cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3

Analysis

max time kernel
151s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe
Size

304KB
MD5

603803a45e8b51d6738666c64fe51966
SHA1

2c909fba9e435cf75633b0c069177d7e42c3a2c2
SHA256

cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3
SHA512

1fc76af148d21e6fedef4383d3b17a4658a8f10c341a534356ae9958534cb2385e7d35e840a55c2c933481357d11bd8b49e8abe74edf40ab0a34e604231b17f2
SSDEEP

6144:o6wdmt+S8iXtGZ4FtTfK1bcfwK8jNCm69EfzSWDHhftl1KQi9gSnZoAI1GNk:HPC4tFFticoxz69E+GV0JZoPGm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	inmeu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	inmeu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{176762F4-556D-BCA0-3AE4-8903F7119301} = "C:\\Users\\Admin\\AppData\\Roaming\\Syoxny\\inmeu.exe"	inmeu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe
2116	inmeu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 2116	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	79
PID 3668 wrote to memory of 2116	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	79
PID 3668 wrote to memory of 2116	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	79
PID 2116 wrote to memory of 2828	2116	inmeu.exe	41
PID 2116 wrote to memory of 2828	2116	inmeu.exe	41
PID 2116 wrote to memory of 2828	2116	inmeu.exe	41
PID 2116 wrote to memory of 2828	2116	inmeu.exe	41
PID 2116 wrote to memory of 2828	2116	inmeu.exe	41
PID 2116 wrote to memory of 2844	2116	inmeu.exe	40
PID 2116 wrote to memory of 2844	2116	inmeu.exe	40
PID 2116 wrote to memory of 2844	2116	inmeu.exe	40
PID 2116 wrote to memory of 2844	2116	inmeu.exe	40
PID 2116 wrote to memory of 2844	2116	inmeu.exe	40
PID 2116 wrote to memory of 2896	2116	inmeu.exe	39
PID 2116 wrote to memory of 2896	2116	inmeu.exe	39
PID 2116 wrote to memory of 2896	2116	inmeu.exe	39
PID 2116 wrote to memory of 2896	2116	inmeu.exe	39
PID 2116 wrote to memory of 2896	2116	inmeu.exe	39
PID 2116 wrote to memory of 2616	2116	inmeu.exe	38
PID 2116 wrote to memory of 2616	2116	inmeu.exe	38
PID 2116 wrote to memory of 2616	2116	inmeu.exe	38
PID 2116 wrote to memory of 2616	2116	inmeu.exe	38
PID 2116 wrote to memory of 2616	2116	inmeu.exe	38
PID 2116 wrote to memory of 2956	2116	inmeu.exe	37
PID 2116 wrote to memory of 2956	2116	inmeu.exe	37
PID 2116 wrote to memory of 2956	2116	inmeu.exe	37
PID 2116 wrote to memory of 2956	2116	inmeu.exe	37
PID 2116 wrote to memory of 2956	2116	inmeu.exe	37
PID 2116 wrote to memory of 3276	2116	inmeu.exe	36
PID 2116 wrote to memory of 3276	2116	inmeu.exe	36
PID 2116 wrote to memory of 3276	2116	inmeu.exe	36
PID 2116 wrote to memory of 3276	2116	inmeu.exe	36
PID 2116 wrote to memory of 3276	2116	inmeu.exe	36
PID 2116 wrote to memory of 3392	2116	inmeu.exe	35
PID 2116 wrote to memory of 3392	2116	inmeu.exe	35
PID 2116 wrote to memory of 3392	2116	inmeu.exe	35
PID 2116 wrote to memory of 3392	2116	inmeu.exe	35
PID 2116 wrote to memory of 3392	2116	inmeu.exe	35
PID 2116 wrote to memory of 3456	2116	inmeu.exe	34
PID 2116 wrote to memory of 3456	2116	inmeu.exe	34
PID 2116 wrote to memory of 3456	2116	inmeu.exe	34
PID 2116 wrote to memory of 3456	2116	inmeu.exe	34
PID 2116 wrote to memory of 3456	2116	inmeu.exe	34
PID 2116 wrote to memory of 3540	2116	inmeu.exe	33
PID 2116 wrote to memory of 3540	2116	inmeu.exe	33
PID 2116 wrote to memory of 3540	2116	inmeu.exe	33
PID 2116 wrote to memory of 3540	2116	inmeu.exe	33
PID 2116 wrote to memory of 3540	2116	inmeu.exe	33
PID 2116 wrote to memory of 3744	2116	inmeu.exe	32
PID 2116 wrote to memory of 3744	2116	inmeu.exe	32
PID 2116 wrote to memory of 3744	2116	inmeu.exe	32
PID 2116 wrote to memory of 3744	2116	inmeu.exe	32
PID 2116 wrote to memory of 3744	2116	inmeu.exe	32
PID 2116 wrote to memory of 3668	2116	inmeu.exe	71
PID 2116 wrote to memory of 3668	2116	inmeu.exe	71
PID 2116 wrote to memory of 3668	2116	inmeu.exe	71
PID 2116 wrote to memory of 3668	2116	inmeu.exe	71
PID 2116 wrote to memory of 3668	2116	inmeu.exe	71
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80
PID 3668 wrote to memory of 4312	3668	cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe	80

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2956

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe
  "C:\Users\Admin\AppData\Local\Temp\cbef9ded11aa13ffefb50ff55a814b4c811c7f622046477e5cb25c54c5d7dff3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Roaming\Syoxny\inmeu.exe
    "C:\Users\Admin\AppData\Roaming\Syoxny\inmeu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb9d22563.bat"
    3⤵
    PID:4312

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2844

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb9d22563.bat

Filesize
307B

MD5
1e277cac1413a3e2dd475acfdb293747

SHA1
09fb85a90177b07cd3b7131a700244d267a2aa59

SHA256
541d445fb3b9a4b60a7b7754098c80fcee89bf1ee4a771110c1002f80ed20969

SHA512
902cfb66dab05998ec5589cdbdc96df69dff8132246f9c3f3c08c9fbb0d93345b9be538bce3a58eb733f1f246d5991ed38526e1e6329b9395fa704fc922c871a

Download Submit
C:\Users\Admin\AppData\Roaming\Syoxny\inmeu.exe

Filesize
304KB

MD5
a2aa371d96532a9b17f4a30c6047abea

SHA1
e410b98b75b85470572b7e429e6a03fc324b9b73

SHA256
b4e419594315b031dd90e61bbf2d3227a223c55f63fedbe70572c0e42f3bdf4d

SHA512
0bb6a494354f76b79587190acb29a0fb70d2b48b743b5ca0372d5420ce372e257195097bc54fb50e7caa2429937e0078352e11e16ad34a693ea2417c748ac3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Syoxny\inmeu.exe

Filesize
304KB

MD5
a2aa371d96532a9b17f4a30c6047abea

SHA1
e410b98b75b85470572b7e429e6a03fc324b9b73

SHA256
b4e419594315b031dd90e61bbf2d3227a223c55f63fedbe70572c0e42f3bdf4d

SHA512
0bb6a494354f76b79587190acb29a0fb70d2b48b743b5ca0372d5420ce372e257195097bc54fb50e7caa2429937e0078352e11e16ad34a693ea2417c748ac3d3

Download Submit
memory/2116-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3668-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3668-146-0x0000000002210000-0x000000000225C000-memory.dmp

Filesize
304KB

Download
memory/3668-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3668-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3668-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3668-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3668-133-0x0000000000401000-0x0000000000445000-memory.dmp

Filesize
272KB

Download
memory/3668-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-145-0x0000000000D90000-0x0000000000DDC000-memory.dmp

Filesize
304KB

Download
memory/4312-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4312-154-0x0000000000D90000-0x0000000000DDC000-memory.dmp

Filesize
304KB

Download