463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c

Analysis

max time kernel
181s
max time network
207s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe
Size

298KB
MD5

eeecff7b4c01b63c03e0a31aa814c016
SHA1

8faec0d274677c9a9fa8610d3603c1423fd4765e
SHA256

463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c
SHA512

6ee444f4ed5159f904f2bf99c611a21a258b38de72ebfe42666857def33b5686d78ecf16a80b842347d3d97d54162d8d9e4c40098345c4230d99cc108f8e4b49
SSDEEP

6144:PZDPnPsHhCC7fSxXBSXkr17rFfv7duydTmU0BXe5aRucLXEWhcX4s0l/:ZPnP0EXcUtTuE8u5/cQWhcX475

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	myahu.exe

Deletes itself 1 IoCs

pid	Process
1356	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe
2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	myahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myahu = "C:\\Users\\Admin\\AppData\\Roaming\\Tybom\\myahu.exe"	myahu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe
1360	myahu.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1360	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	28
PID 2004 wrote to memory of 1360	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	28
PID 2004 wrote to memory of 1360	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	28
PID 2004 wrote to memory of 1360	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	28
PID 1360 wrote to memory of 1124	1360	myahu.exe	10
PID 1360 wrote to memory of 1124	1360	myahu.exe	10
PID 1360 wrote to memory of 1124	1360	myahu.exe	10
PID 1360 wrote to memory of 1124	1360	myahu.exe	10
PID 1360 wrote to memory of 1124	1360	myahu.exe	10
PID 1360 wrote to memory of 1236	1360	myahu.exe	9
PID 1360 wrote to memory of 1236	1360	myahu.exe	9
PID 1360 wrote to memory of 1236	1360	myahu.exe	9
PID 1360 wrote to memory of 1236	1360	myahu.exe	9
PID 1360 wrote to memory of 1236	1360	myahu.exe	9
PID 1360 wrote to memory of 1304	1360	myahu.exe	8
PID 1360 wrote to memory of 1304	1360	myahu.exe	8
PID 1360 wrote to memory of 1304	1360	myahu.exe	8
PID 1360 wrote to memory of 1304	1360	myahu.exe	8
PID 1360 wrote to memory of 1304	1360	myahu.exe	8
PID 1360 wrote to memory of 2004	1360	myahu.exe	1
PID 1360 wrote to memory of 2004	1360	myahu.exe	1
PID 1360 wrote to memory of 2004	1360	myahu.exe	1
PID 1360 wrote to memory of 2004	1360	myahu.exe	1
PID 1360 wrote to memory of 2004	1360	myahu.exe	1
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29
PID 2004 wrote to memory of 1356	2004	463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe	29

C:\Users\Admin\AppData\Local\Temp\463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe
"C:\Users\Admin\AppData\Local\Temp\463d6f48295dbf12f97549814b20facef94684247fc250a98f6546c76be7e21c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Roaming\Tybom\myahu.exe
  "C:\Users\Admin\AppData\Roaming\Tybom\myahu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\LHLF891.bat"
  2⤵
  - Deletes itself
  PID:1356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LHLF891.bat

Filesize
303B

MD5
82644ee0736c78606c0efcb0ef50956f

SHA1
8bfc41aa9da425b084327c5ebeb69ca3adf7ad5a

SHA256
48284edf51065b9ad59d29f76dfac0283533ba90a0c137f7a021f46d23d41ba7

SHA512
49c6f65241fa9c91cd123c58636313e6b3cd9b0e9948bc76cc371c90c246053fd58d6045db54597ddd6312af1ec6223c2d587a05c762433811bbdd71263f90b4

Download Submit
C:\Users\Admin\AppData\Roaming\Tybom\myahu.exe

Filesize
298KB

MD5
b494b970a6f47ff9f3879d9eeebb05a2

SHA1
32000b2009efddcffdb8f55ec3aadfeaf0026203

SHA256
19da867ae3b742d2ea5c139fbf65333de7d7ac78ebb0881e09efd3281293cbfc

SHA512
1f95a66bedb0ca961e1e86d7bb71ebde7b0835e26b3580bfa92f74b002eab24f8f46a79b27fea3688660ca5e0ccccb69dd28ac7121dec9451075ea40084c07b9

Download Submit
C:\Users\Admin\AppData\Roaming\Tybom\myahu.exe

Filesize
298KB

MD5
b494b970a6f47ff9f3879d9eeebb05a2

SHA1
32000b2009efddcffdb8f55ec3aadfeaf0026203

SHA256
19da867ae3b742d2ea5c139fbf65333de7d7ac78ebb0881e09efd3281293cbfc

SHA512
1f95a66bedb0ca961e1e86d7bb71ebde7b0835e26b3580bfa92f74b002eab24f8f46a79b27fea3688660ca5e0ccccb69dd28ac7121dec9451075ea40084c07b9

Download Submit
\Users\Admin\AppData\Roaming\Tybom\myahu.exe

Filesize
298KB

MD5
b494b970a6f47ff9f3879d9eeebb05a2

SHA1
32000b2009efddcffdb8f55ec3aadfeaf0026203

SHA256
19da867ae3b742d2ea5c139fbf65333de7d7ac78ebb0881e09efd3281293cbfc

SHA512
1f95a66bedb0ca961e1e86d7bb71ebde7b0835e26b3580bfa92f74b002eab24f8f46a79b27fea3688660ca5e0ccccb69dd28ac7121dec9451075ea40084c07b9

Download Submit
\Users\Admin\AppData\Roaming\Tybom\myahu.exe

Filesize
298KB

MD5
b494b970a6f47ff9f3879d9eeebb05a2

SHA1
32000b2009efddcffdb8f55ec3aadfeaf0026203

SHA256
19da867ae3b742d2ea5c139fbf65333de7d7ac78ebb0881e09efd3281293cbfc

SHA512
1f95a66bedb0ca961e1e86d7bb71ebde7b0835e26b3580bfa92f74b002eab24f8f46a79b27fea3688660ca5e0ccccb69dd28ac7121dec9451075ea40084c07b9

Download Submit
memory/1124-70-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1124-65-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1124-67-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1124-68-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1124-69-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1236-73-0x0000000001B90000-0x0000000001BD9000-memory.dmp

Filesize
292KB

Download
memory/1236-74-0x0000000001B90000-0x0000000001BD9000-memory.dmp

Filesize
292KB

Download
memory/1236-75-0x0000000001B90000-0x0000000001BD9000-memory.dmp

Filesize
292KB

Download
memory/1236-76-0x0000000001B90000-0x0000000001BD9000-memory.dmp

Filesize
292KB

Download
memory/1304-81-0x0000000002B30000-0x0000000002B79000-memory.dmp

Filesize
292KB

Download
memory/1304-82-0x0000000002B30000-0x0000000002B79000-memory.dmp

Filesize
292KB

Download
memory/1304-80-0x0000000002B30000-0x0000000002B79000-memory.dmp

Filesize
292KB

Download
memory/1304-79-0x0000000002B30000-0x0000000002B79000-memory.dmp

Filesize
292KB

Download
memory/1356-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1356-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1356-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1356-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1356-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1356-103-0x0000000000083B6A-mapping.dmp

Download
memory/1356-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/2004-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-95-0x0000000001EE0000-0x0000000001F29000-memory.dmp

Filesize
292KB

Download
memory/2004-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2004-88-0x0000000001EE0000-0x0000000001F29000-memory.dmp

Filesize
292KB

Download
memory/2004-87-0x0000000001EE0000-0x0000000001F29000-memory.dmp

Filesize
292KB

Download
memory/2004-86-0x0000000001EE0000-0x0000000001F29000-memory.dmp

Filesize
292KB

Download
memory/2004-85-0x0000000001EE0000-0x0000000001F29000-memory.dmp

Filesize
292KB

Download
memory/2004-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download