ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a

Analysis

max time kernel
186s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe
Size

313KB
MD5

eadb3bf1c491a14b11ea029ee995c89d
SHA1

d6a35ac9a12a9b2f3d63c3a42dcb795032bf35d1
SHA256

ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a
SHA512

aab6bc5c621e21122b37d214a6178d14f3ce1801d06dc265cd8396fa7c3ab5691d7340e32e637aa54f6e7ed3e36e92a6e1e3d337107f31433d230d4cced01a4f
SSDEEP

6144:yzjGe0QzQTyVrO+mDiKpMSIqmUKtwj5+nHNs9RsiYsyiRO3VZNZY:yPYQcTUqBDigRdmUQ8QXOOnNZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	ykifha.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ykifha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ykifha = "C:\\Users\\Admin\\AppData\\Roaming\\Uwxue\\ykifha.exe"	ykifha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 4128	684	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	81

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe
2828	ykifha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2828	684	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	80
PID 684 wrote to memory of 2828	684	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	80
PID 684 wrote to memory of 2828	684	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	80
PID 2828 wrote to memory of 2432	2828	ykifha.exe	44
PID 2828 wrote to memory of 2432	2828	ykifha.exe	44
PID 2828 wrote to memory of 2432	2828	ykifha.exe	44
PID 2828 wrote to memory of 2432	2828	ykifha.exe	44
PID 2828 wrote to memory of 2432	2828	ykifha.exe	44
PID 2828 wrote to memory of 2452	2828	ykifha.exe	45
PID 2828 wrote to memory of 2452	2828	ykifha.exe	45
PID 2828 wrote to memory of 2452	2828	ykifha.exe	45
PID 2828 wrote to memory of 2452	2828	ykifha.exe	45
PID 2828 wrote to memory of 2452	2828	ykifha.exe	45
PID 2828 wrote to memory of 2720	2828	ykifha.exe	60
PID 2828 wrote to memory of 2720	2828	ykifha.exe	60
PID 2828 wrote to memory of 2720	2828	ykifha.exe	60
PID 2828 wrote to memory of 2720	2828	ykifha.exe	60
PID 2828 wrote to memory of 2720	2828	ykifha.exe	60
PID 2828 wrote to memory of 3064	2828	ykifha.exe	57
PID 2828 wrote to memory of 3064	2828	ykifha.exe	57
PID 2828 wrote to memory of 3064	2828	ykifha.exe	57
PID 2828 wrote to memory of 3064	2828	ykifha.exe	57
PID 2828 wrote to memory of 3064	2828	ykifha.exe	57
PID 2828 wrote to memory of 2984	2828	ykifha.exe	56
PID 2828 wrote to memory of 2984	2828	ykifha.exe	56
PID 2828 wrote to memory of 2984	2828	ykifha.exe	56
PID 2828 wrote to memory of 2984	2828	ykifha.exe	56
PID 2828 wrote to memory of 2984	2828	ykifha.exe	56
PID 2828 wrote to memory of 3260	2828	ykifha.exe	47
PID 2828 wrote to memory of 3260	2828	ykifha.exe	47
PID 2828 wrote to memory of 3260	2828	ykifha.exe	47
PID 2828 wrote to memory of 3260	2828	ykifha.exe	47
PID 2828 wrote to memory of 3260	2828	ykifha.exe	47
PID 2828 wrote to memory of 3360	2828	ykifha.exe	54
PID 2828 wrote to memory of 3360	2828	ykifha.exe	54
PID 2828 wrote to memory of 3360	2828	ykifha.exe	54
PID 2828 wrote to memory of 3360	2828	ykifha.exe	54
PID 2828 wrote to memory of 3360	2828	ykifha.exe	54
PID 2828 wrote to memory of 3428	2828	ykifha.exe	48
PID 2828 wrote to memory of 3428	2828	ykifha.exe	48
PID 2828 wrote to memory of 3428	2828	ykifha.exe	48
PID 2828 wrote to memory of 3428	2828	ykifha.exe	48
PID 2828 wrote to memory of 3428	2828	ykifha.exe	48
PID 2828 wrote to memory of 3512	2828	ykifha.exe	50
PID 2828 wrote to memory of 3512	2828	ykifha.exe	50
PID 2828 wrote to memory of 3512	2828	ykifha.exe	50
PID 2828 wrote to memory of 3512	2828	ykifha.exe	50
PID 2828 wrote to memory of 3512	2828	ykifha.exe	50
PID 2828 wrote to memory of 3668	2828	ykifha.exe	49
PID 2828 wrote to memory of 3668	2828	ykifha.exe	49
PID 2828 wrote to memory of 3668	2828	ykifha.exe	49
PID 2828 wrote to memory of 3668	2828	ykifha.exe	49
PID 2828 wrote to memory of 3668	2828	ykifha.exe	49
PID 2828 wrote to memory of 4800	2828	ykifha.exe	53
PID 2828 wrote to memory of 4800	2828	ykifha.exe	53
PID 2828 wrote to memory of 4800	2828	ykifha.exe	53
PID 2828 wrote to memory of 4800	2828	ykifha.exe	53
PID 2828 wrote to memory of 4800	2828	ykifha.exe	53
PID 2828 wrote to memory of 684	2828	ykifha.exe	78
PID 2828 wrote to memory of 684	2828	ykifha.exe	78
PID 2828 wrote to memory of 684	2828	ykifha.exe	78
PID 2828 wrote to memory of 684	2828	ykifha.exe	78
PID 2828 wrote to memory of 684	2828	ykifha.exe	78
PID 684 wrote to memory of 4128	684	ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe	81

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe
  "C:\Users\Admin\AppData\Local\Temp\ff9685611993f987520cac9180f8b49afbb84adc109bfc912712254b85b5094a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Roaming\Uwxue\ykifha.exe
    "C:\Users\Admin\AppData\Roaming\Uwxue\ykifha.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\KJLDA83.bat"
    3⤵
    PID:4128

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KJLDA83.bat

Filesize
303B

MD5
00764bff8f58987233e546188b888a77

SHA1
844268dab5b15ffac7bcd04c5a9e2a354692d913

SHA256
4745fb514094c63fe452b9cdfd7ea6a30d2fc944df16792c3e3c9689499d4051

SHA512
41afe281cf263a1d71f52acd8272b142aa839b721c03a206efd1ed515a3b535a75bb1cc198924f63bd69513631d50e9728049c615a036fffa7a440ef0beb7cd6

Download Submit
C:\Users\Admin\AppData\Roaming\Uwxue\ykifha.exe

Filesize
313KB

MD5
f4449c43f176be0bcf9ad88c29834c10

SHA1
83d32e0bae8ae147a619a20acddced32716cbadd

SHA256
91600d4bc114082e192a85ac84c4841e6dcbee7ab5d1b36d47a28422975f620b

SHA512
cb86d775661b469b1204345a1e8446cc5c89dbe5e124297015f8bf4154684672efa7ccd6032dec8c653dfc8ea32fdd11843e96c5e3f460a97f071b77e5bdcd3c

Download Submit
C:\Users\Admin\AppData\Roaming\Uwxue\ykifha.exe

Filesize
313KB

MD5
f4449c43f176be0bcf9ad88c29834c10

SHA1
83d32e0bae8ae147a619a20acddced32716cbadd

SHA256
91600d4bc114082e192a85ac84c4841e6dcbee7ab5d1b36d47a28422975f620b

SHA512
cb86d775661b469b1204345a1e8446cc5c89dbe5e124297015f8bf4154684672efa7ccd6032dec8c653dfc8ea32fdd11843e96c5e3f460a97f071b77e5bdcd3c

Download Submit
memory/684-145-0x0000000000A70000-0x0000000000AB9000-memory.dmp

Filesize
292KB

Download
memory/684-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-132-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/684-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/2828-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4128-147-0x0000000000D70000-0x0000000000DB9000-memory.dmp

Filesize
292KB

Download
memory/4128-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4128-155-0x0000000000D70000-0x0000000000DB9000-memory.dmp

Filesize
292KB

Download