868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221

Analysis

max time kernel
189s
max time network
246s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe
Size

280KB
MD5

973263d4e6f2ea9e009e247db916b820
SHA1

2fd8a15c4e4ed6c6d19bd9303b07f513efdc157c
SHA256

868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221
SHA512

83017690df5fc91c5591abe03d10d5f8027ef536e423a48e85e291dd48a7ffa74099119598f5dd09f09ab7f19457a53818239f47489f2a67aefa7ca5e019c34e
SSDEEP

6144:wl666666zJ7wj51kynAaE8RarkR8O68cCQLzAeqyQnrf1:g666666zJ7KkyHOkR7cnAnPrf1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1716	ofybyh.exe
388	ofybyh.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe
1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ofybyh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Astady\\ofybyh.exe"	ofybyh.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1716 set thread context of 388	1716	ofybyh.exe	30

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe
388	ofybyh.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1420 wrote to memory of 1040	1420	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	28
PID 1040 wrote to memory of 1716	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	29
PID 1040 wrote to memory of 1716	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	29
PID 1040 wrote to memory of 1716	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	29
PID 1040 wrote to memory of 1716	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	29
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1716 wrote to memory of 388	1716	ofybyh.exe	30
PID 1040 wrote to memory of 1160	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	31
PID 1040 wrote to memory of 1160	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	31
PID 1040 wrote to memory of 1160	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	31
PID 1040 wrote to memory of 1160	1040	868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe	31
PID 388 wrote to memory of 1120	388	ofybyh.exe	17
PID 388 wrote to memory of 1120	388	ofybyh.exe	17
PID 388 wrote to memory of 1120	388	ofybyh.exe	17
PID 388 wrote to memory of 1120	388	ofybyh.exe	17
PID 388 wrote to memory of 1120	388	ofybyh.exe	17
PID 388 wrote to memory of 1196	388	ofybyh.exe	16
PID 388 wrote to memory of 1196	388	ofybyh.exe	16
PID 388 wrote to memory of 1196	388	ofybyh.exe	16
PID 388 wrote to memory of 1196	388	ofybyh.exe	16
PID 388 wrote to memory of 1196	388	ofybyh.exe	16
PID 388 wrote to memory of 1224	388	ofybyh.exe	15
PID 388 wrote to memory of 1224	388	ofybyh.exe	15
PID 388 wrote to memory of 1224	388	ofybyh.exe	15
PID 388 wrote to memory of 1224	388	ofybyh.exe	15
PID 388 wrote to memory of 1224	388	ofybyh.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe
  "C:\Users\Admin\AppData\Local\Temp\868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe
    "C:\Users\Admin\AppData\Local\Temp\868fd1881686d2073b6cd6f479be0b33cd5868f9519f9d3683bd61d18c85a221.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe
      "C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe
        
        "C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa29d7135.bat"
      4⤵
      Deletes itself
      PID:1160

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa29d7135.bat

Filesize
307B

MD5
39c702e74b958b4a81fda1493d2ee0dd

SHA1
fa182f8f9a40e5946892fe3c060717c71bd930fa

SHA256
b6c24a14d688fb37456b1cb05c6cfb110314efaf3c13a8ccf866779ba2246129

SHA512
d9071431e05c1c36e744d088920d2a1a614079ca48449426d6fe91a1b804dc5e7fc47a47fa27c81b42fd08b693a2441ba236233cd6b488de4de69f25c8765d6a

Download Submit
C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe

Filesize
280KB

MD5
4fc27c660d4125668c5ee30465b561f3

SHA1
b33eaff5017bcf8ecf8fe1e316716bc45a299660

SHA256
b6044003c76eba61fe3ae78cf691c1c6b2ff455dc79bef85731e76c329ecafb0

SHA512
e6a55e169d0aebd7102b56197fc62eede365a05c347aa698308efe3796e0aac5d3eaeb59da40f23fa417997167825fe440f5f3af105ebffe6ed6f471347d6a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe

Filesize
280KB

MD5
4fc27c660d4125668c5ee30465b561f3

SHA1
b33eaff5017bcf8ecf8fe1e316716bc45a299660

SHA256
b6044003c76eba61fe3ae78cf691c1c6b2ff455dc79bef85731e76c329ecafb0

SHA512
e6a55e169d0aebd7102b56197fc62eede365a05c347aa698308efe3796e0aac5d3eaeb59da40f23fa417997167825fe440f5f3af105ebffe6ed6f471347d6a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Astady\ofybyh.exe

Filesize
280KB

MD5
4fc27c660d4125668c5ee30465b561f3

SHA1
b33eaff5017bcf8ecf8fe1e316716bc45a299660

SHA256
b6044003c76eba61fe3ae78cf691c1c6b2ff455dc79bef85731e76c329ecafb0

SHA512
e6a55e169d0aebd7102b56197fc62eede365a05c347aa698308efe3796e0aac5d3eaeb59da40f23fa417997167825fe440f5f3af105ebffe6ed6f471347d6a4f

Download Submit
\Users\Admin\AppData\Roaming\Astady\ofybyh.exe

Filesize
280KB

MD5
4fc27c660d4125668c5ee30465b561f3

SHA1
b33eaff5017bcf8ecf8fe1e316716bc45a299660

SHA256
b6044003c76eba61fe3ae78cf691c1c6b2ff455dc79bef85731e76c329ecafb0

SHA512
e6a55e169d0aebd7102b56197fc62eede365a05c347aa698308efe3796e0aac5d3eaeb59da40f23fa417997167825fe440f5f3af105ebffe6ed6f471347d6a4f

Download Submit
\Users\Admin\AppData\Roaming\Astady\ofybyh.exe

Filesize
280KB

MD5
4fc27c660d4125668c5ee30465b561f3

SHA1
b33eaff5017bcf8ecf8fe1e316716bc45a299660

SHA256
b6044003c76eba61fe3ae78cf691c1c6b2ff455dc79bef85731e76c329ecafb0

SHA512
e6a55e169d0aebd7102b56197fc62eede365a05c347aa698308efe3796e0aac5d3eaeb59da40f23fa417997167825fe440f5f3af105ebffe6ed6f471347d6a4f

Download Submit
memory/388-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-72-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/1040-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-71-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/1040-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-65-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1120-94-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1120-91-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1120-93-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1120-92-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1196-100-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1196-98-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1196-99-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1196-101-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1224-104-0x0000000002A30000-0x0000000002A74000-memory.dmp

Filesize
272KB

Download
memory/1224-105-0x0000000002A30000-0x0000000002A74000-memory.dmp

Filesize
272KB

Download
memory/1224-106-0x0000000002A30000-0x0000000002A74000-memory.dmp

Filesize
272KB

Download
memory/1224-107-0x0000000002A30000-0x0000000002A74000-memory.dmp

Filesize
272KB

Download
memory/1420-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1420-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1716-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1716-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download