1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50

Analysis

max time kernel
357s
max time network
380s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe
Size

425KB
MD5

7c656ac84e58498facd22f610451596e
SHA1

89d915dd96ca83d2c49cbe463c012a83932e3eba
SHA256

1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50
SHA512

dc5b706ddd3c4f803eb35cf8c19f296f981b74e64399ab4e6c577dd3038d00381e3fc41282695dc5a3876cddf6b8bfc71672c4cc9524632f61e8afbb8f0c4d1f
SSDEEP

6144:M1DskyJMObY5at4+iQOMth6N6aiZt9Z9ODlP3bqP:M1zyN3tcTYainT9ODlmP

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3844	cyrog.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\Currentversion\Run	cyrog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{C3909E9C-556D-BCA0-EB70-2FF2268535F0} = "C:\\Users\\Admin\\AppData\\Roaming\\Nyytep\\cyrog.exe"	cyrog.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2292	1628	1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe
3844	cyrog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3844	1628	1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe	80
PID 1628 wrote to memory of 3844	1628	1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe	80
PID 1628 wrote to memory of 3844	1628	1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe	80
PID 3844 wrote to memory of 2476	3844	cyrog.exe	37
PID 3844 wrote to memory of 2476	3844	cyrog.exe	37
PID 3844 wrote to memory of 2476	3844	cyrog.exe	37
PID 3844 wrote to memory of 2476	3844	cyrog.exe	37
PID 3844 wrote to memory of 2476	3844	cyrog.exe	37
PID 3844 wrote to memory of 2544	3844	cyrog.exe	38
PID 3844 wrote to memory of 2544	3844	cyrog.exe	38
PID 3844 wrote to memory of 2544	3844	cyrog.exe	38
PID 3844 wrote to memory of 2544	3844	cyrog.exe	38
PID 3844 wrote to memory of 2544	3844	cyrog.exe	38
PID 3844 wrote to memory of 2620	3844	cyrog.exe	49
PID 3844 wrote to memory of 2620	3844	cyrog.exe	49
PID 3844 wrote to memory of 2620	3844	cyrog.exe	49
PID 3844 wrote to memory of 2620	3844	cyrog.exe	49
PID 3844 wrote to memory of 2620	3844	cyrog.exe	49
PID 3844 wrote to memory of 1936	3844	cyrog.exe	54
PID 3844 wrote to memory of 1936	3844	cyrog.exe	54
PID 3844 wrote to memory of 1936	3844	cyrog.exe	54
PID 3844 wrote to memory of 1936	3844	cyrog.exe	54
PID 3844 wrote to memory of 1936	3844	cyrog.exe	54
PID 3844 wrote to memory of 3084	3844	cyrog.exe	55
PID 3844 wrote to memory of 3084	3844	cyrog.exe	55
PID 3844 wrote to memory of 3084	3844	cyrog.exe	55
PID 3844 wrote to memory of 3084	3844	cyrog.exe	55
PID 3844 wrote to memory of 3084	3844	cyrog.exe	55
PID 3844 wrote to memory of 3280	3844	cyrog.exe	56
PID 3844 wrote to memory of 3280	3844	cyrog.exe	56
PID 3844 wrote to memory of 3280	3844	cyrog.exe	56
PID 3844 wrote to memory of 3280	3844	cyrog.exe	56
PID 3844 wrote to memory of 3280	3844	cyrog.exe	56
PID 3844 wrote to memory of 3372	3844	cyrog.exe	57
PID 3844 wrote to memory of 3372	3844	cyrog.exe	57
PID 3844 wrote to memory of 3372	3844	cyrog.exe	57
PID 3844 wrote to memory of 3372	3844	cyrog.exe	57
PID 3844 wrote to memory of 3372	3844	cyrog.exe	57
PID 3844 wrote to memory of 3452	3844	cyrog.exe	58
PID 3844 wrote to memory of 3452	3844	cyrog.exe	58
PID 3844 wrote to memory of 3452	3844	cyrog.exe	58
PID 3844 wrote to memory of 3452	3844	cyrog.exe	58
PID 3844 wrote to memory of 3452	3844	cyrog.exe	58
PID 3844 wrote to memory of 3540	3844	cyrog.exe	59
PID 3844 wrote to memory of 3540	3844	cyrog.exe	59
PID 3844 wrote to memory of 3540	3844	cyrog.exe	59
PID 3844 wrote to memory of 3540	3844	cyrog.exe	59
PID 3844 wrote to memory of 3540	3844	cyrog.exe	59
PID 3844 wrote to memory of 3704	3844	cyrog.exe	60
PID 3844 wrote to memory of 3704	3844	cyrog.exe	60
PID 3844 wrote to memory of 3704	3844	cyrog.exe	60
PID 3844 wrote to memory of 3704	3844	cyrog.exe	60
PID 3844 wrote to memory of 3704	3844	cyrog.exe	60
PID 3844 wrote to memory of 4628	3844	cyrog.exe	74
PID 3844 wrote to memory of 4628	3844	cyrog.exe	74
PID 3844 wrote to memory of 4628	3844	cyrog.exe	74
PID 3844 wrote to memory of 4628	3844	cyrog.exe	74
PID 3844 wrote to memory of 4628	3844	cyrog.exe	74
PID 3844 wrote to memory of 3488	3844	cyrog.exe	77
PID 3844 wrote to memory of 3488	3844	cyrog.exe	77
PID 3844 wrote to memory of 3488	3844	cyrog.exe	77
PID 3844 wrote to memory of 3488	3844	cyrog.exe	77
PID 3844 wrote to memory of 3488	3844	cyrog.exe	77
PID 3844 wrote to memory of 1628	3844	cyrog.exe	79

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2544

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1936
- C:\Users\Admin\AppData\Local\Temp\1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe
  "C:\Users\Admin\AppData\Local\Temp\1a20340553a873245d7428fba68b15ddebd5a2d4d3af431f9b13869ed4725d50.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\Nyytep\cyrog.exe
    "C:\Users\Admin\AppData\Roaming\Nyytep\cyrog.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e2dd099.bat"
    3⤵
    PID:2292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5104

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1264

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6e2dd099.bat

Filesize
307B

MD5
1cf5404a1bd0e83f1bb47b4324435a9a

SHA1
8855151228ba6081b3e162cc559373c38a6c28a5

SHA256
3d16a3c0beb853d59717f20f72e36fc05acecc7cf36f8bd0f3bef1a26e41a513

SHA512
ee034e8f83212c2a1fa13fec519485c068be52480520f923efdc81b8fa643afa9b2b08ecf7f4b3729209d717019886848e476dee1f1b7f29d6486d8c4ac96c79

Download Submit
C:\Users\Admin\AppData\Roaming\Nyytep\cyrog.exe

Filesize
425KB

MD5
5b65f24514baa83347d142be148ee830

SHA1
80b8954d2730123aa2f6cded7d5115cc2145d389

SHA256
e9beb2977c02bf31ab6a79bc379b9f90434d675be5f2b549e94cf6862014a267

SHA512
2e697518eaf3cb256dfea10f61290e9222aa9272c87437f778e593ca485b4dd86f89cd2b0666ee74e8a3e33bd7eb99fa0a8bdfe428dccdb4b7e671b084400b57

Download Submit
C:\Users\Admin\AppData\Roaming\Nyytep\cyrog.exe

Filesize
425KB

MD5
5b65f24514baa83347d142be148ee830

SHA1
80b8954d2730123aa2f6cded7d5115cc2145d389

SHA256
e9beb2977c02bf31ab6a79bc379b9f90434d675be5f2b549e94cf6862014a267

SHA512
2e697518eaf3cb256dfea10f61290e9222aa9272c87437f778e593ca485b4dd86f89cd2b0666ee74e8a3e33bd7eb99fa0a8bdfe428dccdb4b7e671b084400b57

Download Submit
memory/1628-146-0x0000000002210000-0x0000000002256000-memory.dmp

Filesize
280KB

Download
memory/1628-148-0x00000000022D0000-0x0000000002316000-memory.dmp

Filesize
280KB

Download
memory/1628-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-133-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-147-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-132-0x0000000002210000-0x0000000002256000-memory.dmp

Filesize
280KB

Download
memory/2292-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-145-0x0000000000E90000-0x0000000000ED6000-memory.dmp

Filesize
280KB

Download
memory/2292-157-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2292-159-0x0000000000E90000-0x0000000000ED6000-memory.dmp

Filesize
280KB

Download
memory/3844-149-0x0000000001FF0000-0x0000000002036000-memory.dmp

Filesize
280KB

Download
memory/3844-150-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3844-151-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download