1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007

Analysis

max time kernel
185s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe
Size

296KB
MD5

b2b7ef34a4fb9b4bf862f01e3c7943d1
SHA1

2f971fe1bec2a70a03293d91e0e6536be89b59a6
SHA256

1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007
SHA512

aa58e2a10c746d531759109e97b6caa20d9762c968b968c35071eb7cc989bad3a148ae69d0a4c429539b6dfb0a4e0fd6d7906846acebb3e3e360f3bb5c29d083
SSDEEP

6144:NyNeH4vkOjMUeNZlzDVcHZ7116DhmK10GiZShjLV:NyNeH4CUeNZJZcHrUQGioh/V

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4464	osbuyr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	osbuyr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Osbuyr = "C:\\Users\\Admin\\AppData\\Roaming\\Utdy\\osbuyr.exe"	osbuyr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 1772	2380	1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe	80

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe
4464	osbuyr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4464	2380	1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe	79
PID 2380 wrote to memory of 4464	2380	1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe	79
PID 2380 wrote to memory of 4464	2380	1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe	79
PID 4464 wrote to memory of 2436	4464	osbuyr.exe	24
PID 4464 wrote to memory of 2436	4464	osbuyr.exe	24
PID 4464 wrote to memory of 2436	4464	osbuyr.exe	24
PID 4464 wrote to memory of 2436	4464	osbuyr.exe	24
PID 4464 wrote to memory of 2436	4464	osbuyr.exe	24
PID 4464 wrote to memory of 2444	4464	osbuyr.exe	57
PID 4464 wrote to memory of 2444	4464	osbuyr.exe	57
PID 4464 wrote to memory of 2444	4464	osbuyr.exe	57
PID 4464 wrote to memory of 2444	4464	osbuyr.exe	57
PID 4464 wrote to memory of 2444	4464	osbuyr.exe	57
PID 4464 wrote to memory of 2580	4464	osbuyr.exe	55
PID 4464 wrote to memory of 2580	4464	osbuyr.exe	55
PID 4464 wrote to memory of 2580	4464	osbuyr.exe	55
PID 4464 wrote to memory of 2580	4464	osbuyr.exe	55
PID 4464 wrote to memory of 2580	4464	osbuyr.exe	55
PID 4464 wrote to memory of 3076	4464	osbuyr.exe	50
PID 4464 wrote to memory of 3076	4464	osbuyr.exe	50
PID 4464 wrote to memory of 3076	4464	osbuyr.exe	50
PID 4464 wrote to memory of 3076	4464	osbuyr.exe	50
PID 4464 wrote to memory of 3076	4464	osbuyr.exe	50
PID 4464 wrote to memory of 3216	4464	osbuyr.exe	49
PID 4464 wrote to memory of 3216	4464	osbuyr.exe	49
PID 4464 wrote to memory of 3216	4464	osbuyr.exe	49
PID 4464 wrote to memory of 3216	4464	osbuyr.exe	49
PID 4464 wrote to memory of 3216	4464	osbuyr.exe	49
PID 4464 wrote to memory of 3416	4464	osbuyr.exe	48
PID 4464 wrote to memory of 3416	4464	osbuyr.exe	48
PID 4464 wrote to memory of 3416	4464	osbuyr.exe	48
PID 4464 wrote to memory of 3416	4464	osbuyr.exe	48
PID 4464 wrote to memory of 3416	4464	osbuyr.exe	48
PID 4464 wrote to memory of 3508	4464	osbuyr.exe	47
PID 4464 wrote to memory of 3508	4464	osbuyr.exe	47
PID 4464 wrote to memory of 3508	4464	osbuyr.exe	47
PID 4464 wrote to memory of 3508	4464	osbuyr.exe	47
PID 4464 wrote to memory of 3508	4464	osbuyr.exe	47
PID 4464 wrote to memory of 3572	4464	osbuyr.exe	46
PID 4464 wrote to memory of 3572	4464	osbuyr.exe	46
PID 4464 wrote to memory of 3572	4464	osbuyr.exe	46
PID 4464 wrote to memory of 3572	4464	osbuyr.exe	46
PID 4464 wrote to memory of 3572	4464	osbuyr.exe	46
PID 4464 wrote to memory of 3660	4464	osbuyr.exe	45
PID 4464 wrote to memory of 3660	4464	osbuyr.exe	45
PID 4464 wrote to memory of 3660	4464	osbuyr.exe	45
PID 4464 wrote to memory of 3660	4464	osbuyr.exe	45
PID 4464 wrote to memory of 3660	4464	osbuyr.exe	45
PID 4464 wrote to memory of 3832	4464	osbuyr.exe	44
PID 4464 wrote to memory of 3832	4464	osbuyr.exe	44
PID 4464 wrote to memory of 3832	4464	osbuyr.exe	44
PID 4464 wrote to memory of 3832	4464	osbuyr.exe	44
PID 4464 wrote to memory of 3832	4464	osbuyr.exe	44
PID 4464 wrote to memory of 4604	4464	osbuyr.exe	28
PID 4464 wrote to memory of 4604	4464	osbuyr.exe	28
PID 4464 wrote to memory of 4604	4464	osbuyr.exe	28
PID 4464 wrote to memory of 4604	4464	osbuyr.exe	28
PID 4464 wrote to memory of 4604	4464	osbuyr.exe	28
PID 4464 wrote to memory of 2380	4464	osbuyr.exe	78
PID 4464 wrote to memory of 2380	4464	osbuyr.exe	78
PID 4464 wrote to memory of 2380	4464	osbuyr.exe	78
PID 4464 wrote to memory of 2380	4464	osbuyr.exe	78
PID 4464 wrote to memory of 2380	4464	osbuyr.exe	78
PID 2380 wrote to memory of 1772	2380	1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe	80

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4604

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe
  "C:\Users\Admin\AppData\Local\Temp\1a3773b40119a7682fcb6ea5d1ae87976b6ac8ecb168bed23a8b0fd5cf2a6007.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Roaming\Utdy\osbuyr.exe
    "C:\Users\Admin\AppData\Roaming\Utdy\osbuyr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FGBB76A.bat"
    3⤵
    PID:1772

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FGBB76A.bat

Filesize
303B

MD5
3d7b4266370a594b7dc4e84361a61fca

SHA1
348585287202f57549dfc5db3bfbe9a51ee1fd04

SHA256
9734ec8c43f25eb2fb376fc113bb9e2c40181848b89820370e1e6e494ca3eab3

SHA512
e2e94d4a396dadcfe356c7e9dc0d5a1094618ca734d6471f77780a4bca0c372aaf89076617bca7673e03b344c7fcb27ae6e317cf78b127bf42d71373a108a15d

Download Submit
C:\Users\Admin\AppData\Roaming\Utdy\osbuyr.exe

Filesize
296KB

MD5
7986ca52671cc84a12985e845501afb6

SHA1
f47222f1fcb5e26ca4e723ee6d2692279164213f

SHA256
db3b10340b217b0621e754e41af1f8c7b583b67be15b0186587e41c9fdafca26

SHA512
084e06f676b80198264fee1f43e0734c58b87a447d3957f7dffac99ddc7e0b6a8460e09302aa8c24b7a861b79da9fa6a884f48c8f2b4c74526ad5b2d38e8a2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Utdy\osbuyr.exe

Filesize
296KB

MD5
7986ca52671cc84a12985e845501afb6

SHA1
f47222f1fcb5e26ca4e723ee6d2692279164213f

SHA256
db3b10340b217b0621e754e41af1f8c7b583b67be15b0186587e41c9fdafca26

SHA512
084e06f676b80198264fee1f43e0734c58b87a447d3957f7dffac99ddc7e0b6a8460e09302aa8c24b7a861b79da9fa6a884f48c8f2b4c74526ad5b2d38e8a2f4

Download Submit
memory/1772-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-157-0x0000000001100000-0x0000000001149000-memory.dmp

Filesize
292KB

Download
memory/1772-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1772-147-0x0000000001100000-0x0000000001149000-memory.dmp

Filesize
292KB

Download
memory/2380-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-145-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-148-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/2380-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-142-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/2380-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2380-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2380-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/4464-137-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download