1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
Size

296KB
MD5

5ca14e99d748f71d726d813bf574b11e
SHA1

fb3eb15fb5d97236625591fd6511459019b8214f
SHA256

1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38
SHA512

be208be98964ee7b2ece5c0a2e5207b7e34406b4b23638168e6185a32dd2f6cf437bc908f39e15c81921174e14e4cc52969e3004ceabb458787eec38faa1a947
SSDEEP

6144:IoOeH4vkd5jIxRFKA5tl1mnLZrWz3ZnnW/Mq3gg+FGtFrKs0MjDTQP/6oHp:IfeH4K5jal4yW/MMnwGtFmsy3P

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
896	niylb.exe

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	niylb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niylb = "C:\\Users\\Admin\\AppData\\Roaming\\Adkoy\\niylb.exe"	niylb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe
896	niylb.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 896	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	28
PID 1764 wrote to memory of 896	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	28
PID 1764 wrote to memory of 896	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	28
PID 1764 wrote to memory of 896	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	28
PID 896 wrote to memory of 1120	896	niylb.exe	19
PID 896 wrote to memory of 1120	896	niylb.exe	19
PID 896 wrote to memory of 1120	896	niylb.exe	19
PID 896 wrote to memory of 1120	896	niylb.exe	19
PID 896 wrote to memory of 1120	896	niylb.exe	19
PID 896 wrote to memory of 1176	896	niylb.exe	18
PID 896 wrote to memory of 1176	896	niylb.exe	18
PID 896 wrote to memory of 1176	896	niylb.exe	18
PID 896 wrote to memory of 1176	896	niylb.exe	18
PID 896 wrote to memory of 1176	896	niylb.exe	18
PID 896 wrote to memory of 1204	896	niylb.exe	17
PID 896 wrote to memory of 1204	896	niylb.exe	17
PID 896 wrote to memory of 1204	896	niylb.exe	17
PID 896 wrote to memory of 1204	896	niylb.exe	17
PID 896 wrote to memory of 1204	896	niylb.exe	17
PID 896 wrote to memory of 1764	896	niylb.exe	27
PID 896 wrote to memory of 1764	896	niylb.exe	27
PID 896 wrote to memory of 1764	896	niylb.exe	27
PID 896 wrote to memory of 1764	896	niylb.exe	27
PID 896 wrote to memory of 1764	896	niylb.exe	27
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29
PID 1764 wrote to memory of 1496	1764	1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
  "C:\Users\Admin\AppData\Local\Temp\1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe
    "C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RSQ906C.bat"
    3⤵
    - Deletes itself
    PID:1496

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RSQ906C.bat

Filesize
303B

MD5
4ce61661f04672a10949dd908d99b433

SHA1
6a8d8686308255cf17f8e5a9857c50fff306e056

SHA256
a93d4bc0394fd71f1fbbfcb9109ff109f4a2b55c97985b3d85e7b251c7737d82

SHA512
2a61c125593d126cc9576556fbc44a762eb39cbd7d951bffa7e363a636df8f0bf372f11bc1412a4593d424b8f3cd6e6ff53c045a70f667c88e9b5bbb1a03f06f

Download Submit
C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe

Filesize
296KB

MD5
149bd411ddad6fa0227552402822791c

SHA1
5d33d9c29409d4f670ba7ee40f29df366d0c9c3d

SHA256
4db55e61d47fffb49cedf7b19d85a5c70fb35f72ed99bee33acfb802dd8bb83e

SHA512
e1456797f5595fcca4a2aa6d986a073b77159bce8ace9bf61bfa0073dc633de27c425d2516f81d8f4ffa9d30f92f372adaefa39c91a10f2231546ca1f1a7ec09

Download Submit
C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe

Filesize
296KB

MD5
149bd411ddad6fa0227552402822791c

SHA1
5d33d9c29409d4f670ba7ee40f29df366d0c9c3d

SHA256
4db55e61d47fffb49cedf7b19d85a5c70fb35f72ed99bee33acfb802dd8bb83e

SHA512
e1456797f5595fcca4a2aa6d986a073b77159bce8ace9bf61bfa0073dc633de27c425d2516f81d8f4ffa9d30f92f372adaefa39c91a10f2231546ca1f1a7ec09

Download Submit
\Users\Admin\AppData\Roaming\Adkoy\niylb.exe

Filesize
296KB

MD5
149bd411ddad6fa0227552402822791c

SHA1
5d33d9c29409d4f670ba7ee40f29df366d0c9c3d

SHA256
4db55e61d47fffb49cedf7b19d85a5c70fb35f72ed99bee33acfb802dd8bb83e

SHA512
e1456797f5595fcca4a2aa6d986a073b77159bce8ace9bf61bfa0073dc633de27c425d2516f81d8f4ffa9d30f92f372adaefa39c91a10f2231546ca1f1a7ec09

Download Submit
\Users\Admin\AppData\Roaming\Adkoy\niylb.exe

Filesize
296KB

MD5
149bd411ddad6fa0227552402822791c

SHA1
5d33d9c29409d4f670ba7ee40f29df366d0c9c3d

SHA256
4db55e61d47fffb49cedf7b19d85a5c70fb35f72ed99bee33acfb802dd8bb83e

SHA512
e1456797f5595fcca4a2aa6d986a073b77159bce8ace9bf61bfa0073dc633de27c425d2516f81d8f4ffa9d30f92f372adaefa39c91a10f2231546ca1f1a7ec09

Download Submit
memory/896-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1120-67-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/1120-69-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/1120-68-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/1120-70-0x00000000004A0000-0x00000000004E9000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/1204-79-0x0000000002950000-0x0000000002999000-memory.dmp

Filesize
292KB

Download
memory/1204-80-0x0000000002950000-0x0000000002999000-memory.dmp

Filesize
292KB

Download
memory/1204-81-0x0000000002950000-0x0000000002999000-memory.dmp

Filesize
292KB

Download
memory/1204-82-0x0000000002950000-0x0000000002999000-memory.dmp

Filesize
292KB

Download
memory/1496-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1496-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1496-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1496-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1496-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1496-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1764-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-85-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1764-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-103-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1764-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1764-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-88-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1764-86-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1764-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1764-87-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download