3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tynu.exe

pid process

764 tynu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

304 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

1736 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
304	cmd.exe

pid	process
1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tynu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	tynu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{479145D4-30A2-795B-BE43-DA13CF383B18} = "C:\\Users\\Admin\\AppData\\Roaming\\Woycxu\\tynu.exe"	tynu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 1736 set thread context of 304 1736 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 1736 set thread context of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

tynu.exe

pid	process
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe
764	tynu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exetynu.exe

description	pid	process	target process
PID 1736 wrote to memory of 764	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	tynu.exe
PID 1736 wrote to memory of 764	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	tynu.exe
PID 1736 wrote to memory of 764	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	tynu.exe
PID 1736 wrote to memory of 764	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	tynu.exe
PID 764 wrote to memory of 1120	764	tynu.exe	taskhost.exe
PID 764 wrote to memory of 1120	764	tynu.exe	taskhost.exe
PID 764 wrote to memory of 1120	764	tynu.exe	taskhost.exe
PID 764 wrote to memory of 1120	764	tynu.exe	taskhost.exe
PID 764 wrote to memory of 1120	764	tynu.exe	taskhost.exe
PID 764 wrote to memory of 1184	764	tynu.exe	Dwm.exe
PID 764 wrote to memory of 1184	764	tynu.exe	Dwm.exe
PID 764 wrote to memory of 1184	764	tynu.exe	Dwm.exe
PID 764 wrote to memory of 1184	764	tynu.exe	Dwm.exe
PID 764 wrote to memory of 1184	764	tynu.exe	Dwm.exe
PID 764 wrote to memory of 1264	764	tynu.exe	Explorer.EXE
PID 764 wrote to memory of 1264	764	tynu.exe	Explorer.EXE
PID 764 wrote to memory of 1264	764	tynu.exe	Explorer.EXE
PID 764 wrote to memory of 1264	764	tynu.exe	Explorer.EXE
PID 764 wrote to memory of 1264	764	tynu.exe	Explorer.EXE
PID 764 wrote to memory of 1736	764	tynu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 764 wrote to memory of 1736	764	tynu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 764 wrote to memory of 1736	764	tynu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 764 wrote to memory of 1736	764	tynu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 764 wrote to memory of 1736	764	tynu.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1736 wrote to memory of 304	1736	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 764 wrote to memory of 856	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 856	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 856	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 856	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 856	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 1972	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 1972	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 1972	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 1972	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 1972	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 944	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 944	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 944	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 944	764	tynu.exe	DllHost.exe
PID 764 wrote to memory of 944	764	tynu.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Woycxu\tynu.exe
"C:\Users\Admin\AppData\Roaming\Woycxu\tynu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9d684040.bat"
3⤵
- Deletes itself
PID:304

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9d684040.bat
Filesize
259B

MD5
a21b3ae40d889b0fbd6cd40b3a8e41de

SHA1
d56961d91bd325b0640572aa06b4271deda21344

SHA256
90822b0c6771b47f22892bc5a3d5599d70d788d82fb35adcc25f5efe5bf38ef7

SHA512
48ae390e9aa53a3fb9369421ce83137875b8a7ea50903b0e4347e3461db7300d67be105b349aaaf084edbceff10bb4b5d2869b522e1589ebbd73f015e8be6b60

Download Submit
C:\Users\Admin\AppData\Roaming\Guwyu\ycowb.hyg
Filesize
374B

MD5
4bc16183e57d60a9b59ac05ad5935482

SHA1
0b94345e60ce5bb3a243df53563f7cf9576d1cc2

SHA256
35c7256ca35e440baa5a59be662204376871eac22d3b6dd13acc151e9fbadbd8

SHA512
53b453229a12a28e8156b5d689e7a7e40d64cb44bc2ab3b7e8e045e6c96b9726e076b64f547f35f53c0ba467eef26581214792a1e641f7622ef54f1fa22f33bf

Download Submit
C:\Users\Admin\AppData\Roaming\Woycxu\tynu.exe
Filesize
116KB

MD5
e7c8a1476cc6295a3921ed7121a09b6a

SHA1
55769203f2bf82881d0f675616c45159c8d7c6c1

SHA256
905895ba6d6b6502cc3500eaf41fd7aba0ce1baf5da86df5f05a9a36903ead1b

SHA512
14f80d7c27425b3d9313387b6f1ca23ae9cb0589ecfde1980f7bee892e3fe4b4c679c2ee5186e306fc96b7f23c9c209a5497ff2a52ce3e46bf6fcaca4f5c4e20

Download Submit
C:\Users\Admin\AppData\Roaming\Woycxu\tynu.exe
Filesize
116KB

MD5
e7c8a1476cc6295a3921ed7121a09b6a

SHA1
55769203f2bf82881d0f675616c45159c8d7c6c1

SHA256
905895ba6d6b6502cc3500eaf41fd7aba0ce1baf5da86df5f05a9a36903ead1b

SHA512
14f80d7c27425b3d9313387b6f1ca23ae9cb0589ecfde1980f7bee892e3fe4b4c679c2ee5186e306fc96b7f23c9c209a5497ff2a52ce3e46bf6fcaca4f5c4e20

Download Submit
\Users\Admin\AppData\Roaming\Woycxu\tynu.exe
Filesize
116KB

MD5
e7c8a1476cc6295a3921ed7121a09b6a

SHA1
55769203f2bf82881d0f675616c45159c8d7c6c1

SHA256
905895ba6d6b6502cc3500eaf41fd7aba0ce1baf5da86df5f05a9a36903ead1b

SHA512
14f80d7c27425b3d9313387b6f1ca23ae9cb0589ecfde1980f7bee892e3fe4b4c679c2ee5186e306fc96b7f23c9c209a5497ff2a52ce3e46bf6fcaca4f5c4e20

Download Submit
memory/304-100-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/304-90-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/304-92-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/304-93-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/304-94-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/304-95-0x0000000000055A36-mapping.dmp

Download
memory/764-59-0x0000000000000000-mapping.dmp

Download
memory/764-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/764-101-0x0000000000430000-0x0000000000455000-memory.dmp

Filesize
148KB

Download
memory/856-105-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/856-106-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/856-108-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/856-107-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/944-119-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/944-120-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/944-118-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/944-117-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/1120-68-0x0000000001B40000-0x0000000001B65000-memory.dmp

Filesize
148KB

Download
memory/1120-63-0x0000000001B40000-0x0000000001B65000-memory.dmp

Filesize
148KB

Download
memory/1120-65-0x0000000001B40000-0x0000000001B65000-memory.dmp

Filesize
148KB

Download
memory/1120-66-0x0000000001B40000-0x0000000001B65000-memory.dmp

Filesize
148KB

Download
memory/1120-67-0x0000000001B40000-0x0000000001B65000-memory.dmp

Filesize
148KB

Download
memory/1184-73-0x0000000000130000-0x0000000000155000-memory.dmp

Filesize
148KB

Download
memory/1184-71-0x0000000000130000-0x0000000000155000-memory.dmp

Filesize
148KB

Download
memory/1184-72-0x0000000000130000-0x0000000000155000-memory.dmp

Filesize
148KB

Download
memory/1184-74-0x0000000000130000-0x0000000000155000-memory.dmp

Filesize
148KB

Download
memory/1264-78-0x0000000002160000-0x0000000002185000-memory.dmp

Filesize
148KB

Download
memory/1264-79-0x0000000002160000-0x0000000002185000-memory.dmp

Filesize
148KB

Download
memory/1264-80-0x0000000002160000-0x0000000002185000-memory.dmp

Filesize
148KB

Download
memory/1264-77-0x0000000002160000-0x0000000002185000-memory.dmp

Filesize
148KB

Download
memory/1736-84-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1736-86-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1736-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1736-96-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1736-83-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1736-97-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1736-55-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1736-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1736-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1736-85-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1972-114-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1972-113-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1972-112-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download
memory/1972-111-0x0000000003B70000-0x0000000003B95000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads