bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064

Analysis

max time kernel
156s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 07:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
Size

231KB
MD5

ffa8e78e634fa8b2b98922f41acb02eb
SHA1

c325a7146fee2181b115e646d3f67d103d7baaf0
SHA256

bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064
SHA512

01ce9daf8a44ce64205392772cd9969d1828846ac84ccc8efd370cb69434f36071c64cbd8ecbde888fdd367cfa30d90c3f3d75a7dcdc1fd58ed0f6b0c426c228
SSDEEP

3072:/lexJLhbZkMe/C8yJ2STHRsXSNwLoqggaICZayLt87g09T2RZM:/gNXe5yJ2STxPC4gyZZz09T2Z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	Mdyraa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Mdyraa.exe	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Mdyraa.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Mdyraa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
File created	C:\Windows\Mdyraa.exe	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	Mdyraa.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International	Mdyraa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe
2232	Mdyraa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4060	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
2232	Mdyraa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2232	4060	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe	79
PID 4060 wrote to memory of 2232	4060	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe	79
PID 4060 wrote to memory of 2232	4060	bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe	79

C:\Users\Admin\AppData\Local\Temp\bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe
"C:\Users\Admin\AppData\Local\Temp\bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\Mdyraa.exe
  C:\Windows\Mdyraa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mdyraa.exe

Filesize
231KB

MD5
ffa8e78e634fa8b2b98922f41acb02eb

SHA1
c325a7146fee2181b115e646d3f67d103d7baaf0

SHA256
bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064

SHA512
01ce9daf8a44ce64205392772cd9969d1828846ac84ccc8efd370cb69434f36071c64cbd8ecbde888fdd367cfa30d90c3f3d75a7dcdc1fd58ed0f6b0c426c228

Download Submit
C:\Windows\Mdyraa.exe

Filesize
231KB

MD5
ffa8e78e634fa8b2b98922f41acb02eb

SHA1
c325a7146fee2181b115e646d3f67d103d7baaf0

SHA256
bfe1b8e0bc3b213fcfec704d4f89f4310c47287482f689b31527ddd464a84064

SHA512
01ce9daf8a44ce64205392772cd9969d1828846ac84ccc8efd370cb69434f36071c64cbd8ecbde888fdd367cfa30d90c3f3d75a7dcdc1fd58ed0f6b0c426c228

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
426B

MD5
1526eb9f3c9dfa8f4f556baeef1583c8

SHA1
a3533eaaa5e000ef3d87b6ba9118787c375d72f8

SHA256
79fc94e05072b989339097ea335cf37e3c86c512de6a5aff715aec541ad6d515

SHA512
fc0d2e6b7377ef619068a461c0463c894bcfe679fca5cfeb34f88a4eaf865dfed94408ce5db4dd509f0578e92b54da7457f967be12de55eaeb0eb7413aca0da5

Download Submit
memory/2232-138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-132-0x0000000000730000-0x0000000000757000-memory.dmp

Filesize
156KB

Download
memory/4060-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download