248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62

Analysis

max time kernel
188s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe
Size

426KB
MD5

04a70c1e4bf0e18f5ac4f8744e091af4
SHA1

f966dadc74fe920f0e0e3b5a8bf4e6748762fd43
SHA256

248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62
SHA512

0e3912c4d65fc597115f35119548446b414aaf96dbeea23df0be7aa9bb876f8d3198fc039dd03cfbeaac820027f6ce4b487df547baa2ce24b50237c9070f069f
SSDEEP

6144:Z1DseJMObY5a94KniQOMth6N6aiZt9Z9ODyP3bpr:Z1jN39QTYainT9OD6Nr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
212	uzxeu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\Currentversion\Run	uzxeu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{C3916187-556D-BCA0-4F67-978E82928D8C} = "C:\\Users\\Admin\\AppData\\Roaming\\Gyyq\\uzxeu.exe"	uzxeu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 1852	2344	248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe
212	uzxeu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 212	2344	248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe	86
PID 2344 wrote to memory of 212	2344	248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe	86
PID 2344 wrote to memory of 212	2344	248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe	86
PID 212 wrote to memory of 2536	212	uzxeu.exe	32
PID 212 wrote to memory of 2536	212	uzxeu.exe	32
PID 212 wrote to memory of 2536	212	uzxeu.exe	32
PID 212 wrote to memory of 2536	212	uzxeu.exe	32
PID 212 wrote to memory of 2536	212	uzxeu.exe	32
PID 212 wrote to memory of 2552	212	uzxeu.exe	70
PID 212 wrote to memory of 2552	212	uzxeu.exe	70
PID 212 wrote to memory of 2552	212	uzxeu.exe	70
PID 212 wrote to memory of 2552	212	uzxeu.exe	70
PID 212 wrote to memory of 2552	212	uzxeu.exe	70
PID 212 wrote to memory of 2672	212	uzxeu.exe	34
PID 212 wrote to memory of 2672	212	uzxeu.exe	34
PID 212 wrote to memory of 2672	212	uzxeu.exe	34
PID 212 wrote to memory of 2672	212	uzxeu.exe	34
PID 212 wrote to memory of 2672	212	uzxeu.exe	34
PID 212 wrote to memory of 1036	212	uzxeu.exe	63
PID 212 wrote to memory of 1036	212	uzxeu.exe	63
PID 212 wrote to memory of 1036	212	uzxeu.exe	63
PID 212 wrote to memory of 1036	212	uzxeu.exe	63
PID 212 wrote to memory of 1036	212	uzxeu.exe	63
PID 212 wrote to memory of 3084	212	uzxeu.exe	35
PID 212 wrote to memory of 3084	212	uzxeu.exe	35
PID 212 wrote to memory of 3084	212	uzxeu.exe	35
PID 212 wrote to memory of 3084	212	uzxeu.exe	35
PID 212 wrote to memory of 3084	212	uzxeu.exe	35
PID 212 wrote to memory of 3296	212	uzxeu.exe	62
PID 212 wrote to memory of 3296	212	uzxeu.exe	62
PID 212 wrote to memory of 3296	212	uzxeu.exe	62
PID 212 wrote to memory of 3296	212	uzxeu.exe	62
PID 212 wrote to memory of 3296	212	uzxeu.exe	62
PID 212 wrote to memory of 3392	212	uzxeu.exe	61
PID 212 wrote to memory of 3392	212	uzxeu.exe	61
PID 212 wrote to memory of 3392	212	uzxeu.exe	61
PID 212 wrote to memory of 3392	212	uzxeu.exe	61
PID 212 wrote to memory of 3392	212	uzxeu.exe	61
PID 212 wrote to memory of 3456	212	uzxeu.exe	36
PID 212 wrote to memory of 3456	212	uzxeu.exe	36
PID 212 wrote to memory of 3456	212	uzxeu.exe	36
PID 212 wrote to memory of 3456	212	uzxeu.exe	36
PID 212 wrote to memory of 3456	212	uzxeu.exe	36
PID 212 wrote to memory of 3536	212	uzxeu.exe	60
PID 212 wrote to memory of 3536	212	uzxeu.exe	60
PID 212 wrote to memory of 3536	212	uzxeu.exe	60
PID 212 wrote to memory of 3536	212	uzxeu.exe	60
PID 212 wrote to memory of 3536	212	uzxeu.exe	60
PID 212 wrote to memory of 3880	212	uzxeu.exe	58
PID 212 wrote to memory of 3880	212	uzxeu.exe	58
PID 212 wrote to memory of 3880	212	uzxeu.exe	58
PID 212 wrote to memory of 3880	212	uzxeu.exe	58
PID 212 wrote to memory of 3880	212	uzxeu.exe	58
PID 212 wrote to memory of 4840	212	uzxeu.exe	37
PID 212 wrote to memory of 4840	212	uzxeu.exe	37
PID 212 wrote to memory of 4840	212	uzxeu.exe	37
PID 212 wrote to memory of 4840	212	uzxeu.exe	37
PID 212 wrote to memory of 4840	212	uzxeu.exe	37
PID 212 wrote to memory of 5040	212	uzxeu.exe	44
PID 212 wrote to memory of 5040	212	uzxeu.exe	44
PID 212 wrote to memory of 5040	212	uzxeu.exe	44
PID 212 wrote to memory of 5040	212	uzxeu.exe	44
PID 212 wrote to memory of 5040	212	uzxeu.exe	44
PID 212 wrote to memory of 4956	212	uzxeu.exe	43

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4956

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:5040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe
  "C:\Users\Admin\AppData\Local\Temp\248a6afab849a9bd5149f0923bceed37c962264570a085017042f84305a6be62.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\Gyyq\uzxeu.exe
    "C:\Users\Admin\AppData\Roaming\Gyyq\uzxeu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa62207fb.bat"
    3⤵
    PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2552

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:540

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa62207fb.bat

Filesize
307B

MD5
30eb1dc4a59d905312b0cb631f7ad1c5

SHA1
89416d4855b64081e205b54e4564ee8e81870606

SHA256
70eec450c28ac6c62e7c444225207ba9c5d59d76debbdbf5c6b9fc922cd8726c

SHA512
b65bf4b0b93f2e261aad719a8c025b44e12bf46e1232331105e4ada6f2182b42e1321e8fec9ba802dce4387f3737f9f1a74e5aba4eef6de895fe2832bf44f67a

Download Submit
C:\Users\Admin\AppData\Roaming\Gyyq\uzxeu.exe

Filesize
426KB

MD5
3595f8af3de923e7349307546aaabbe2

SHA1
841ebba4bd0bfd13adab16dd3d270394ac6e558e

SHA256
da0eef63ff7bd4a8c07e7ca878bb0aad9364d154d2b6ffa3e4d97a333e3d2e83

SHA512
d2c455129231288c3e22a5d2b3d5a93a009ca76905511a4255a4ed454a5ee5367c850f149ec1b55f4156aeef86e2d5b63f85d8bcf08677a97eb39c728faa8333

Download Submit
C:\Users\Admin\AppData\Roaming\Gyyq\uzxeu.exe

Filesize
426KB

MD5
3595f8af3de923e7349307546aaabbe2

SHA1
841ebba4bd0bfd13adab16dd3d270394ac6e558e

SHA256
da0eef63ff7bd4a8c07e7ca878bb0aad9364d154d2b6ffa3e4d97a333e3d2e83

SHA512
d2c455129231288c3e22a5d2b3d5a93a009ca76905511a4255a4ed454a5ee5367c850f149ec1b55f4156aeef86e2d5b63f85d8bcf08677a97eb39c728faa8333

Download Submit
memory/212-155-0x0000000000640000-0x0000000000686000-memory.dmp

Filesize
280KB

Download
memory/212-159-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/212-156-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1852-157-0x0000000000380000-0x00000000003C6000-memory.dmp

Filesize
280KB

Download
memory/1852-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1852-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1852-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1852-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1852-145-0x0000000000380000-0x00000000003C6000-memory.dmp

Filesize
280KB

Download
memory/1852-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1852-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-152-0x0000000002220000-0x0000000002266000-memory.dmp

Filesize
280KB

Download
memory/2344-153-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2344-154-0x00000000026D0000-0x0000000002716000-memory.dmp

Filesize
280KB

Download
memory/2344-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2344-132-0x0000000002220000-0x0000000002266000-memory.dmp

Filesize
280KB

Download
memory/2344-135-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2344-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2344-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download