d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00

Analysis

max time kernel
142s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
Size

16KB
MD5

ce9deff846866c2ae98450377b60c038
SHA1

5b7158706142c10fb8166bdc178adb655391f8fa
SHA256

d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00
SHA512

ca2142eab1d9d198cbc57494902445c11b3faf93d4489e0554dfc5b7cedf33c9818d47772f627aff292544c8ea9152694f1acdeda5cb8e3be746ef1e19797bc3
SSDEEP

384:kU/soECZv8fA8w6leg3MxuMkEb/erdjrEo7Zhqv/VVU:HEaQvogWKWv/U

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	LYLOADER.EXE

Executes dropped EXE 1 IoCs

pid	Process
3776	LYLOADER.EXE

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LYMANGR.DLL	LYLOADER.EXE
File created	C:\Windows\SysWOW64\MSDEG32.DLL	LYLOADER.EXE
File created	C:\Windows\SysWOW64\REGKEY.hiv	LYLOADER.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3776	LYLOADER.EXE
3776	LYLOADER.EXE
3776	LYLOADER.EXE
3776	LYLOADER.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3776	LYLOADER.EXE
Token: SeDebugPrivilege	3776	LYLOADER.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3776	4532	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	78
PID 4532 wrote to memory of 3776	4532	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	78
PID 4532 wrote to memory of 3776	4532	d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe	78
PID 3776 wrote to memory of 372	3776	LYLOADER.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
  "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE
    C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

Filesize
12KB

MD5
438bd710f35da05dab5f74a5c1eaadc8

SHA1
e2e16112fe04df81d37b6aa0524bfb6cde0330ad

SHA256
aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

SHA512
cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

Download Submit