e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e

General

Target

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
Size

158KB
MD5

5a01c350dcb66ffb4b627ac59c8ce794
SHA1

520a17593a4c0cb8ad27a4e6c033882724d126df
SHA256

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e
SHA512

290beea3065af278ac92c53663b71ecf72f0c582d15ee0d224eb308e582091e1e75d2e3af1e9d952d50924183b2b8d87484f13523d4f2f3611d5d22bb82ec35e
SSDEEP

3072:2jvXGphAjSteGi0p+XsRf8yNqXBehq+8Qa8X0/j/PrAQfS7SAD0:kPGphAjjb0IXCfGec+w8dHzD

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wuyg.exe

pid process

848 wuyg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe	upx
C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe	upx
\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe	upx
C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe

pid	process
1352	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

pid	process
1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuyg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	wuyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09D573D8-C43F-2CA3-A2E5-2EB119A08933} = "C:\\Users\\Admin\\AppData\\Roaming\\Isanyg\\wuyg.exe"	wuyg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

description	pid	process	target process
PID 1740 set thread context of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

wuyg.exe

pid	process
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe
848	wuyg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

description	pid	process
Token: SeSecurityPrivilege	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
Token: SeSecurityPrivilege	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
Token: SeSecurityPrivilege	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exewuyg.exe

description	pid	process	target process
PID 1740 wrote to memory of 848	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	wuyg.exe
PID 1740 wrote to memory of 848	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	wuyg.exe
PID 1740 wrote to memory of 848	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	wuyg.exe
PID 1740 wrote to memory of 848	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	wuyg.exe
PID 848 wrote to memory of 1120	848	wuyg.exe	taskhost.exe
PID 848 wrote to memory of 1120	848	wuyg.exe	taskhost.exe
PID 848 wrote to memory of 1120	848	wuyg.exe	taskhost.exe
PID 848 wrote to memory of 1120	848	wuyg.exe	taskhost.exe
PID 848 wrote to memory of 1120	848	wuyg.exe	taskhost.exe
PID 848 wrote to memory of 1172	848	wuyg.exe	Dwm.exe
PID 848 wrote to memory of 1172	848	wuyg.exe	Dwm.exe
PID 848 wrote to memory of 1172	848	wuyg.exe	Dwm.exe
PID 848 wrote to memory of 1172	848	wuyg.exe	Dwm.exe
PID 848 wrote to memory of 1172	848	wuyg.exe	Dwm.exe
PID 848 wrote to memory of 1204	848	wuyg.exe	Explorer.EXE
PID 848 wrote to memory of 1204	848	wuyg.exe	Explorer.EXE
PID 848 wrote to memory of 1204	848	wuyg.exe	Explorer.EXE
PID 848 wrote to memory of 1204	848	wuyg.exe	Explorer.EXE
PID 848 wrote to memory of 1204	848	wuyg.exe	Explorer.EXE
PID 848 wrote to memory of 1740	848	wuyg.exe	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
PID 848 wrote to memory of 1740	848	wuyg.exe	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
PID 848 wrote to memory of 1740	848	wuyg.exe	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
PID 848 wrote to memory of 1740	848	wuyg.exe	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
PID 848 wrote to memory of 1740	848	wuyg.exe	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 1740 wrote to memory of 1352	1740	e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe	cmd.exe
PID 848 wrote to memory of 904	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 904	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 904	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 904	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 904	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 552	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 552	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 552	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 552	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 552	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 1672	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 1672	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 1672	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 1672	848	wuyg.exe	DllHost.exe
PID 848 wrote to memory of 1672	848	wuyg.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe
"C:\Users\Admin\AppData\Local\Temp\e1755eab1c4b2710cc304ea33727b5770de39cf265a575c0f4250ddb1594960e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe
"C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp066e7640.bat"
3⤵
- Deletes itself
PID:1352

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp066e7640.bat
Filesize
307B

MD5
9d7899a71ffc7e4188cb3577b0f1ad33

SHA1
70b6dcf0ed0ffc3bc870d2604df5667501954176

SHA256
60c75a1a094dfcacfce8e5a2fd6516e6d04798ffc994dc3566c5399207cac261

SHA512
08ce722da1c9c5270062eb721488c6c161900c8055cab903517c48b47ead51abd5e81e102dc0f2a4b69e4fdc31480b39160638629d7ace92d72279b86a739f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe
Filesize
158KB

MD5
309897091b402df1cb47c4243c1d2da9

SHA1
0575ad0c3daea2893c86a4067380aa3458c72cbf

SHA256
2f4ac3dff950421cf6550b71f4264618eacbd9e16e1b9d740ffdcad8337cf653

SHA512
90840a55f68b6ba3cb119758bb369fec4503741d42bbcbe00a0b471f3e3427e07e39a8f9dccb17ab053f5d1616e489c60604bd7e14aa0cd0507f15f9bea6e2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe
Filesize
158KB

MD5
309897091b402df1cb47c4243c1d2da9

SHA1
0575ad0c3daea2893c86a4067380aa3458c72cbf

SHA256
2f4ac3dff950421cf6550b71f4264618eacbd9e16e1b9d740ffdcad8337cf653

SHA512
90840a55f68b6ba3cb119758bb369fec4503741d42bbcbe00a0b471f3e3427e07e39a8f9dccb17ab053f5d1616e489c60604bd7e14aa0cd0507f15f9bea6e2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Oqsa\fuys.uba
Filesize
398B

MD5
c481cc65d27997dfd8faf9c1b5e2209c

SHA1
a6713ab444c597b62cb5b730c0dc34f73841ba8e

SHA256
bb35f0af60132b061bba46b699d902324490070fb5794dc2fa9eec08c5e1ee1c

SHA512
c0cd0aa47f9a5a73209074f237ab6ca00b223a732ef18fba8315e8ce0cd6630ce4a376e6ad7579965b82a3603866a1865b0b76042be8b8600a72ebf4ab55b9e6

Download Submit
\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe
Filesize
158KB

MD5
309897091b402df1cb47c4243c1d2da9

SHA1
0575ad0c3daea2893c86a4067380aa3458c72cbf

SHA256
2f4ac3dff950421cf6550b71f4264618eacbd9e16e1b9d740ffdcad8337cf653

SHA512
90840a55f68b6ba3cb119758bb369fec4503741d42bbcbe00a0b471f3e3427e07e39a8f9dccb17ab053f5d1616e489c60604bd7e14aa0cd0507f15f9bea6e2bb

Download Submit
\Users\Admin\AppData\Roaming\Isanyg\wuyg.exe
Filesize
158KB

MD5
309897091b402df1cb47c4243c1d2da9

SHA1
0575ad0c3daea2893c86a4067380aa3458c72cbf

SHA256
2f4ac3dff950421cf6550b71f4264618eacbd9e16e1b9d740ffdcad8337cf653

SHA512
90840a55f68b6ba3cb119758bb369fec4503741d42bbcbe00a0b471f3e3427e07e39a8f9dccb17ab053f5d1616e489c60604bd7e14aa0cd0507f15f9bea6e2bb

Download Submit
memory/552-115-0x0000000003A50000-0x0000000003A76000-memory.dmp

Filesize
152KB

Download
memory/552-116-0x0000000003A50000-0x0000000003A76000-memory.dmp

Filesize
152KB

Download
memory/552-117-0x0000000003A50000-0x0000000003A76000-memory.dmp

Filesize
152KB

Download
memory/552-114-0x0000000003A50000-0x0000000003A76000-memory.dmp

Filesize
152KB

Download
memory/848-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/848-59-0x0000000000000000-mapping.dmp

Download
memory/848-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/904-108-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/904-109-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/904-110-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/904-111-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/1120-68-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1120-67-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1120-66-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1120-65-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1120-63-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1172-73-0x0000000001B60000-0x0000000001B86000-memory.dmp

Filesize
152KB

Download
memory/1172-74-0x0000000001B60000-0x0000000001B86000-memory.dmp

Filesize
152KB

Download
memory/1172-72-0x0000000001B60000-0x0000000001B86000-memory.dmp

Filesize
152KB

Download
memory/1172-71-0x0000000001B60000-0x0000000001B86000-memory.dmp

Filesize
152KB

Download
memory/1204-78-0x00000000029D0000-0x00000000029F6000-memory.dmp

Filesize
152KB

Download
memory/1204-79-0x00000000029D0000-0x00000000029F6000-memory.dmp

Filesize
152KB

Download
memory/1204-80-0x00000000029D0000-0x00000000029F6000-memory.dmp

Filesize
152KB

Download
memory/1204-77-0x00000000029D0000-0x00000000029F6000-memory.dmp

Filesize
152KB

Download
memory/1352-105-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1352-99-0x0000000000060C03-mapping.dmp

Download
memory/1352-97-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1352-95-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1352-96-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1352-93-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1672-120-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1672-123-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1672-122-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1672-121-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1740-90-0x00000000002C0000-0x00000000002FA000-memory.dmp

Filesize
232KB

Download
memory/1740-83-0x00000000002C0000-0x00000000002FA000-memory.dmp

Filesize
232KB

Download
memory/1740-81-0x00000000002C0000-0x00000000002FA000-memory.dmp

Filesize
232KB

Download
memory/1740-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-89-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/1740-100-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1740-101-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads