3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

utywi.exe

pid process

672 utywi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1176 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

576 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
1176	cmd.exe

pid	process
576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

utywi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	utywi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{07485E54-30A2-795B-6989-374937CFD642} = "C:\\Users\\Admin\\AppData\\Roaming\\Waihiw\\utywi.exe"	utywi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 576 set thread context of 1176 576 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 576 set thread context of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

utywi.exe

pid	process
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe
672	utywi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeutywi.exe

description	pid	process	target process
PID 576 wrote to memory of 672	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	utywi.exe
PID 576 wrote to memory of 672	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	utywi.exe
PID 576 wrote to memory of 672	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	utywi.exe
PID 576 wrote to memory of 672	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	utywi.exe
PID 672 wrote to memory of 1128	672	utywi.exe	taskhost.exe
PID 672 wrote to memory of 1128	672	utywi.exe	taskhost.exe
PID 672 wrote to memory of 1128	672	utywi.exe	taskhost.exe
PID 672 wrote to memory of 1128	672	utywi.exe	taskhost.exe
PID 672 wrote to memory of 1128	672	utywi.exe	taskhost.exe
PID 672 wrote to memory of 1180	672	utywi.exe	Dwm.exe
PID 672 wrote to memory of 1180	672	utywi.exe	Dwm.exe
PID 672 wrote to memory of 1180	672	utywi.exe	Dwm.exe
PID 672 wrote to memory of 1180	672	utywi.exe	Dwm.exe
PID 672 wrote to memory of 1180	672	utywi.exe	Dwm.exe
PID 672 wrote to memory of 1232	672	utywi.exe	Explorer.EXE
PID 672 wrote to memory of 1232	672	utywi.exe	Explorer.EXE
PID 672 wrote to memory of 1232	672	utywi.exe	Explorer.EXE
PID 672 wrote to memory of 1232	672	utywi.exe	Explorer.EXE
PID 672 wrote to memory of 1232	672	utywi.exe	Explorer.EXE
PID 672 wrote to memory of 576	672	utywi.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 672 wrote to memory of 576	672	utywi.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 672 wrote to memory of 576	672	utywi.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 672 wrote to memory of 576	672	utywi.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 672 wrote to memory of 576	672	utywi.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 576 wrote to memory of 1176	576	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 672 wrote to memory of 688	672	utywi.exe	conhost.exe
PID 672 wrote to memory of 688	672	utywi.exe	conhost.exe
PID 672 wrote to memory of 688	672	utywi.exe	conhost.exe
PID 672 wrote to memory of 688	672	utywi.exe	conhost.exe
PID 672 wrote to memory of 688	672	utywi.exe	conhost.exe
PID 672 wrote to memory of 1060	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 1060	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 1060	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 1060	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 1060	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 468	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 468	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 468	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 468	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 468	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 916	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 916	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 916	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 916	672	utywi.exe	DllHost.exe
PID 672 wrote to memory of 916	672	utywi.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Waihiw\utywi.exe
"C:\Users\Admin\AppData\Roaming\Waihiw\utywi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbb14a242.bat"
3⤵
- Deletes itself
PID:1176

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1517510178-55249343711145101207557165259333975312404730021179678755-1251756109"
1⤵
PID:688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbb14a242.bat
Filesize
259B

MD5
5558d13cef2fe8c8c221df1c28585335

SHA1
173d37ce89562a165f511e6e03ad5ac2e8edee75

SHA256
ec9afe12d0d848e1595cbe065a6ee6ed46b8cf708188f90e7edc8dac4e0a9b26

SHA512
aa10b7592abc89ddc356acdab92db574103c97acfee8bcb7b9cacddfd9a07bbebed083d7118cb0788aad8fdc08a1e9f751d7ec51620da949862de20ab4dd2fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Waihiw\utywi.exe
Filesize
116KB

MD5
bb8349722dde39368b374bca0025a636

SHA1
f476865bb898dc7e91a5d8e4a731327cae5b0bb0

SHA256
2d34a2d3434f536fd43c3db64fa4294707b5def8c9d9a71565b0a5ca27a6821a

SHA512
d59761057fa96213fd79ca240adc58be1074a801404e3711361c8fc3a386b1be8b6cffac27abd1bba12e72eecfdcee0db46d5fb3ac641c896ed1697d021a1e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Waihiw\utywi.exe
Filesize
116KB

MD5
bb8349722dde39368b374bca0025a636

SHA1
f476865bb898dc7e91a5d8e4a731327cae5b0bb0

SHA256
2d34a2d3434f536fd43c3db64fa4294707b5def8c9d9a71565b0a5ca27a6821a

SHA512
d59761057fa96213fd79ca240adc58be1074a801404e3711361c8fc3a386b1be8b6cffac27abd1bba12e72eecfdcee0db46d5fb3ac641c896ed1697d021a1e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Yrri\tevu.aze
Filesize
374B

MD5
8d50448d191b85cbfe21d14e313fc16a

SHA1
4a4795caec637992da32e829db6bc02ced453944

SHA256
8b615dd9748595ab77289baa71b27e67da2fa5013de90d1f0bbf52df2b8e85a7

SHA512
5328724c809e89fe3052d2dfbf434cbcfa42b673d01c467da8dbf04344faca5ec108e76ae6c6c3a8e257208317cd9b943d8bd66f4f6fe6af4c98e413d88760ab

Download Submit
\Users\Admin\AppData\Roaming\Waihiw\utywi.exe
Filesize
116KB

MD5
bb8349722dde39368b374bca0025a636

SHA1
f476865bb898dc7e91a5d8e4a731327cae5b0bb0

SHA256
2d34a2d3434f536fd43c3db64fa4294707b5def8c9d9a71565b0a5ca27a6821a

SHA512
d59761057fa96213fd79ca240adc58be1074a801404e3711361c8fc3a386b1be8b6cffac27abd1bba12e72eecfdcee0db46d5fb3ac641c896ed1697d021a1e1b

Download Submit
memory/468-123-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/468-122-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/468-121-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/468-120-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/576-86-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/576-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/576-101-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/576-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/576-99-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/576-55-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/576-89-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/576-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/672-98-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/672-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/672-87-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/672-59-0x0000000000000000-mapping.dmp

Download
memory/688-107-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/688-105-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/688-106-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/688-104-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/916-128-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/916-129-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/916-127-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/916-126-0x0000000000300000-0x0000000000325000-memory.dmp

Filesize
148KB

Download
memory/1060-117-0x0000000000100000-0x0000000000125000-memory.dmp

Filesize
148KB

Download
memory/1060-116-0x0000000000100000-0x0000000000125000-memory.dmp

Filesize
148KB

Download
memory/1060-115-0x0000000000100000-0x0000000000125000-memory.dmp

Filesize
148KB

Download
memory/1060-114-0x0000000000100000-0x0000000000125000-memory.dmp

Filesize
148KB

Download
memory/1128-68-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1128-67-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1128-66-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1128-65-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1128-63-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/1176-109-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-111-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-97-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-92-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-94-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1176-100-0x0000000000055A36-mapping.dmp

Download
memory/1180-74-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1180-71-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1180-72-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1180-73-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1232-80-0x00000000029B0000-0x00000000029D5000-memory.dmp

Filesize
148KB

Download
memory/1232-77-0x00000000029B0000-0x00000000029D5000-memory.dmp

Filesize
148KB

Download
memory/1232-78-0x00000000029B0000-0x00000000029D5000-memory.dmp

Filesize
148KB

Download
memory/1232-79-0x00000000029B0000-0x00000000029D5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads