3119044fe60cb9df2732b940dc07e0fcc0c6a3
SSDEEP

6144:nfwzl1JD1NCrEbtYXb/AIc7Tg/V/zoJIGyxFq/Vl43:fwLJDKrEebfDQ43

Score

8^/10

evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
384	eyyw.exe
1340	eyyw.exe
332	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
1676	rundll32.exe
1676	rundll32.exe
384	eyyw.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 1664	384	eyyw.exe	32

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
384	eyyw.exe
332	csrss.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1676	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	eyyw.exe
Token: SeDebugPrivilege	384	eyyw.exe
Token: SeShutdownPrivilege	1276	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1676 wrote to memory of 384	1676	rundll32.exe	28
PID 1676 wrote to memory of 384	1676	rundll32.exe	28
PID 1676 wrote to memory of 384	1676	rundll32.exe	28
PID 1676 wrote to memory of 384	1676	rundll32.exe	28
PID 384 wrote to memory of 1340	384	eyyw.exe	29
PID 384 wrote to memory of 1340	384	eyyw.exe	29
PID 384 wrote to memory of 1340	384	eyyw.exe	29
PID 384 wrote to memory of 1340	384	eyyw.exe	29
PID 384 wrote to memory of 1276	384	eyyw.exe	15
PID 384 wrote to memory of 332	384	eyyw.exe	6
PID 384 wrote to memory of 1664	384	eyyw.exe	32
PID 384 wrote to memory of 1664	384	eyyw.exe	32
PID 384 wrote to memory of 1664	384	eyyw.exe	32
PID 384 wrote to memory of 1664	384	eyyw.exe	32
PID 384 wrote to memory of 1664	384	eyyw.exe	32
PID 332 wrote to memory of 860	332	csrss.exe	21

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\82bef85e792010eb8524eb52cdaca98e43a1378ce15123e596069ab8c59a9ce5.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82bef85e792010eb8524eb52cdaca98e43a1378ce15123e596069ab8c59a9ce5.dll,#1
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\eyyw.exe
      "C:\Users\Admin\AppData\Local\Temp\eyyw.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\eyyw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eyyw.exe" nfaddtdsdqaohwozdij
        5⤵
        Executes dropped EXE
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
71e6aedb2591b6c64dd6de51df9eb58f

SHA1
ef0ae42f3b69add9c6b9e7189b28732785ca605d

SHA256
6769110e561f9edfea18f2deb89a676ea5d68553656c6810a0d88bcc5fa64259

SHA512
475b85d014cd999be5346c95c46702d5ee2bd763149cffcb6be3003158111d53c5235f6a55604aa98da9d76643ce9818cce86ca00a14d27a543f30e90e2ae63d

Download Submit
\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
\Users\Admin\AppData\Local\Temp\eyyw.exe

Filesize
337KB

MD5
4f216012e6530d897bb476fc92412e4c

SHA1
c00f0f33f2a6fa5991725c119a5901bf725116bb

SHA256
de4fd9a3d945a5ad1e8f7417d1ec325a730c95dbba703078c54eaa2092aed6a1

SHA512
3db4eaf5593794481978ebb825dc67ca93d161f9d3374c6337d49656517cc0af47745cfdecaba4242f55fcf7e157fbc5a5850fc7c816e7ce832b6bc9f4959e8c

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-88-0x0000000001EF0000-0x0000000001F01000-memory.dmp

Filesize
68KB

Download
memory/384-63-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/384-60-0x0000000000000000-mapping.dmp

Download
memory/384-64-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/384-82-0x0000000002070000-0x0000000002480000-memory.dmp

Filesize
4.1MB

Download
memory/384-83-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/860-103-0x0000000000350000-0x000000000035B000-memory.dmp

Filesize
44KB

Download
memory/860-102-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/860-101-0x0000000000350000-0x000000000035B000-memory.dmp

Filesize
44KB

Download
memory/860-100-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/860-98-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/860-94-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/860-90-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/1276-73-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/1276-81-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/1276-77-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/1340-85-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1340-84-0x0000000001FA0000-0x00000000023B0000-memory.dmp

Filesize
4.1MB

Download
memory/1340-67-0x0000000000000000-mapping.dmp

Download
memory/1664-89-0x0000000000000000-mapping.dmp

Download
memory/1676-57-0x0000000000190000-0x00000000001E8000-memory.dmp

Filesize
352KB

Download
memory/1676-56-0x0000000000191000-0x00000000001CD000-memory.dmp

Filesize
240KB

Download
memory/1676-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1676-72-0x00000000020A0000-0x0000000002240000-memory.dmp

Filesize
1.6MB

Download
memory/1676-54-0x0000000000000000-mapping.dmp

Download