6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Size

199KB
MD5

8cb62a156971ce47e5240a25932faa45
SHA1

29519ab6377f6dda653f5a06b57d0bef90e71163
SHA256

6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8
SHA512

deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7
SSDEEP

3072:mk+Hn2oM3TUULfoAGrLGBgNGGoJKG7ERRbuemXhJGTr5cxXgj2:OnhM3BoHpoGoJKzRg1EcxQq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\ = "Application"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon\ = "%1"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	puy.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1388	puy.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1388	puy.exe

Loads dropped DLL 2 IoCs

pid	Process
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"	puy.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	puy.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\ = "exefile"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon\ = "%1"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\ = "Application"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	puy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\DefaultIcon\ = "%1"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\DefaultIcon	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	puy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command	puy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	puy.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1388	puy.exe
1388	puy.exe
1388	puy.exe
1388	puy.exe
1388	puy.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: 33	1552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1552	AUDIODG.EXE
Token: 33	1552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1552	AUDIODG.EXE
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
1388	puy.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
1388	puy.exe
936	explorer.exe
936	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
1388	puy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1388	1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe	27
PID 1508 wrote to memory of 1388	1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe	27
PID 1508 wrote to memory of 1388	1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe	27
PID 1508 wrote to memory of 1388	1508	6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe	27

C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
"C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\puy.exe
  "C:\Users\Admin\AppData\Local\puy.exe" -gav C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1388

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\puy.exe

Filesize
199KB

MD5
8cb62a156971ce47e5240a25932faa45

SHA1
29519ab6377f6dda653f5a06b57d0bef90e71163

SHA256
6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8

SHA512
deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7

Download Submit
C:\Users\Admin\AppData\Local\puy.exe

Filesize
199KB

MD5
8cb62a156971ce47e5240a25932faa45

SHA1
29519ab6377f6dda653f5a06b57d0bef90e71163

SHA256
6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8

SHA512
deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7

Download Submit
\Users\Admin\AppData\Local\puy.exe

Filesize
199KB

MD5
8cb62a156971ce47e5240a25932faa45

SHA1
29519ab6377f6dda653f5a06b57d0bef90e71163

SHA256
6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8

SHA512
deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7

Download Submit
\Users\Admin\AppData\Local\puy.exe

Filesize
199KB

MD5
8cb62a156971ce47e5240a25932faa45

SHA1
29519ab6377f6dda653f5a06b57d0bef90e71163

SHA256
6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8

SHA512
deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7

Download Submit
memory/936-65-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1388-70-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1388-69-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1388-71-0x0000000074061000-0x0000000074063000-memory.dmp

Filesize
8KB

Download
memory/1388-72-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1508-59-0x0000000002280000-0x0000000002537000-memory.dmp

Filesize
2.7MB

Download
memory/1508-58-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1508-54-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1508-57-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1508-64-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1508-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download