4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379

Analysis

max time kernel
160s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe
Size

301KB
MD5

55fea3c9a445f27f79d3ec0e9a440f60
SHA1

c09d2795ea32a604e453b8f812948b55c9aed77f
SHA256

4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379
SHA512

8bbfd11d43f803607e6ff751ea13e15db0bf50e34ee9f7598b5509bb022f9a3ccf19151f1af684b6ab5599ddbfef5e618c636ef127518643cf923a54090956e1
SSDEEP

6144:vvoVPod3g5b+pCF8YsYWwW83XL0XvVhhX3UEWZZ6Gy54YSlSG/sPY:vgxg3g5b+1DYjWQITFEE0MGy54YSlVUw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5100	ryaxj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	ryaxj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ryaxj = "C:\\Users\\Admin\\AppData\\Roaming\\Uncyzo\\ryaxj.exe"	ryaxj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 4196	212	4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe	90

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe
5100	ryaxj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 5100	212	4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe	87
PID 212 wrote to memory of 5100	212	4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe	87
PID 212 wrote to memory of 5100	212	4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe	87
PID 5100 wrote to memory of 2376	5100	ryaxj.exe	16
PID 5100 wrote to memory of 2376	5100	ryaxj.exe	16
PID 5100 wrote to memory of 2376	5100	ryaxj.exe	16
PID 5100 wrote to memory of 2376	5100	ryaxj.exe	16
PID 5100 wrote to memory of 2376	5100	ryaxj.exe	16
PID 5100 wrote to memory of 2396	5100	ryaxj.exe	57
PID 5100 wrote to memory of 2396	5100	ryaxj.exe	57
PID 5100 wrote to memory of 2396	5100	ryaxj.exe	57
PID 5100 wrote to memory of 2396	5100	ryaxj.exe	57
PID 5100 wrote to memory of 2396	5100	ryaxj.exe	57
PID 5100 wrote to memory of 2516	5100	ryaxj.exe	55
PID 5100 wrote to memory of 2516	5100	ryaxj.exe	55
PID 5100 wrote to memory of 2516	5100	ryaxj.exe	55
PID 5100 wrote to memory of 2516	5100	ryaxj.exe	55
PID 5100 wrote to memory of 2516	5100	ryaxj.exe	55
PID 5100 wrote to memory of 1704	5100	ryaxj.exe	51
PID 5100 wrote to memory of 1704	5100	ryaxj.exe	51
PID 5100 wrote to memory of 1704	5100	ryaxj.exe	51
PID 5100 wrote to memory of 1704	5100	ryaxj.exe	51
PID 5100 wrote to memory of 1704	5100	ryaxj.exe	51
PID 5100 wrote to memory of 3176	5100	ryaxj.exe	50
PID 5100 wrote to memory of 3176	5100	ryaxj.exe	50
PID 5100 wrote to memory of 3176	5100	ryaxj.exe	50
PID 5100 wrote to memory of 3176	5100	ryaxj.exe	50
PID 5100 wrote to memory of 3176	5100	ryaxj.exe	50
PID 5100 wrote to memory of 3372	5100	ryaxj.exe	22
PID 5100 wrote to memory of 3372	5100	ryaxj.exe	22
PID 5100 wrote to memory of 3372	5100	ryaxj.exe	22
PID 5100 wrote to memory of 3372	5100	ryaxj.exe	22
PID 5100 wrote to memory of 3372	5100	ryaxj.exe	22
PID 5100 wrote to memory of 3476	5100	ryaxj.exe	49
PID 5100 wrote to memory of 3476	5100	ryaxj.exe	49
PID 5100 wrote to memory of 3476	5100	ryaxj.exe	49
PID 5100 wrote to memory of 3476	5100	ryaxj.exe	49
PID 5100 wrote to memory of 3476	5100	ryaxj.exe	49
PID 5100 wrote to memory of 3540	5100	ryaxj.exe	23
PID 5100 wrote to memory of 3540	5100	ryaxj.exe	23
PID 5100 wrote to memory of 3540	5100	ryaxj.exe	23
PID 5100 wrote to memory of 3540	5100	ryaxj.exe	23
PID 5100 wrote to memory of 3540	5100	ryaxj.exe	23
PID 5100 wrote to memory of 3632	5100	ryaxj.exe	48
PID 5100 wrote to memory of 3632	5100	ryaxj.exe	48
PID 5100 wrote to memory of 3632	5100	ryaxj.exe	48
PID 5100 wrote to memory of 3632	5100	ryaxj.exe	48
PID 5100 wrote to memory of 3632	5100	ryaxj.exe	48
PID 5100 wrote to memory of 3776	5100	ryaxj.exe	24
PID 5100 wrote to memory of 3776	5100	ryaxj.exe	24
PID 5100 wrote to memory of 3776	5100	ryaxj.exe	24
PID 5100 wrote to memory of 3776	5100	ryaxj.exe	24
PID 5100 wrote to memory of 3776	5100	ryaxj.exe	24
PID 5100 wrote to memory of 4732	5100	ryaxj.exe	25
PID 5100 wrote to memory of 4732	5100	ryaxj.exe	25
PID 5100 wrote to memory of 4732	5100	ryaxj.exe	25
PID 5100 wrote to memory of 4732	5100	ryaxj.exe	25
PID 5100 wrote to memory of 4732	5100	ryaxj.exe	25
PID 5100 wrote to memory of 2628	5100	ryaxj.exe	33
PID 5100 wrote to memory of 2628	5100	ryaxj.exe	33
PID 5100 wrote to memory of 2628	5100	ryaxj.exe	33
PID 5100 wrote to memory of 2628	5100	ryaxj.exe	33
PID 5100 wrote to memory of 2628	5100	ryaxj.exe	33
PID 5100 wrote to memory of 212	5100	ryaxj.exe	84

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1704
- C:\Users\Admin\AppData\Local\Temp\4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe
  "C:\Users\Admin\AppData\Local\Temp\4b5d91ccba0ff2c1440fd4354e7b2005b4717637cfcc8c32e8ec22b55ba9b379.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Roaming\Uncyzo\ryaxj.exe
    "C:\Users\Admin\AppData\Roaming\Uncyzo\ryaxj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\MEI6399.bat"
    3⤵
    PID:4196
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:872

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5012

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2328

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MEI6399.bat

Filesize
303B

MD5
a5d366ac59b1ba93ddae10cdc7d265de

SHA1
5d905add7dd15a611a4afffb65cf846484071832

SHA256
118c4b9f00b4373c58401e2428c20940de57633dfdf95038bd9548fc99eb312c

SHA512
1749678376c46b569097aa1ac1f6dc6a2b7ff302801c6ab5bfb59e6ade7d62931d938d5f317708f0c120161646c249d581659efc803bd943f4f31397019dd7a3

Download Submit
C:\Users\Admin\AppData\Roaming\Uncyzo\ryaxj.exe

Filesize
301KB

MD5
c707d0e7ccd07774c3b06699bba3371a

SHA1
e119f53d3c23362e10fb06a72e28b43ed98db408

SHA256
43947ff367fa8926da8331694fbf50c7231fd343d400aaff80545afe232df1db

SHA512
385c9fbd829da45d74b09cb19c1fb50b6ad98b31d78be509f84b7fc797e1b1c8d63623742a3863c52cb5e2fbbf1f0d1c9c20fcfd0176d2ad5aa68cf7d805ecdd

Download Submit
C:\Users\Admin\AppData\Roaming\Uncyzo\ryaxj.exe

Filesize
301KB

MD5
c707d0e7ccd07774c3b06699bba3371a

SHA1
e119f53d3c23362e10fb06a72e28b43ed98db408

SHA256
43947ff367fa8926da8331694fbf50c7231fd343d400aaff80545afe232df1db

SHA512
385c9fbd829da45d74b09cb19c1fb50b6ad98b31d78be509f84b7fc797e1b1c8d63623742a3863c52cb5e2fbbf1f0d1c9c20fcfd0176d2ad5aa68cf7d805ecdd

Download Submit
memory/212-145-0x0000000000980000-0x00000000009C9000-memory.dmp

Filesize
292KB

Download
memory/212-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/212-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/212-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/212-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/212-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/212-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/212-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-147-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/4196-148-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/4196-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4196-157-0x0000000000B00000-0x0000000000B49000-memory.dmp

Filesize
292KB

Download
memory/5100-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download