cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3

Analysis

max time kernel
171s
max time network
216s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe
Size

304KB
MD5

603803a45e8b51d6738666c64fe51966
SHA1

2c909fba9e435cf75633b0c069177d7e42c3a2c2
SHA256

cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3
SHA512

1fc76af148d21e6fedef4383d3b17a4658a8f10c341a534356ae9958534cb2385e7d35e840a55c2c933481357d11bd8b49e8abe74edf40ab0a34e604231b17f2
SSDEEP

6144:o6wdmt+S8iXtGZ4FtTfK1bcfwK8jNCm69EfzSWDHhftl1KQi9gSnZoAI1GNk:HPC4tFFticoxz69E+GV0JZoPGm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	wyevn.exe

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe
1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	wyevn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Igfei\\wyevn.exe"	wyevn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe
948	wyevn.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 948	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	28
PID 1796 wrote to memory of 948	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	28
PID 1796 wrote to memory of 948	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	28
PID 1796 wrote to memory of 948	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	28
PID 948 wrote to memory of 1124	948	wyevn.exe	14
PID 948 wrote to memory of 1124	948	wyevn.exe	14
PID 948 wrote to memory of 1124	948	wyevn.exe	14
PID 948 wrote to memory of 1124	948	wyevn.exe	14
PID 948 wrote to memory of 1124	948	wyevn.exe	14
PID 948 wrote to memory of 1184	948	wyevn.exe	13
PID 948 wrote to memory of 1184	948	wyevn.exe	13
PID 948 wrote to memory of 1184	948	wyevn.exe	13
PID 948 wrote to memory of 1184	948	wyevn.exe	13
PID 948 wrote to memory of 1184	948	wyevn.exe	13
PID 948 wrote to memory of 1272	948	wyevn.exe	12
PID 948 wrote to memory of 1272	948	wyevn.exe	12
PID 948 wrote to memory of 1272	948	wyevn.exe	12
PID 948 wrote to memory of 1272	948	wyevn.exe	12
PID 948 wrote to memory of 1272	948	wyevn.exe	12
PID 948 wrote to memory of 1796	948	wyevn.exe	10
PID 948 wrote to memory of 1796	948	wyevn.exe	10
PID 948 wrote to memory of 1796	948	wyevn.exe	10
PID 948 wrote to memory of 1796	948	wyevn.exe	10
PID 948 wrote to memory of 1796	948	wyevn.exe	10
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 1796 wrote to memory of 1936	1796	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	29
PID 948 wrote to memory of 1996	948	wyevn.exe	31
PID 948 wrote to memory of 1996	948	wyevn.exe	31
PID 948 wrote to memory of 1996	948	wyevn.exe	31
PID 948 wrote to memory of 1996	948	wyevn.exe	31
PID 948 wrote to memory of 1996	948	wyevn.exe	31
PID 948 wrote to memory of 1552	948	wyevn.exe	32
PID 948 wrote to memory of 1552	948	wyevn.exe	32
PID 948 wrote to memory of 1552	948	wyevn.exe	32
PID 948 wrote to memory of 1552	948	wyevn.exe	32
PID 948 wrote to memory of 1552	948	wyevn.exe	32

C:\Users\Admin\AppData\Local\Temp\cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe
"C:\Users\Admin\AppData\Local\Temp\cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Roaming\Igfei\wyevn.exe
  "C:\Users\Admin\AppData\Roaming\Igfei\wyevn.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcd0c7f6b.bat"
  2⤵
  - Deletes itself
  PID:1936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcd0c7f6b.bat

Filesize
307B

MD5
9cf40a1de07da6851994056e54344858

SHA1
61a785998226b298cf4537d2f8758fb6d10f14ce

SHA256
8acde324d3aae8364848b3349774897e2008af0d284583835ecf1eb1cef19e45

SHA512
46a75929b0eeabf858f6e41e71697dc08c459da1db81e0bc5934580e4f7cae4f33926431dadf05c79fdc291c4890653bd5fd9a219b62b13951ab86951ba1f34d

Download Submit
C:\Users\Admin\AppData\Roaming\Igfei\wyevn.exe

Filesize
304KB

MD5
ec247b5ce0dce9baeebdf8dd716714e4

SHA1
6c31c45a69634be8cae9e2f7a71b44f0e36bfb0f

SHA256
59ea8b0acd93ac4cee62f014e8b4a315ab0d6133357c5d6920af5e077b0f4e54

SHA512
bc20767adb0122470217f439a4837bbcd33fc1381166aa21be9df78d13786e73d08da7245eda4bb08fb2d41d50647e57c84a93fdd1c5831f12af96f3faaedb2d

Download Submit
C:\Users\Admin\AppData\Roaming\Igfei\wyevn.exe

Filesize
304KB

MD5
ec247b5ce0dce9baeebdf8dd716714e4

SHA1
6c31c45a69634be8cae9e2f7a71b44f0e36bfb0f

SHA256
59ea8b0acd93ac4cee62f014e8b4a315ab0d6133357c5d6920af5e077b0f4e54

SHA512
bc20767adb0122470217f439a4837bbcd33fc1381166aa21be9df78d13786e73d08da7245eda4bb08fb2d41d50647e57c84a93fdd1c5831f12af96f3faaedb2d

Download Submit
\Users\Admin\AppData\Roaming\Igfei\wyevn.exe

Filesize
304KB

MD5
ec247b5ce0dce9baeebdf8dd716714e4

SHA1
6c31c45a69634be8cae9e2f7a71b44f0e36bfb0f

SHA256
59ea8b0acd93ac4cee62f014e8b4a315ab0d6133357c5d6920af5e077b0f4e54

SHA512
bc20767adb0122470217f439a4837bbcd33fc1381166aa21be9df78d13786e73d08da7245eda4bb08fb2d41d50647e57c84a93fdd1c5831f12af96f3faaedb2d

Download Submit
\Users\Admin\AppData\Roaming\Igfei\wyevn.exe

Filesize
304KB

MD5
ec247b5ce0dce9baeebdf8dd716714e4

SHA1
6c31c45a69634be8cae9e2f7a71b44f0e36bfb0f

SHA256
59ea8b0acd93ac4cee62f014e8b4a315ab0d6133357c5d6920af5e077b0f4e54

SHA512
bc20767adb0122470217f439a4837bbcd33fc1381166aa21be9df78d13786e73d08da7245eda4bb08fb2d41d50647e57c84a93fdd1c5831f12af96f3faaedb2d

Download Submit
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/948-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1124-65-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1124-67-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1124-68-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1124-69-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1124-70-0x0000000001DC0000-0x0000000001E0C000-memory.dmp

Filesize
304KB

Download
memory/1184-74-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1184-75-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1184-76-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1184-73-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1272-80-0x0000000002AE0000-0x0000000002B2C000-memory.dmp

Filesize
304KB

Download
memory/1272-82-0x0000000002AE0000-0x0000000002B2C000-memory.dmp

Filesize
304KB

Download
memory/1272-81-0x0000000002AE0000-0x0000000002B2C000-memory.dmp

Filesize
304KB

Download
memory/1272-79-0x0000000002AE0000-0x0000000002B2C000-memory.dmp

Filesize
304KB

Download
memory/1552-124-0x0000000003A50000-0x0000000003A9C000-memory.dmp

Filesize
304KB

Download
memory/1552-123-0x0000000003A50000-0x0000000003A9C000-memory.dmp

Filesize
304KB

Download
memory/1552-122-0x0000000003A50000-0x0000000003A9C000-memory.dmp

Filesize
304KB

Download
memory/1552-121-0x0000000003A50000-0x0000000003A9C000-memory.dmp

Filesize
304KB

Download
memory/1796-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-88-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/1796-87-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/1796-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-55-0x0000000000401000-0x0000000000445000-memory.dmp

Filesize
272KB

Download
memory/1796-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1796-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1796-85-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/1796-101-0x00000000003A0000-0x00000000003EF000-memory.dmp

Filesize
316KB

Download
memory/1796-103-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/1796-86-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/1936-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-112-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1936-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-102-0x000000000005BB88-mapping.dmp

Download
memory/1936-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1936-98-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1936-99-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1936-96-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1936-100-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1996-115-0x0000000000420000-0x000000000046C000-memory.dmp

Filesize
304KB

Download
memory/1996-116-0x0000000000420000-0x000000000046C000-memory.dmp

Filesize
304KB

Download
memory/1996-117-0x0000000000420000-0x000000000046C000-memory.dmp

Filesize
304KB

Download
memory/1996-118-0x0000000000420000-0x000000000046C000-memory.dmp

Filesize
304KB

Download