a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
Size

220KB
MD5

76e7d0f84518c0ec1a7abaac8c41f0d6
SHA1

a5b5bbe70aaeafd27ad835d782d0456a9f56785f
SHA256

a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45
SHA512

9a261f0faab304c0bc3cdf8834cd587b655de0c6e713ce14b44e9d462192922e980422c3503c851797c4aed7f1043a8a60a9688cc845c66999f9e4f6f4795dd1
SSDEEP

6144:xVS8anC7Pe0B+5jMUKHo2Wd4H/Bn+HRHgI957aRon2t:xVSLC7Pe0uMUSo1d4H/BnMRB57aRon2t

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
936	ybhaj.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012329-56.dat	upx
behavioral1/files/0x000c000000012329-57.dat	upx
behavioral1/files/0x000c000000012329-59.dat	upx
behavioral1/memory/936-61-0x0000000000400000-0x0000000000817000-memory.dmp	upx
behavioral1/files/0x000c000000012329-62.dat	upx

Deletes itself 1 IoCs

pid	Process
324	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	ybhaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Veyjv\\ybhaj.exe"	ybhaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe
936	ybhaj.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
Token: SeSecurityPrivilege	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
Token: SeSecurityPrivilege	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 936	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	27
PID 900 wrote to memory of 936	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	27
PID 900 wrote to memory of 936	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	27
PID 900 wrote to memory of 936	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	27
PID 936 wrote to memory of 1260	936	ybhaj.exe	12
PID 936 wrote to memory of 1260	936	ybhaj.exe	12
PID 936 wrote to memory of 1260	936	ybhaj.exe	12
PID 936 wrote to memory of 1260	936	ybhaj.exe	12
PID 936 wrote to memory of 1260	936	ybhaj.exe	12
PID 936 wrote to memory of 1396	936	ybhaj.exe	11
PID 936 wrote to memory of 1396	936	ybhaj.exe	11
PID 936 wrote to memory of 1396	936	ybhaj.exe	11
PID 936 wrote to memory of 1396	936	ybhaj.exe	11
PID 936 wrote to memory of 1396	936	ybhaj.exe	11
PID 936 wrote to memory of 1424	936	ybhaj.exe	10
PID 936 wrote to memory of 1424	936	ybhaj.exe	10
PID 936 wrote to memory of 1424	936	ybhaj.exe	10
PID 936 wrote to memory of 1424	936	ybhaj.exe	10
PID 936 wrote to memory of 1424	936	ybhaj.exe	10
PID 936 wrote to memory of 900	936	ybhaj.exe	26
PID 936 wrote to memory of 900	936	ybhaj.exe	26
PID 936 wrote to memory of 900	936	ybhaj.exe	26
PID 936 wrote to memory of 900	936	ybhaj.exe	26
PID 936 wrote to memory of 900	936	ybhaj.exe	26
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28
PID 900 wrote to memory of 324	900	a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe
  "C:\Users\Admin\AppData\Local\Temp\a1637c63ed41916f9bf75b3b246287a29d22cfc94ffdebc00741be7369373a45.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe
    "C:\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp54577234.bat"
    3⤵
    - Deletes itself
    PID:324

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1396

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54577234.bat

Filesize
307B

MD5
bef6c59730d5019c58f9e989c7491dea

SHA1
204be8da8b8f1cf8c58d650ea6aaf34448edd252

SHA256
91b1d3e5232ee0448ce695127bf26512f38ec10136c8d97073de99efaf211238

SHA512
5663c6a7ed1ece303385950d004d5af0fd982873a56556befdf41b5563d73142fa098f6293fb44cd93ff912f7cc4df4b3bbf425ddbf3d6c580d05a5fb28c06e0

Download Submit
C:\Users\Admin\AppData\Roaming\Juzu\maasm.otu

Filesize
398B

MD5
5398f9354436b721a91bcb07e5ed436f

SHA1
6af1c09d9dc8212a3123f72a6ab551caeb9cc983

SHA256
acd892beace97a051d0f0e3ca6d5f09c9fa3f4a90eeeaf695403dbf4952ba1ec

SHA512
4363bccaa27e4ff5375d48e7a7953e8c0f0dfd49c5f9e9b240efe6991c9fd6b66dae88db57cc4b118ed98c098d4d7c5fe58350b7a621305705e01a95af33853c

Download Submit
C:\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe

Filesize
220KB

MD5
7d5943ba50e7c2efbdef1e6d1219d57e

SHA1
f186e343dee8ab81791a1747f81ad4520172180d

SHA256
59c1d10934302451a55367027e7e141f5c05f61420534cc2666ebea55261b8c6

SHA512
175bba9f9a367b4c1be447ea4804219cd81ffaed36467e3d36a009cf5f74dad6b769e0d1dbae32dbfa75de99eb4bc52c7923e9ba28a5242bf54f2d7ffd79eec1

Download Submit
C:\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe

Filesize
220KB

MD5
7d5943ba50e7c2efbdef1e6d1219d57e

SHA1
f186e343dee8ab81791a1747f81ad4520172180d

SHA256
59c1d10934302451a55367027e7e141f5c05f61420534cc2666ebea55261b8c6

SHA512
175bba9f9a367b4c1be447ea4804219cd81ffaed36467e3d36a009cf5f74dad6b769e0d1dbae32dbfa75de99eb4bc52c7923e9ba28a5242bf54f2d7ffd79eec1

Download Submit
\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe

Filesize
220KB

MD5
7d5943ba50e7c2efbdef1e6d1219d57e

SHA1
f186e343dee8ab81791a1747f81ad4520172180d

SHA256
59c1d10934302451a55367027e7e141f5c05f61420534cc2666ebea55261b8c6

SHA512
175bba9f9a367b4c1be447ea4804219cd81ffaed36467e3d36a009cf5f74dad6b769e0d1dbae32dbfa75de99eb4bc52c7923e9ba28a5242bf54f2d7ffd79eec1

Download Submit
\Users\Admin\AppData\Roaming\Veyjv\ybhaj.exe

Filesize
220KB

MD5
7d5943ba50e7c2efbdef1e6d1219d57e

SHA1
f186e343dee8ab81791a1747f81ad4520172180d

SHA256
59c1d10934302451a55367027e7e141f5c05f61420534cc2666ebea55261b8c6

SHA512
175bba9f9a367b4c1be447ea4804219cd81ffaed36467e3d36a009cf5f74dad6b769e0d1dbae32dbfa75de99eb4bc52c7923e9ba28a5242bf54f2d7ffd79eec1

Download Submit
memory/324-102-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/324-92-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/324-93-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/324-94-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/324-90-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/900-86-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/900-95-0x0000000007910000-0x0000000007D27000-memory.dmp

Filesize
4.1MB

Download
memory/900-55-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/900-99-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/900-97-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/900-83-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/900-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/900-85-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/900-84-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/936-96-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/936-61-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/936-103-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1260-68-0x0000000001E40000-0x0000000001E7D000-memory.dmp

Filesize
244KB

Download
memory/1260-66-0x0000000001E40000-0x0000000001E7D000-memory.dmp

Filesize
244KB

Download
memory/1260-63-0x0000000001E40000-0x0000000001E7D000-memory.dmp

Filesize
244KB

Download
memory/1260-67-0x0000000001E40000-0x0000000001E7D000-memory.dmp

Filesize
244KB

Download
memory/1260-65-0x0000000001E40000-0x0000000001E7D000-memory.dmp

Filesize
244KB

Download
memory/1396-71-0x0000000001B40000-0x0000000001B7D000-memory.dmp

Filesize
244KB

Download
memory/1396-72-0x0000000001B40000-0x0000000001B7D000-memory.dmp

Filesize
244KB

Download
memory/1396-74-0x0000000001B40000-0x0000000001B7D000-memory.dmp

Filesize
244KB

Download
memory/1396-73-0x0000000001B40000-0x0000000001B7D000-memory.dmp

Filesize
244KB

Download
memory/1424-80-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download
memory/1424-77-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download
memory/1424-78-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download
memory/1424-79-0x0000000002710000-0x000000000274D000-memory.dmp

Filesize
244KB

Download