911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f

Analysis

max time kernel
292s
max time network
398s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
Size

236KB
MD5

bf8b8a8d6538f99d9ee709a3658c4735
SHA1

0b0eadb4db1f2c5448097ab306166194fc26d4e1
SHA256

911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f
SHA512

b8cbc322663938fb829138a3dc61e183376fcdec2c7663f9a6b923c44ddfb1a313256dab700d3ff11ca6caedc1c21139899552c12eaa0b6fe2500d89c74a1e1c
SSDEEP

6144:nE/V92MxPRjKlpRBI2JDBYlwh4nCCQImearMT:nE7x3GTc2RSwh4CCYN

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
468	lyens.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012701-57.dat	upx
behavioral1/memory/584-58-0x0000000000330000-0x000000000036D000-memory.dmp	upx
behavioral1/files/0x0009000000012701-59.dat	upx
behavioral1/files/0x0009000000012701-61.dat	upx
behavioral1/files/0x0009000000012701-63.dat	upx

Deletes itself 1 IoCs

pid	Process
812	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	lyens.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{198AA462-ACC1-91F1-D283-C1D1854C718D} = "C:\\Users\\Admin\\AppData\\Roaming\\Yqivby\\lyens.exe"	lyens.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 584 set thread context of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe
468	lyens.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
Token: SeSecurityPrivilege	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
Token: SeSecurityPrivilege	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 468	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	28
PID 584 wrote to memory of 468	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	28
PID 584 wrote to memory of 468	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	28
PID 584 wrote to memory of 468	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	28
PID 468 wrote to memory of 1120	468	lyens.exe	17
PID 468 wrote to memory of 1120	468	lyens.exe	17
PID 468 wrote to memory of 1120	468	lyens.exe	17
PID 468 wrote to memory of 1120	468	lyens.exe	17
PID 468 wrote to memory of 1120	468	lyens.exe	17
PID 468 wrote to memory of 1172	468	lyens.exe	16
PID 468 wrote to memory of 1172	468	lyens.exe	16
PID 468 wrote to memory of 1172	468	lyens.exe	16
PID 468 wrote to memory of 1172	468	lyens.exe	16
PID 468 wrote to memory of 1172	468	lyens.exe	16
PID 468 wrote to memory of 1200	468	lyens.exe	15
PID 468 wrote to memory of 1200	468	lyens.exe	15
PID 468 wrote to memory of 1200	468	lyens.exe	15
PID 468 wrote to memory of 1200	468	lyens.exe	15
PID 468 wrote to memory of 1200	468	lyens.exe	15
PID 468 wrote to memory of 584	468	lyens.exe	18
PID 468 wrote to memory of 584	468	lyens.exe	18
PID 468 wrote to memory of 584	468	lyens.exe	18
PID 468 wrote to memory of 584	468	lyens.exe	18
PID 468 wrote to memory of 584	468	lyens.exe	18
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 584 wrote to memory of 812	584	911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe	29
PID 468 wrote to memory of 1744	468	lyens.exe	31
PID 468 wrote to memory of 1744	468	lyens.exe	31
PID 468 wrote to memory of 1744	468	lyens.exe	31
PID 468 wrote to memory of 1744	468	lyens.exe	31
PID 468 wrote to memory of 1744	468	lyens.exe	31
PID 468 wrote to memory of 816	468	lyens.exe	32
PID 468 wrote to memory of 816	468	lyens.exe	32
PID 468 wrote to memory of 816	468	lyens.exe	32
PID 468 wrote to memory of 816	468	lyens.exe	32
PID 468 wrote to memory of 816	468	lyens.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe
  "C:\Users\Admin\AppData\Local\Temp\911a54439bbc1d943c54679b2619a7bca68312141a12898c3f459e1be9e6de1f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Roaming\Yqivby\lyens.exe
    "C:\Users\Admin\AppData\Roaming\Yqivby\lyens.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa08b6268.bat"
    3⤵
    - Deletes itself
    PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa08b6268.bat

Filesize
307B

MD5
f4827eee69a90559e46602ae1e7e328c

SHA1
5dc45375ff656bf3c4561d453539c9a76e8379b0

SHA256
6db7814c5a790f00cbbf0fbd5daea7b496fc0caca5d61be4a1e019824355cd03

SHA512
e6ceb48c24340c2300b5662c68b36e6b04302a22cda953800ec1d425ec3e123f04b624cd30c4a8d192fbc7c877e06f5f4da30fa3409fb3347d199e3ce8707de5

Download Submit
C:\Users\Admin\AppData\Roaming\Axegz\yptup.oxh

Filesize
398B

MD5
473bae43db0f89235d03899560c4a985

SHA1
98dc1ecd4f489061d5e4b613e5a956ae4f59d927

SHA256
f217de020768e1e93d807b1af01f3d108cea923e24faa58e3a7ada8162033198

SHA512
d4f9a8381afcd5e0d136a74489eaacac0286478cbfb95d8f3925016036ffa00fa70df3c83d6296fd0fb6bf43a5058d518b275a90117a1fbcb63be1b7fafe2613

Download Submit
C:\Users\Admin\AppData\Roaming\Yqivby\lyens.exe

Filesize
236KB

MD5
0f57719592532b73d6bffaeb6f9ed9bc

SHA1
f20afadc043eb901fe814fb0a4e6812b24ce49c0

SHA256
49777e1cacd18563cbdcc2dff6b2cd7c0c1718607662036a9e49508dcb142665

SHA512
f26e9abc05070546d85213de4e6c3afa4f43953a3c4e099c444f2b81450ae459d728676ce1405b8b65c55312a1f4b5b9db5859a9233a0a7e45f17877aab471fe

Download Submit
C:\Users\Admin\AppData\Roaming\Yqivby\lyens.exe

Filesize
236KB

MD5
0f57719592532b73d6bffaeb6f9ed9bc

SHA1
f20afadc043eb901fe814fb0a4e6812b24ce49c0

SHA256
49777e1cacd18563cbdcc2dff6b2cd7c0c1718607662036a9e49508dcb142665

SHA512
f26e9abc05070546d85213de4e6c3afa4f43953a3c4e099c444f2b81450ae459d728676ce1405b8b65c55312a1f4b5b9db5859a9233a0a7e45f17877aab471fe

Download Submit
\Users\Admin\AppData\Roaming\Yqivby\lyens.exe

Filesize
236KB

MD5
0f57719592532b73d6bffaeb6f9ed9bc

SHA1
f20afadc043eb901fe814fb0a4e6812b24ce49c0

SHA256
49777e1cacd18563cbdcc2dff6b2cd7c0c1718607662036a9e49508dcb142665

SHA512
f26e9abc05070546d85213de4e6c3afa4f43953a3c4e099c444f2b81450ae459d728676ce1405b8b65c55312a1f4b5b9db5859a9233a0a7e45f17877aab471fe

Download Submit
\Users\Admin\AppData\Roaming\Yqivby\lyens.exe

Filesize
236KB

MD5
0f57719592532b73d6bffaeb6f9ed9bc

SHA1
f20afadc043eb901fe814fb0a4e6812b24ce49c0

SHA256
49777e1cacd18563cbdcc2dff6b2cd7c0c1718607662036a9e49508dcb142665

SHA512
f26e9abc05070546d85213de4e6c3afa4f43953a3c4e099c444f2b81450ae459d728676ce1405b8b65c55312a1f4b5b9db5859a9233a0a7e45f17877aab471fe

Download Submit
memory/468-89-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/468-93-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/584-102-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/584-84-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/584-54-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/584-58-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/584-92-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/584-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/584-90-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/584-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/584-88-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/584-87-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/584-86-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/584-85-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/812-96-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/812-105-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/812-100-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/812-99-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/812-98-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/816-117-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/816-116-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/816-115-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/816-114-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/1120-68-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1120-66-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1120-64-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1120-69-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1120-67-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1172-73-0x0000000001B40000-0x0000000001B66000-memory.dmp

Filesize
152KB

Download
memory/1172-72-0x0000000001B40000-0x0000000001B66000-memory.dmp

Filesize
152KB

Download
memory/1172-74-0x0000000001B40000-0x0000000001B66000-memory.dmp

Filesize
152KB

Download
memory/1172-75-0x0000000001B40000-0x0000000001B66000-memory.dmp

Filesize
152KB

Download
memory/1200-81-0x0000000002970000-0x0000000002996000-memory.dmp

Filesize
152KB

Download
memory/1200-78-0x0000000002970000-0x0000000002996000-memory.dmp

Filesize
152KB

Download
memory/1200-79-0x0000000002970000-0x0000000002996000-memory.dmp

Filesize
152KB

Download
memory/1200-80-0x0000000002970000-0x0000000002996000-memory.dmp

Filesize
152KB

Download
memory/1744-108-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1744-109-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1744-110-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1744-111-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download