8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512

Analysis

max time kernel
184s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe
Size

94KB
MD5

cb82b19806471254c8856d8737bc0103
SHA1

587a720a718bba14447169b53b6393ca0690dcd6
SHA256

8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512
SHA512

bd9bcbc53dd95754d1c5edc8b41d8cd47502edd95b2a73f5fc3fd5d821550a4562d7b2add0ea31d3ce138665c977899e3e6e86dc1aa8f6dbb434893ab6aae8bd
SSDEEP

1536:HktydJiBH5SlyVzvYJ+uEN6JeCXs5gzUguVm0+t4w+gKj7:wydJq5oyVzs+h0Jv85ZgSmkwWj7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4620	kyh.exe
4908	kyh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4620	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	84
PID 3192 wrote to memory of 4620	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	84
PID 3192 wrote to memory of 4620	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	84
PID 3192 wrote to memory of 4908	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	85
PID 3192 wrote to memory of 4908	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	85
PID 3192 wrote to memory of 4908	3192	8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe	85

C:\Users\Admin\AppData\Local\Temp\8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe
"C:\Users\Admin\AppData\Local\Temp\8631e9b1fb5d38c3c678ae651546326df461730fb66f40c9d7b2db10efe23512.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe
  2⤵
  - Executes dropped EXE
  PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe

Filesize
25KB

MD5
e83470aed564d4472f63da94216f3862

SHA1
b84c6dd8c487f4586ee67041d589caba847d2f5b

SHA256
1c808600901e61e8f8da90f9a35a1676f69d065cde7a1f9bcfea0fe931dba7bb

SHA512
412f746f2d1f6b4036fc40efa99afc2fc4edb05252ba8035659efc86a98a1bb6c7dadc214537bf7fc807860d8de9128fa83fef51a8da81dc9240eab50719445a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe

Filesize
25KB

MD5
e83470aed564d4472f63da94216f3862

SHA1
b84c6dd8c487f4586ee67041d589caba847d2f5b

SHA256
1c808600901e61e8f8da90f9a35a1676f69d065cde7a1f9bcfea0fe931dba7bb

SHA512
412f746f2d1f6b4036fc40efa99afc2fc4edb05252ba8035659efc86a98a1bb6c7dadc214537bf7fc807860d8de9128fa83fef51a8da81dc9240eab50719445a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kyh.exe

Filesize
25KB

MD5
e83470aed564d4472f63da94216f3862

SHA1
b84c6dd8c487f4586ee67041d589caba847d2f5b

SHA256
1c808600901e61e8f8da90f9a35a1676f69d065cde7a1f9bcfea0fe931dba7bb

SHA512
412f746f2d1f6b4036fc40efa99afc2fc4edb05252ba8035659efc86a98a1bb6c7dadc214537bf7fc807860d8de9128fa83fef51a8da81dc9240eab50719445a

Download Submit
memory/4620-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4908-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download