cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
Size

244KB
MD5

1170f916e6936acf12104d0d9cffe1a2
SHA1

ff0521f4d69f881b4fa02969a31566eedefa8395
SHA256

cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801
SHA512

e8194b5a8e74c631a9baa8c2aa3475511288eb456c5a715b7f8552546e17577e318cb86d4f0c5b140201274c4d9e7438ff4ad632cabcffd97c3baf54b0078354
SSDEEP

6144:O+Ba3zA0qjRc4KSxjcaqfZlIXQkFtI+aZWi0vE:bBoOtc4KSjcaqfZlSXnI+aZW0

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cy70EmV6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dueyom.exe

Executes dropped EXE 8 IoCs

pid	Process
936	cy70EmV6.exe
1292	dueyom.exe
1736	2kua.exe
964	2kua.exe
376	2kua.exe
1472	2kua.exe
576	2kua.exe
1752	3kua.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/964-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/964-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/964-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/376-92-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/964-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/376-95-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/964-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/376-97-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/376-104-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/376-106-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1472-107-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1472-108-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1472-109-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/576-115-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1472-113-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1472-118-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/576-117-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/576-119-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/576-126-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/576-127-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/576-131-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/964-132-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/376-133-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1472-134-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/964-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/376-142-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
972	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
936	cy70EmV6.exe
936	cy70EmV6.exe
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /B"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /N"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /m"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /A"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /O"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /c"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /V"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /v"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /p"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /Q"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /l"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /a"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /w"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /M"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /X"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /q"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /j"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /g"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /Y"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /Z"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /z"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /n"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /o"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /I"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /h"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /b"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /G"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /i"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /R"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /y"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /K"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /H"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /s"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /C"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /f"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /L"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /e"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /J"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /T"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /P"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /W"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /t"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /U"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /k"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /r"	dueyom.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cy70EmV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /D"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /S"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /V"	cy70EmV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /x"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /E"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /F"	dueyom.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /d"	dueyom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dueyom = "C:\\Users\\Admin\\dueyom.exe /u"	dueyom.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2kua.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2kua.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 964	1736	2kua.exe	32
PID 1736 set thread context of 376	1736	2kua.exe	33
PID 1736 set thread context of 1472	1736	2kua.exe	35
PID 1736 set thread context of 576	1736	2kua.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1796	tasklist.exe
896	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	3kua.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
936	cy70EmV6.exe
936	cy70EmV6.exe
376	2kua.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
376	2kua.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe
1292	dueyom.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeDebugPrivilege	896	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
936	cy70EmV6.exe
1292	dueyom.exe
1736	2kua.exe
964	2kua.exe
1472	2kua.exe
576	2kua.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 936	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	27
PID 1368 wrote to memory of 936	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	27
PID 1368 wrote to memory of 936	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	27
PID 1368 wrote to memory of 936	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	27
PID 936 wrote to memory of 1292	936	cy70EmV6.exe	28
PID 936 wrote to memory of 1292	936	cy70EmV6.exe	28
PID 936 wrote to memory of 1292	936	cy70EmV6.exe	28
PID 936 wrote to memory of 1292	936	cy70EmV6.exe	28
PID 936 wrote to memory of 616	936	cy70EmV6.exe	29
PID 936 wrote to memory of 616	936	cy70EmV6.exe	29
PID 936 wrote to memory of 616	936	cy70EmV6.exe	29
PID 936 wrote to memory of 616	936	cy70EmV6.exe	29
PID 1368 wrote to memory of 1736	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	30
PID 1368 wrote to memory of 1736	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	30
PID 1368 wrote to memory of 1736	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	30
PID 1368 wrote to memory of 1736	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	30
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 964	1736	2kua.exe	32
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 616 wrote to memory of 1796	616	cmd.exe	34
PID 616 wrote to memory of 1796	616	cmd.exe	34
PID 616 wrote to memory of 1796	616	cmd.exe	34
PID 616 wrote to memory of 1796	616	cmd.exe	34
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 376	1736	2kua.exe	33
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 1472	1736	2kua.exe	35
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1736 wrote to memory of 576	1736	2kua.exe	36
PID 1368 wrote to memory of 1752	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	37
PID 1368 wrote to memory of 1752	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	37
PID 1368 wrote to memory of 1752	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	37
PID 1368 wrote to memory of 1752	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	37
PID 1292 wrote to memory of 1796	1292	dueyom.exe	34
PID 1292 wrote to memory of 1796	1292	dueyom.exe	34
PID 1368 wrote to memory of 972	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	39
PID 1368 wrote to memory of 972	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	39
PID 1368 wrote to memory of 972	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	39
PID 1368 wrote to memory of 972	1368	cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe	39
PID 972 wrote to memory of 896	972	cmd.exe	41
PID 972 wrote to memory of 896	972	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
"C:\Users\Admin\AppData\Local\Temp\cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\cy70EmV6.exe
  C:\Users\Admin\cy70EmV6.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\dueyom.exe
    "C:\Users\Admin\dueyom.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del cy70EmV6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1796
- C:\Users\Admin\2kua.exe
  C:\Users\Admin\2kua.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\2kua.exe
    "C:\Users\Admin\2kua.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Users\Admin\2kua.exe
    "C:\Users\Admin\2kua.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:376
- - C:\Users\Admin\2kua.exe
    "C:\Users\Admin\2kua.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1472
- - C:\Users\Admin\2kua.exe
    "C:\Users\Admin\2kua.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:576
- C:\Users\Admin\3kua.exe
  C:\Users\Admin\3kua.exe
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del cb7f52cd207598d5a3a72e3f86d35c493f562ef4bf02368609667c0a4dd48801.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
C:\Users\Admin\3kua.exe

Filesize
39KB

MD5
2e7ffefb1aa2f3cfd394886b4d825206

SHA1
c09401b54ec9eb82e6f931e117f218c0dbba2d11

SHA256
d21884af92a77968b379be4d50d37dbcf13212aba989a1fae1737e0f6823719f

SHA512
814ef71d67bd243faec482ce0696363fe1bc129d0b11cecddf97d1dc7bb9c222eca2cf72814916167552baf1ea1ae460e5ae071f4f292a2de4fe94e49b154ef4

Download Submit
C:\Users\Admin\cy70EmV6.exe

Filesize
156KB

MD5
fd068f54698e065d71d97c0409ce76ec

SHA1
22b502115bbd5a12002d2046a57618535ef0d386

SHA256
e875c6efd68018cae15a5046d24eaccc86b4be7b741e75863f2f365914824f46

SHA512
da9ef7ef7b9a9ae05b159468614349f8df8d075fc125c384bace44fdd6cdc8436bcf2644517f9d340a30151d707471f0c4d987ce0cb2420cd9c68a9dcdbd5853

Download Submit
C:\Users\Admin\cy70EmV6.exe

Filesize
156KB

MD5
fd068f54698e065d71d97c0409ce76ec

SHA1
22b502115bbd5a12002d2046a57618535ef0d386

SHA256
e875c6efd68018cae15a5046d24eaccc86b4be7b741e75863f2f365914824f46

SHA512
da9ef7ef7b9a9ae05b159468614349f8df8d075fc125c384bace44fdd6cdc8436bcf2644517f9d340a30151d707471f0c4d987ce0cb2420cd9c68a9dcdbd5853

Download Submit
C:\Users\Admin\dueyom.exe

Filesize
156KB

MD5
d220ec956103bf246f8940eb29da2fe6

SHA1
7ecb1d02e6cf5f0d9f91c46cf756a6fb03bd38e9

SHA256
367894d151a56d161a25e28bf884502b17305161234ad1b71bddcba12d065c97

SHA512
ddfc2e950f7872e127d08de7660dd5264b093395743d60590fb3df19fe247d413d33debdb830c5fe7adad436c160fb54e37ef85ba813cfb8c6061bf3fb1513f1

Download Submit
C:\Users\Admin\dueyom.exe

Filesize
156KB

MD5
d220ec956103bf246f8940eb29da2fe6

SHA1
7ecb1d02e6cf5f0d9f91c46cf756a6fb03bd38e9

SHA256
367894d151a56d161a25e28bf884502b17305161234ad1b71bddcba12d065c97

SHA512
ddfc2e950f7872e127d08de7660dd5264b093395743d60590fb3df19fe247d413d33debdb830c5fe7adad436c160fb54e37ef85ba813cfb8c6061bf3fb1513f1

Download Submit
\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
\Users\Admin\2kua.exe

Filesize
124KB

MD5
fc7b0b59d12bd90f35ad7039ad4ef0b3

SHA1
773ac4373e459930d59d8630f79657ba8e60ea9f

SHA256
a039610bd18552fc39b3c2b8f67deef6ab9635e951fbb28a905f3bd5b5fd10bc

SHA512
48c553c2fb8da4074830a3f06ac9b298aec8912223d5a44fd25f6b032c7ca05a9c14f4b3d0423648c330fa4b474480050c5fe97ed5414bbc493138b15921a8f9

Download Submit
\Users\Admin\3kua.exe

Filesize
39KB

MD5
2e7ffefb1aa2f3cfd394886b4d825206

SHA1
c09401b54ec9eb82e6f931e117f218c0dbba2d11

SHA256
d21884af92a77968b379be4d50d37dbcf13212aba989a1fae1737e0f6823719f

SHA512
814ef71d67bd243faec482ce0696363fe1bc129d0b11cecddf97d1dc7bb9c222eca2cf72814916167552baf1ea1ae460e5ae071f4f292a2de4fe94e49b154ef4

Download Submit
\Users\Admin\3kua.exe

Filesize
39KB

MD5
2e7ffefb1aa2f3cfd394886b4d825206

SHA1
c09401b54ec9eb82e6f931e117f218c0dbba2d11

SHA256
d21884af92a77968b379be4d50d37dbcf13212aba989a1fae1737e0f6823719f

SHA512
814ef71d67bd243faec482ce0696363fe1bc129d0b11cecddf97d1dc7bb9c222eca2cf72814916167552baf1ea1ae460e5ae071f4f292a2de4fe94e49b154ef4

Download Submit
\Users\Admin\cy70EmV6.exe

Filesize
156KB

MD5
fd068f54698e065d71d97c0409ce76ec

SHA1
22b502115bbd5a12002d2046a57618535ef0d386

SHA256
e875c6efd68018cae15a5046d24eaccc86b4be7b741e75863f2f365914824f46

SHA512
da9ef7ef7b9a9ae05b159468614349f8df8d075fc125c384bace44fdd6cdc8436bcf2644517f9d340a30151d707471f0c4d987ce0cb2420cd9c68a9dcdbd5853

Download Submit
\Users\Admin\cy70EmV6.exe

Filesize
156KB

MD5
fd068f54698e065d71d97c0409ce76ec

SHA1
22b502115bbd5a12002d2046a57618535ef0d386

SHA256
e875c6efd68018cae15a5046d24eaccc86b4be7b741e75863f2f365914824f46

SHA512
da9ef7ef7b9a9ae05b159468614349f8df8d075fc125c384bace44fdd6cdc8436bcf2644517f9d340a30151d707471f0c4d987ce0cb2420cd9c68a9dcdbd5853

Download Submit
\Users\Admin\dueyom.exe

Filesize
156KB

MD5
d220ec956103bf246f8940eb29da2fe6

SHA1
7ecb1d02e6cf5f0d9f91c46cf756a6fb03bd38e9

SHA256
367894d151a56d161a25e28bf884502b17305161234ad1b71bddcba12d065c97

SHA512
ddfc2e950f7872e127d08de7660dd5264b093395743d60590fb3df19fe247d413d33debdb830c5fe7adad436c160fb54e37ef85ba813cfb8c6061bf3fb1513f1

Download Submit
\Users\Admin\dueyom.exe

Filesize
156KB

MD5
d220ec956103bf246f8940eb29da2fe6

SHA1
7ecb1d02e6cf5f0d9f91c46cf756a6fb03bd38e9

SHA256
367894d151a56d161a25e28bf884502b17305161234ad1b71bddcba12d065c97

SHA512
ddfc2e950f7872e127d08de7660dd5264b093395743d60590fb3df19fe247d413d33debdb830c5fe7adad436c160fb54e37ef85ba813cfb8c6061bf3fb1513f1

Download Submit
memory/376-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-106-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-114-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-115-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-131-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-127-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-126-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-119-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/576-117-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/964-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1368-57-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1368-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1368-144-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1472-134-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-105-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-108-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-107-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-118-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-113-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1472-109-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1752-140-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/1752-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download