b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe
Size

378KB
MD5

e6793f83747d2053b09298793c746a37
SHA1

8ecb2cb194efb58b7e6cd095e8889d329eb378e5
SHA256

b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767
SHA512

33ffc4d03fd4b0d784d85d94773f996e910d249f83a73fc63bea32f012d9fb4b08d695e11179b738a06c5d091139bc3c7dc38f59e872fab50961ce9eca9d1ccb
SSDEEP

6144:9GnWWZnUWJt0fTxgBwfM8pWc1f63pxdR/qZiwDlpqa2qqL0th4vEd:SWCtBn8fBcxdMZ7hMDFuhIEd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	etdywy.exe

Deletes itself 1 IoCs

pid	Process
1832	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe
996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	etdywy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Zoqa\\etdywy.exe"	etdywy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe
904	etdywy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe
904	etdywy.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 904	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	27
PID 996 wrote to memory of 904	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	27
PID 996 wrote to memory of 904	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	27
PID 996 wrote to memory of 904	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	27
PID 904 wrote to memory of 1132	904	etdywy.exe	15
PID 904 wrote to memory of 1132	904	etdywy.exe	15
PID 904 wrote to memory of 1132	904	etdywy.exe	15
PID 904 wrote to memory of 1132	904	etdywy.exe	15
PID 904 wrote to memory of 1132	904	etdywy.exe	15
PID 904 wrote to memory of 1232	904	etdywy.exe	14
PID 904 wrote to memory of 1232	904	etdywy.exe	14
PID 904 wrote to memory of 1232	904	etdywy.exe	14
PID 904 wrote to memory of 1232	904	etdywy.exe	14
PID 904 wrote to memory of 1232	904	etdywy.exe	14
PID 904 wrote to memory of 1304	904	etdywy.exe	13
PID 904 wrote to memory of 1304	904	etdywy.exe	13
PID 904 wrote to memory of 1304	904	etdywy.exe	13
PID 904 wrote to memory of 1304	904	etdywy.exe	13
PID 904 wrote to memory of 1304	904	etdywy.exe	13
PID 904 wrote to memory of 996	904	etdywy.exe	26
PID 904 wrote to memory of 996	904	etdywy.exe	26
PID 904 wrote to memory of 996	904	etdywy.exe	26
PID 904 wrote to memory of 996	904	etdywy.exe	26
PID 904 wrote to memory of 996	904	etdywy.exe	26
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28
PID 996 wrote to memory of 1832	996	b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe
  "C:\Users\Admin\AppData\Local\Temp\b9fb5289de82d44893f8e1b71d2140a92436852e1b386874f91889131bafc767.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe
    "C:\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe4f7f037.bat"
    3⤵
    - Deletes itself
    PID:1832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe4f7f037.bat

Filesize
307B

MD5
f935679a9c00f3275cb1eeb8b7f2d678

SHA1
9b078660aeb47dbef5138d9d930d925d2b060090

SHA256
cc80dc6d69059203d0dca9da3557f37b6526f06c875bbed4da3320a9469e124d

SHA512
25f27bd5892f3bd51189f7ae1bbb803fba59eb7941f01e8d482ea4dbbda07f8019bbe40c195a59e40512b171f6fe0d2a78431035d0268a33b6a4e8d55e2758dd

Download Submit
C:\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe

Filesize
378KB

MD5
72de16a9a1cc59b2b71dea2f61dd1837

SHA1
2c4b13b93c2aad5444b6c76df3d0293cef4f3688

SHA256
b3a0bd1bc43dcd064554cd095ba91893ebd140c50db2531f555c22f8a5ece517

SHA512
0d4f2783f481dc377433642d93296d8e046ea0d42236e886c050cbc5946b45339ac795456bd769951debe424da91a264222871198bec07325494b8eea779d4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe

Filesize
378KB

MD5
72de16a9a1cc59b2b71dea2f61dd1837

SHA1
2c4b13b93c2aad5444b6c76df3d0293cef4f3688

SHA256
b3a0bd1bc43dcd064554cd095ba91893ebd140c50db2531f555c22f8a5ece517

SHA512
0d4f2783f481dc377433642d93296d8e046ea0d42236e886c050cbc5946b45339ac795456bd769951debe424da91a264222871198bec07325494b8eea779d4f6

Download Submit
\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe

Filesize
378KB

MD5
72de16a9a1cc59b2b71dea2f61dd1837

SHA1
2c4b13b93c2aad5444b6c76df3d0293cef4f3688

SHA256
b3a0bd1bc43dcd064554cd095ba91893ebd140c50db2531f555c22f8a5ece517

SHA512
0d4f2783f481dc377433642d93296d8e046ea0d42236e886c050cbc5946b45339ac795456bd769951debe424da91a264222871198bec07325494b8eea779d4f6

Download Submit
\Users\Admin\AppData\Roaming\Zoqa\etdywy.exe

Filesize
378KB

MD5
72de16a9a1cc59b2b71dea2f61dd1837

SHA1
2c4b13b93c2aad5444b6c76df3d0293cef4f3688

SHA256
b3a0bd1bc43dcd064554cd095ba91893ebd140c50db2531f555c22f8a5ece517

SHA512
0d4f2783f481dc377433642d93296d8e046ea0d42236e886c050cbc5946b45339ac795456bd769951debe424da91a264222871198bec07325494b8eea779d4f6

Download Submit
memory/904-105-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/904-103-0x0000000000300000-0x000000000034C000-memory.dmp

Filesize
304KB

Download
memory/904-104-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/996-97-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/996-84-0x0000000000810000-0x000000000085C000-memory.dmp

Filesize
304KB

Download
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/996-98-0x0000000000810000-0x000000000085C000-memory.dmp

Filesize
304KB

Download
memory/996-96-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/996-83-0x0000000000810000-0x000000000085C000-memory.dmp

Filesize
304KB

Download
memory/996-95-0x00000000006D0000-0x000000000071C000-memory.dmp

Filesize
304KB

Download
memory/996-86-0x0000000000810000-0x000000000085C000-memory.dmp

Filesize
304KB

Download
memory/996-85-0x0000000000810000-0x000000000085C000-memory.dmp

Filesize
304KB

Download
memory/996-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/996-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1132-66-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1132-63-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1132-65-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1132-68-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1132-67-0x0000000001C60000-0x0000000001CAC000-memory.dmp

Filesize
304KB

Download
memory/1232-72-0x0000000000340000-0x000000000038C000-memory.dmp

Filesize
304KB

Download
memory/1232-74-0x0000000000340000-0x000000000038C000-memory.dmp

Filesize
304KB

Download
memory/1232-73-0x0000000000340000-0x000000000038C000-memory.dmp

Filesize
304KB

Download
memory/1232-71-0x0000000000340000-0x000000000038C000-memory.dmp

Filesize
304KB

Download
memory/1304-80-0x00000000029C0000-0x0000000002A0C000-memory.dmp

Filesize
304KB

Download
memory/1304-77-0x00000000029C0000-0x0000000002A0C000-memory.dmp

Filesize
304KB

Download
memory/1304-78-0x00000000029C0000-0x0000000002A0C000-memory.dmp

Filesize
304KB

Download
memory/1304-79-0x00000000029C0000-0x0000000002A0C000-memory.dmp

Filesize
304KB

Download
memory/1832-89-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1832-92-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1832-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1832-93-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1832-102-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1832-91-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download