d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00

Analysis

max time kernel
4s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
Size

16KB
MD5

ce9deff846866c2ae98450377b60c038
SHA1

5b7158706142c10fb8166bdc178adb655391f8fa
SHA256

d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00
SHA512

ca2142eab1d9d198cbc57494902445c11b3faf93d4489e0554dfc5b7cedf33c9818d47772f627aff292544c8ea9152694f1acdeda5cb8e3be746ef1e19797bc3
SSDEEP

384:kU/soECZv8fA8w6leg3MxuMkEb/erdjrEo7Zhqv/VVU:HEaQvogWKWv/U

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	LYLOADER.EXE

Executes dropped EXE 1 IoCs

pid	Process
1884	LYLOADER.EXE

Deletes itself 1 IoCs

pid	Process
1884	LYLOADER.EXE

Loads dropped DLL 2 IoCs

pid	Process
1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\REGKEY.hiv	LYLOADER.EXE
File created	C:\Windows\SysWOW64\LYMANGR.DLL	LYLOADER.EXE
File created	C:\Windows\SysWOW64\MSDEG32.DLL	LYLOADER.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	LYLOADER.EXE
1884	LYLOADER.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1884	LYLOADER.EXE
Token: SeDebugPrivilege	1884	LYLOADER.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1884	1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	28
PID 1684 wrote to memory of 1884	1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	28
PID 1684 wrote to memory of 1884	1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	28
PID 1684 wrote to memory of 1884	1684	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	28
PID 1884 wrote to memory of 460	1884	LYLOADER.EXE	2
PID 1884 wrote to memory of 1268	1884	LYLOADER.EXE	18

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
"C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE
  C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Deletes itself
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit
\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit
\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit