946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a

Analysis

max time kernel
152s
max time network
188s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe
Size

335KB
MD5

54146c020d991c1d88887f531b824bf6
SHA1

ff952191109c3ba612c0156a8b1c96674805d201
SHA256

946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a
SHA512

5ce717ae8e10a22d4e173ef3cc88c9f976a5408ff822db3c72eb6e99e9f0ffc26f8d506e2fdbe0d4057a1987b8bede882dc80cc04ed3421576e3f7992207229d
SSDEEP

6144:7DXDvsQnb8iRqNx7rYx+UG6yb1nGdLR97h3UXd7qbmU4Sbt:7DXDVnbBqNuxF/s1GRR97h3UtmbmU4Sp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
772	ysxuk.exe
1084	ysxuk.exe

Deletes itself 1 IoCs

pid	Process
1424	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe
940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ysxuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Ohev\\ysxuk.exe"	ysxuk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 772 set thread context of 1084	772	ysxuk.exe	30
PID 940 set thread context of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe
1084	ysxuk.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 1888 wrote to memory of 940	1888	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	28
PID 940 wrote to memory of 772	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	29
PID 940 wrote to memory of 772	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	29
PID 940 wrote to memory of 772	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	29
PID 940 wrote to memory of 772	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	29
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 772 wrote to memory of 1084	772	ysxuk.exe	30
PID 1084 wrote to memory of 1128	1084	ysxuk.exe	18
PID 1084 wrote to memory of 1128	1084	ysxuk.exe	18
PID 1084 wrote to memory of 1128	1084	ysxuk.exe	18
PID 1084 wrote to memory of 1128	1084	ysxuk.exe	18
PID 1084 wrote to memory of 1128	1084	ysxuk.exe	18
PID 1084 wrote to memory of 1224	1084	ysxuk.exe	16
PID 1084 wrote to memory of 1224	1084	ysxuk.exe	16
PID 1084 wrote to memory of 1224	1084	ysxuk.exe	16
PID 1084 wrote to memory of 1224	1084	ysxuk.exe	16
PID 1084 wrote to memory of 1224	1084	ysxuk.exe	16
PID 1084 wrote to memory of 1276	1084	ysxuk.exe	15
PID 1084 wrote to memory of 1276	1084	ysxuk.exe	15
PID 1084 wrote to memory of 1276	1084	ysxuk.exe	15
PID 1084 wrote to memory of 1276	1084	ysxuk.exe	15
PID 1084 wrote to memory of 1276	1084	ysxuk.exe	15
PID 1084 wrote to memory of 940	1084	ysxuk.exe	28
PID 1084 wrote to memory of 940	1084	ysxuk.exe	28
PID 1084 wrote to memory of 940	1084	ysxuk.exe	28
PID 1084 wrote to memory of 940	1084	ysxuk.exe	28
PID 1084 wrote to memory of 940	1084	ysxuk.exe	28
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 940 wrote to memory of 1424	940	946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe	31
PID 1084 wrote to memory of 852	1084	ysxuk.exe	32
PID 1084 wrote to memory of 852	1084	ysxuk.exe	32
PID 1084 wrote to memory of 852	1084	ysxuk.exe	32
PID 1084 wrote to memory of 852	1084	ysxuk.exe	32
PID 1084 wrote to memory of 852	1084	ysxuk.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe
  "C:\Users\Admin\AppData\Local\Temp\946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe
    "C:\Users\Admin\AppData\Local\Temp\946899e5c04546963addf5e384c656fa138fad3972ccd7de54bfd623de4f149a.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe
      "C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe
        
        "C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe0852c1b.bat"
      4⤵
      Deletes itself
      PID:1424

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1822157377-614470190119780098-973487695469261956-12314532321411569134876411351"
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe0852c1b.bat

Filesize
307B

MD5
7c3c429770b699622f8c6b9698cfd0a1

SHA1
b39e003c17b9eab3cf9888813a89b70e65413e97

SHA256
d8ec994d2099947b9ef087623fdcc30a679c32fdeaac396d0654339c619a5abc

SHA512
4f80f33e03472b35540db960c90fca0ed3e150dda41a1e88658bbf57e0ea7897aaf2d6d1a559c03e2e40356f9107de1401caa104e3c1b5a0736e08168737e723

Download Submit
C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe

Filesize
335KB

MD5
e91da33f4258232574a6869150652476

SHA1
6c055f52826f2444ba10bea4f8565de5556d17b9

SHA256
58e4a5755defb1f767f720ea2897a321de19930e1b587fce4cfd232e4712bac2

SHA512
5023012682141aee4dea2255d696dcb9d82bdd4b59a8c9c6cf196efb869ce291e6f8fc6e69cbdc26a1a2f5583ccff717b95b51b2b7eb38653f386b8ac876d685

Download Submit
C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe

Filesize
335KB

MD5
e91da33f4258232574a6869150652476

SHA1
6c055f52826f2444ba10bea4f8565de5556d17b9

SHA256
58e4a5755defb1f767f720ea2897a321de19930e1b587fce4cfd232e4712bac2

SHA512
5023012682141aee4dea2255d696dcb9d82bdd4b59a8c9c6cf196efb869ce291e6f8fc6e69cbdc26a1a2f5583ccff717b95b51b2b7eb38653f386b8ac876d685

Download Submit
C:\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe

Filesize
335KB

MD5
e91da33f4258232574a6869150652476

SHA1
6c055f52826f2444ba10bea4f8565de5556d17b9

SHA256
58e4a5755defb1f767f720ea2897a321de19930e1b587fce4cfd232e4712bac2

SHA512
5023012682141aee4dea2255d696dcb9d82bdd4b59a8c9c6cf196efb869ce291e6f8fc6e69cbdc26a1a2f5583ccff717b95b51b2b7eb38653f386b8ac876d685

Download Submit
\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe

Filesize
335KB

MD5
e91da33f4258232574a6869150652476

SHA1
6c055f52826f2444ba10bea4f8565de5556d17b9

SHA256
58e4a5755defb1f767f720ea2897a321de19930e1b587fce4cfd232e4712bac2

SHA512
5023012682141aee4dea2255d696dcb9d82bdd4b59a8c9c6cf196efb869ce291e6f8fc6e69cbdc26a1a2f5583ccff717b95b51b2b7eb38653f386b8ac876d685

Download Submit
\Users\Admin\AppData\Roaming\Ohev\ysxuk.exe

Filesize
335KB

MD5
e91da33f4258232574a6869150652476

SHA1
6c055f52826f2444ba10bea4f8565de5556d17b9

SHA256
58e4a5755defb1f767f720ea2897a321de19930e1b587fce4cfd232e4712bac2

SHA512
5023012682141aee4dea2255d696dcb9d82bdd4b59a8c9c6cf196efb869ce291e6f8fc6e69cbdc26a1a2f5583ccff717b95b51b2b7eb38653f386b8ac876d685

Download Submit
memory/772-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/852-128-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/852-127-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/852-126-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/852-125-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/940-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-106-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/940-64-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/940-107-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/940-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-105-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/940-68-0x0000000000370000-0x00000000003C8000-memory.dmp

Filesize
352KB

Download
memory/940-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-120-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/940-110-0x0000000000370000-0x00000000003C8000-memory.dmp

Filesize
352KB

Download
memory/940-108-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1084-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1084-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-90-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1128-87-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1128-88-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1128-89-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1224-94-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1224-93-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1224-95-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1224-96-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1276-101-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-100-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-99-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1276-102-0x00000000029B0000-0x00000000029F4000-memory.dmp

Filesize
272KB

Download
memory/1424-117-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1424-122-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1424-118-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1424-116-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1424-114-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1888-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1888-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download