763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc

Analysis

max time kernel
207s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Size

221KB
MD5

0b8e611a5d9820e5709dabac3728afc0
SHA1

af8a4552eb2c1accc38b2c3953b1e9b32f64527a
SHA256

763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc
SHA512

c4627ffab3314c3d26a5467f197a8762c91305d1abc1fdd89f8153fa57a0f3f4e88d05c6f7b5211152732bb5da08649912fc564e0513d8d363c543b549040459
SSDEEP

6144:w0i0DhlSlqqDLPyO06ODvcDjoG1oPKajg3GqVmnO76kL:w0i0DhlBqnGcDjoGyPKaE3Dd7XL

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	gayh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\Currentversion\Run	gayh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	gayh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doynom = "C:\\Users\\Admin\\AppData\\Roaming\\Apecm\\gayh.exe"	gayh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 4092	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	87

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Privacy	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe
316	gayh.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
Token: SeSecurityPrivilege	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 316	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	83
PID 2088 wrote to memory of 316	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	83
PID 2088 wrote to memory of 316	2088	763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe	83
PID 316 wrote to memory of 2336	316	gayh.exe	26
PID 316 wrote to memory of 2336	316	gayh.exe	26
PID 316 wrote to memory of 2336	316	gayh.exe	26
PID 316 wrote to memory of 2336	316	gayh.exe	26
PID 316 wrote to memory of 2336	316	gayh.exe	26
PID 316 wrote to memory of 2396	316	gayh.exe	56
PID 316 wrote to memory of 2396	316	gayh.exe	56
PID 316 wrote to memory of 2396	316	gayh.exe	56
PID 316 wrote to memory of 2396	316	gayh.exe	56
PID 316 wrote to memory of 2396	316	gayh.exe	56
PID 316 wrote to memory of 2500	316	gayh.exe	32
PID 316 wrote to memory of 2500	316	gayh.exe	32
PID 316 wrote to memory of 2500	316	gayh.exe	32
PID 316 wrote to memory of 2500	316	gayh.exe	32
PID 316 wrote to memory of 2500	316	gayh.exe	32
PID 316 wrote to memory of 2724	316	gayh.exe	46
PID 316 wrote to memory of 2724	316	gayh.exe	46
PID 316 wrote to memory of 2724	316	gayh.exe	46
PID 316 wrote to memory of 2724	316	gayh.exe	46
PID 316 wrote to memory of 2724	316	gayh.exe	46
PID 316 wrote to memory of 772	316	gayh.exe	45
PID 316 wrote to memory of 772	316	gayh.exe	45
PID 316 wrote to memory of 772	316	gayh.exe	45
PID 316 wrote to memory of 772	316	gayh.exe	45
PID 316 wrote to memory of 772	316	gayh.exe	45
PID 316 wrote to memory of 3264	316	gayh.exe	38
PID 316 wrote to memory of 3264	316	gayh.exe	38
PID 316 wrote to memory of 3264	316	gayh.exe	38
PID 316 wrote to memory of 3264	316	gayh.exe	38
PID 316 wrote to memory of 3264	316	gayh.exe	38
PID 316 wrote to memory of 3372	316	gayh.exe	37
PID 316 wrote to memory of 3372	316	gayh.exe	37
PID 316 wrote to memory of 3372	316	gayh.exe	37
PID 316 wrote to memory of 3372	316	gayh.exe	37
PID 316 wrote to memory of 3372	316	gayh.exe	37
PID 316 wrote to memory of 3440	316	gayh.exe	35
PID 316 wrote to memory of 3440	316	gayh.exe	35
PID 316 wrote to memory of 3440	316	gayh.exe	35
PID 316 wrote to memory of 3440	316	gayh.exe	35
PID 316 wrote to memory of 3440	316	gayh.exe	35
PID 316 wrote to memory of 3516	316	gayh.exe	36
PID 316 wrote to memory of 3516	316	gayh.exe	36
PID 316 wrote to memory of 3516	316	gayh.exe	36
PID 316 wrote to memory of 3516	316	gayh.exe	36
PID 316 wrote to memory of 3516	316	gayh.exe	36
PID 316 wrote to memory of 3628	316	gayh.exe	39
PID 316 wrote to memory of 3628	316	gayh.exe	39
PID 316 wrote to memory of 3628	316	gayh.exe	39
PID 316 wrote to memory of 3628	316	gayh.exe	39
PID 316 wrote to memory of 3628	316	gayh.exe	39
PID 316 wrote to memory of 4620	316	gayh.exe	40
PID 316 wrote to memory of 4620	316	gayh.exe	40
PID 316 wrote to memory of 4620	316	gayh.exe	40
PID 316 wrote to memory of 4620	316	gayh.exe	40
PID 316 wrote to memory of 4620	316	gayh.exe	40
PID 316 wrote to memory of 2088	316	gayh.exe	80
PID 316 wrote to memory of 2088	316	gayh.exe	80
PID 316 wrote to memory of 2088	316	gayh.exe	80
PID 316 wrote to memory of 2088	316	gayh.exe	80
PID 316 wrote to memory of 2088	316	gayh.exe	80
PID 316 wrote to memory of 4524	316	gayh.exe	82

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe
  "C:\Users\Admin\AppData\Local\Temp\763225adfc440ff496e5fb3ddfadf95057f1a20b9cd29fbefb2d72b5ab44b3fc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\Apecm\gayh.exe
    "C:\Users\Admin\AppData\Roaming\Apecm\gayh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp23803097.bat"
    3⤵
    PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3388

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Apecm\gayh.exe

Filesize
221KB

MD5
d90b8e9284de05a8f2f7cba0f82a411d

SHA1
059021d8a3374317ebed1809b6c82cb16dcc5381

SHA256
fa600ed8628b50bef53bc9c5991f8feb0606bff99b90885c8bee512fdacc3b2f

SHA512
0d2f80eb7af9f6f9f7e13d6e2ae07e37f70859095b2e677f8900a48385e73bfc34b0b035c28a9e3110ededa59f3affc7c3012d41997186aabc841529067b8720

Download Submit
C:\Users\Admin\AppData\Roaming\Apecm\gayh.exe

Filesize
221KB

MD5
d90b8e9284de05a8f2f7cba0f82a411d

SHA1
059021d8a3374317ebed1809b6c82cb16dcc5381

SHA256
fa600ed8628b50bef53bc9c5991f8feb0606bff99b90885c8bee512fdacc3b2f

SHA512
0d2f80eb7af9f6f9f7e13d6e2ae07e37f70859095b2e677f8900a48385e73bfc34b0b035c28a9e3110ededa59f3affc7c3012d41997186aabc841529067b8720

Download Submit
C:\Users\Admin\AppData\Roaming\Yxmyte\uxof.fay

Filesize
3KB

MD5
447271510aff2c59db1f45800ea180a2

SHA1
151e4f901bc34953a1eb382f3209cf84506643a6

SHA256
9adc78dc71d21614a1293672c6aae974e9f2d2da4ed50cc2d6dc1e8aeb55af02

SHA512
89e150a6170e93352404f0d7951747470a6713eba1001212249cdd4a647d798e726e813254c0d0c223965a6bdb76d9c845fe45801dc347e86295ea53263e0499

Download Submit
memory/2088-135-0x00000000021B0000-0x00000000021EB000-memory.dmp

Filesize
236KB

Download
memory/2088-139-0x00000000021B0000-0x00000000021EB000-memory.dmp

Filesize
236KB

Download
memory/4092-137-0x0000000001180000-0x00000000011BB000-memory.dmp

Filesize
236KB

Download
memory/4092-140-0x0000000001180000-0x00000000011BB000-memory.dmp

Filesize
236KB

Download
memory/4092-141-0x0000000001180000-0x00000000011BB000-memory.dmp

Filesize
236KB

Download