7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe
Size

338KB
MD5

0847d22ba443e40db3cdf15b98493bc1
SHA1

a172ae22e6953c01c4acc37dbbddf4443a0bff83
SHA256

7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46
SHA512

f572ca31562711e6316c660ffcbb1a7fc9e9001bb5f773073f92146838012d5836091a3d6e1d16cc7c24a935736e84b4643a1ced5b10370dd40804663e572148
SSDEEP

6144:/WGw3ndCM8GHAXlGCe9hIuxUHOo3J6ukp5u90MYq+ZdA1uP3bM:OH3kBwA145echu+nXPI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4596	ulry.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	ulry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32C81FC9-556D-BCA0-B82C-F77E75D9ED7C} = "C:\\Users\\Admin\\AppData\\Roaming\\Xoby\\ulry.exe"	ulry.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 4964	1828	7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe	82

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe
4596	ulry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 4596	1828	7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe	81
PID 1828 wrote to memory of 4596	1828	7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe	81
PID 1828 wrote to memory of 4596	1828	7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe	81
PID 4596 wrote to memory of 2304	4596	ulry.exe	25
PID 4596 wrote to memory of 2304	4596	ulry.exe	25
PID 4596 wrote to memory of 2304	4596	ulry.exe	25
PID 4596 wrote to memory of 2304	4596	ulry.exe	25
PID 4596 wrote to memory of 2304	4596	ulry.exe	25
PID 4596 wrote to memory of 2328	4596	ulry.exe	26
PID 4596 wrote to memory of 2328	4596	ulry.exe	26
PID 4596 wrote to memory of 2328	4596	ulry.exe	26
PID 4596 wrote to memory of 2328	4596	ulry.exe	26
PID 4596 wrote to memory of 2328	4596	ulry.exe	26
PID 4596 wrote to memory of 2432	4596	ulry.exe	28
PID 4596 wrote to memory of 2432	4596	ulry.exe	28
PID 4596 wrote to memory of 2432	4596	ulry.exe	28
PID 4596 wrote to memory of 2432	4596	ulry.exe	28
PID 4596 wrote to memory of 2432	4596	ulry.exe	28
PID 4596 wrote to memory of 3040	4596	ulry.exe	37
PID 4596 wrote to memory of 3040	4596	ulry.exe	37
PID 4596 wrote to memory of 3040	4596	ulry.exe	37
PID 4596 wrote to memory of 3040	4596	ulry.exe	37
PID 4596 wrote to memory of 3040	4596	ulry.exe	37
PID 4596 wrote to memory of 2708	4596	ulry.exe	62
PID 4596 wrote to memory of 2708	4596	ulry.exe	62
PID 4596 wrote to memory of 2708	4596	ulry.exe	62
PID 4596 wrote to memory of 2708	4596	ulry.exe	62
PID 4596 wrote to memory of 2708	4596	ulry.exe	62
PID 4596 wrote to memory of 3228	4596	ulry.exe	61
PID 4596 wrote to memory of 3228	4596	ulry.exe	61
PID 4596 wrote to memory of 3228	4596	ulry.exe	61
PID 4596 wrote to memory of 3228	4596	ulry.exe	61
PID 4596 wrote to memory of 3228	4596	ulry.exe	61
PID 4596 wrote to memory of 3324	4596	ulry.exe	60
PID 4596 wrote to memory of 3324	4596	ulry.exe	60
PID 4596 wrote to memory of 3324	4596	ulry.exe	60
PID 4596 wrote to memory of 3324	4596	ulry.exe	60
PID 4596 wrote to memory of 3324	4596	ulry.exe	60
PID 4596 wrote to memory of 3392	4596	ulry.exe	38
PID 4596 wrote to memory of 3392	4596	ulry.exe	38
PID 4596 wrote to memory of 3392	4596	ulry.exe	38
PID 4596 wrote to memory of 3392	4596	ulry.exe	38
PID 4596 wrote to memory of 3392	4596	ulry.exe	38
PID 4596 wrote to memory of 3480	4596	ulry.exe	59
PID 4596 wrote to memory of 3480	4596	ulry.exe	59
PID 4596 wrote to memory of 3480	4596	ulry.exe	59
PID 4596 wrote to memory of 3480	4596	ulry.exe	59
PID 4596 wrote to memory of 3480	4596	ulry.exe	59
PID 4596 wrote to memory of 3788	4596	ulry.exe	58
PID 4596 wrote to memory of 3788	4596	ulry.exe	58
PID 4596 wrote to memory of 3788	4596	ulry.exe	58
PID 4596 wrote to memory of 3788	4596	ulry.exe	58
PID 4596 wrote to memory of 3788	4596	ulry.exe	58
PID 4596 wrote to memory of 4768	4596	ulry.exe	56
PID 4596 wrote to memory of 4768	4596	ulry.exe	56
PID 4596 wrote to memory of 4768	4596	ulry.exe	56
PID 4596 wrote to memory of 4768	4596	ulry.exe	56
PID 4596 wrote to memory of 4768	4596	ulry.exe	56
PID 4596 wrote to memory of 1828	4596	ulry.exe	80
PID 4596 wrote to memory of 1828	4596	ulry.exe	80
PID 4596 wrote to memory of 1828	4596	ulry.exe	80
PID 4596 wrote to memory of 1828	4596	ulry.exe	80
PID 4596 wrote to memory of 1828	4596	ulry.exe	80
PID 1828 wrote to memory of 4964	1828	7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe	82

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2328

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe
  "C:\Users\Admin\AppData\Local\Temp\7c40c3ad410be8e75f928c712de05d918ed880bc7427845793bd781f0d931c46.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Roaming\Xoby\ulry.exe
    "C:\Users\Admin\AppData\Roaming\Xoby\ulry.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbcf5b34a.bat"
    3⤵
    PID:4964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbcf5b34a.bat

Filesize
307B

MD5
64c1054694a994a448bd0e93f206a2a3

SHA1
d6bcfaaf76ca3c9ba025c7b826b1d996b2416679

SHA256
5e10464c48516e651df99344a67540600bac01bc5aae9c75a8469ec90391cf8a

SHA512
5159a10d6bdc8980dc0439bd8189bdc0f9987c247655d45a957316bd47552407adda1717efaafc8fa97aac223e818be99fb4e35cf325c8da73a71f96eb0b730f

Download Submit
C:\Users\Admin\AppData\Roaming\Xoby\ulry.exe

Filesize
338KB

MD5
ad3d248670e6274f55dc02dfa09c9ff2

SHA1
30e7d09a3a2b7b62ab31a5a0427b23dbfda6fed0

SHA256
96146639e0b04347eab1dacbeedd79c5a23951d99871692c9d5441d416498f06

SHA512
aae95480e02010fd2ebb6e6bd4fb6f4687cb10e8c20fe4d815f98af2b4599c9b9940bb15dcfba124829b66878df04efb3f50e49dacc0a42be341a17622947954

Download Submit
C:\Users\Admin\AppData\Roaming\Xoby\ulry.exe

Filesize
338KB

MD5
ad3d248670e6274f55dc02dfa09c9ff2

SHA1
30e7d09a3a2b7b62ab31a5a0427b23dbfda6fed0

SHA256
96146639e0b04347eab1dacbeedd79c5a23951d99871692c9d5441d416498f06

SHA512
aae95480e02010fd2ebb6e6bd4fb6f4687cb10e8c20fe4d815f98af2b4599c9b9940bb15dcfba124829b66878df04efb3f50e49dacc0a42be341a17622947954

Download Submit
memory/1828-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1828-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1828-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-147-0x00000000021E0000-0x0000000002226000-memory.dmp

Filesize
280KB

Download
memory/1828-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-134-0x00000000020F0000-0x0000000002136000-memory.dmp

Filesize
280KB

Download
memory/1828-146-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4596-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4596-156-0x0000000000720000-0x0000000000766000-memory.dmp

Filesize
280KB

Download
memory/4964-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-155-0x0000000000B00000-0x0000000000B46000-memory.dmp

Filesize
280KB

Download
memory/4964-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4964-145-0x0000000000B00000-0x0000000000B46000-memory.dmp

Filesize
280KB

Download