74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe
Size

322KB
MD5

6c78a972994cc61b642f870ff9239c28
SHA1

67e15a2e9084165b5dee5d3a31abb35a01d6a3ce
SHA256

74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f
SHA512

4ce2e245a9388d6dab824874edc61a6fa8d2b6758b26810d6b1852fb71ed4109a99d8b530cd3dfb5db83eaccdda9bf80c5e344203f9d3649b6ef22ee6ce6539c
SSDEEP

6144:VJgJqLRdtwj7Cx9CfmXyKN3Or7PigcAkfTGHsOE9G/2yEuaIrouctmz:3SyRw+9CfmXyKBOXYAwTXO0zuaIrour

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1896	anfu.exe
2000	anfu.exe

Deletes itself 1 IoCs

pid	Process
1084	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe
780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	anfu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Ytyxaw\\anfu.exe"	anfu.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 1896 set thread context of 2000	1896	anfu.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe
2000	anfu.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 900 wrote to memory of 780	900	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	27
PID 780 wrote to memory of 1896	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	28
PID 780 wrote to memory of 1896	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	28
PID 780 wrote to memory of 1896	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	28
PID 780 wrote to memory of 1896	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	28
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 1896 wrote to memory of 2000	1896	anfu.exe	29
PID 2000 wrote to memory of 1260	2000	anfu.exe	16
PID 2000 wrote to memory of 1260	2000	anfu.exe	16
PID 780 wrote to memory of 1084	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	30
PID 780 wrote to memory of 1084	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	30
PID 780 wrote to memory of 1084	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	30
PID 780 wrote to memory of 1084	780	74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe	30
PID 2000 wrote to memory of 1260	2000	anfu.exe	16
PID 2000 wrote to memory of 1260	2000	anfu.exe	16
PID 2000 wrote to memory of 1260	2000	anfu.exe	16
PID 2000 wrote to memory of 1364	2000	anfu.exe	15
PID 2000 wrote to memory of 1364	2000	anfu.exe	15
PID 2000 wrote to memory of 1364	2000	anfu.exe	15
PID 2000 wrote to memory of 1364	2000	anfu.exe	15
PID 2000 wrote to memory of 1364	2000	anfu.exe	15
PID 2000 wrote to memory of 1420	2000	anfu.exe	14
PID 2000 wrote to memory of 1420	2000	anfu.exe	14
PID 2000 wrote to memory of 1420	2000	anfu.exe	14
PID 2000 wrote to memory of 1420	2000	anfu.exe	14
PID 2000 wrote to memory of 1420	2000	anfu.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe
  "C:\Users\Admin\AppData\Local\Temp\74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe
    "C:\Users\Admin\AppData\Local\Temp\74ee5c3d4522602d2537d902875d706cda37fdfc41b53a4e20e494d5b3f6504f.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe
      "C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe
        
        "C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9061a2b3.bat"
      4⤵
      Deletes itself
      PID:1084

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9061a2b3.bat

Filesize
307B

MD5
46873716f7a6a1694d278de6be8aaec5

SHA1
8b6754a3b887e0a90d4e75754268797dceef8fd1

SHA256
4d1d6b6f6f2a6be672e38e69a4777296924e15909bbcac277d28b917a1f28cf8

SHA512
6ecb1e76631a0eeed57f8666c5f0fdec4674c4ce91ee7751cd8b5ab5796b9e33db93d4a6035c14b63a41386c7a5c85879de0eca03e9becf318f1dfcc158f111a

Download Submit
C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe

Filesize
322KB

MD5
0b989401554ab5828a5e368b5e247060

SHA1
7bab84c0cd8122b94bc9ac65bfaf5706cd5e9273

SHA256
0c9546bba68c653655924b9c38f29d17d018a2d43b54ae1bb92c04773fd0e42a

SHA512
38671cda43f3712785c1e00e8a7a5ba1d6f0542754d1cf24e3647d29dd668af0e7ad3ddba107e829cc003eee8edc54c9397eb72969857958d889fb539f26d8e7

Download Submit
C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe

Filesize
322KB

MD5
0b989401554ab5828a5e368b5e247060

SHA1
7bab84c0cd8122b94bc9ac65bfaf5706cd5e9273

SHA256
0c9546bba68c653655924b9c38f29d17d018a2d43b54ae1bb92c04773fd0e42a

SHA512
38671cda43f3712785c1e00e8a7a5ba1d6f0542754d1cf24e3647d29dd668af0e7ad3ddba107e829cc003eee8edc54c9397eb72969857958d889fb539f26d8e7

Download Submit
C:\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe

Filesize
322KB

MD5
0b989401554ab5828a5e368b5e247060

SHA1
7bab84c0cd8122b94bc9ac65bfaf5706cd5e9273

SHA256
0c9546bba68c653655924b9c38f29d17d018a2d43b54ae1bb92c04773fd0e42a

SHA512
38671cda43f3712785c1e00e8a7a5ba1d6f0542754d1cf24e3647d29dd668af0e7ad3ddba107e829cc003eee8edc54c9397eb72969857958d889fb539f26d8e7

Download Submit
\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe

Filesize
322KB

MD5
0b989401554ab5828a5e368b5e247060

SHA1
7bab84c0cd8122b94bc9ac65bfaf5706cd5e9273

SHA256
0c9546bba68c653655924b9c38f29d17d018a2d43b54ae1bb92c04773fd0e42a

SHA512
38671cda43f3712785c1e00e8a7a5ba1d6f0542754d1cf24e3647d29dd668af0e7ad3ddba107e829cc003eee8edc54c9397eb72969857958d889fb539f26d8e7

Download Submit
\Users\Admin\AppData\Roaming\Ytyxaw\anfu.exe

Filesize
322KB

MD5
0b989401554ab5828a5e368b5e247060

SHA1
7bab84c0cd8122b94bc9ac65bfaf5706cd5e9273

SHA256
0c9546bba68c653655924b9c38f29d17d018a2d43b54ae1bb92c04773fd0e42a

SHA512
38671cda43f3712785c1e00e8a7a5ba1d6f0542754d1cf24e3647d29dd668af0e7ad3ddba107e829cc003eee8edc54c9397eb72969857958d889fb539f26d8e7

Download Submit
memory/780-64-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/780-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/780-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/780-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/780-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/780-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/780-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/900-63-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1260-84-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/1260-85-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/1260-87-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/1260-89-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/1364-93-0x0000000001AE0000-0x0000000001B2C000-memory.dmp

Filesize
304KB

Download
memory/1364-92-0x0000000001AE0000-0x0000000001B2C000-memory.dmp

Filesize
304KB

Download
memory/1364-94-0x0000000001AE0000-0x0000000001B2C000-memory.dmp

Filesize
304KB

Download
memory/1364-95-0x0000000001AE0000-0x0000000001B2C000-memory.dmp

Filesize
304KB

Download
memory/1420-99-0x00000000026B0000-0x00000000026FC000-memory.dmp

Filesize
304KB

Download
memory/1420-101-0x00000000026B0000-0x00000000026FC000-memory.dmp

Filesize
304KB

Download
memory/1420-100-0x00000000026B0000-0x00000000026FC000-memory.dmp

Filesize
304KB

Download
memory/1420-102-0x00000000026B0000-0x00000000026FC000-memory.dmp

Filesize
304KB

Download
memory/1896-79-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2000-103-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download