3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ydsa.exe

pid process

836 ydsa.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

920 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

1348 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
920	cmd.exe

pid	process
1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ydsa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ydsa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{479145D4-30A2-795B-BE43-DA13CF383B18} = "C:\\Users\\Admin\\AppData\\Roaming\\Ozymiv\\ydsa.exe"	ydsa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 1348 set thread context of 920 1348 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 1348 set thread context of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ydsa.exe

pid	process
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe
836	ydsa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeydsa.exe

description	pid	process	target process
PID 1348 wrote to memory of 836	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ydsa.exe
PID 1348 wrote to memory of 836	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ydsa.exe
PID 1348 wrote to memory of 836	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ydsa.exe
PID 1348 wrote to memory of 836	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ydsa.exe
PID 836 wrote to memory of 1124	836	ydsa.exe	taskhost.exe
PID 836 wrote to memory of 1124	836	ydsa.exe	taskhost.exe
PID 836 wrote to memory of 1124	836	ydsa.exe	taskhost.exe
PID 836 wrote to memory of 1124	836	ydsa.exe	taskhost.exe
PID 836 wrote to memory of 1124	836	ydsa.exe	taskhost.exe
PID 836 wrote to memory of 1192	836	ydsa.exe	Dwm.exe
PID 836 wrote to memory of 1192	836	ydsa.exe	Dwm.exe
PID 836 wrote to memory of 1192	836	ydsa.exe	Dwm.exe
PID 836 wrote to memory of 1192	836	ydsa.exe	Dwm.exe
PID 836 wrote to memory of 1192	836	ydsa.exe	Dwm.exe
PID 836 wrote to memory of 1268	836	ydsa.exe	Explorer.EXE
PID 836 wrote to memory of 1268	836	ydsa.exe	Explorer.EXE
PID 836 wrote to memory of 1268	836	ydsa.exe	Explorer.EXE
PID 836 wrote to memory of 1268	836	ydsa.exe	Explorer.EXE
PID 836 wrote to memory of 1268	836	ydsa.exe	Explorer.EXE
PID 836 wrote to memory of 1348	836	ydsa.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 836 wrote to memory of 1348	836	ydsa.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 836 wrote to memory of 1348	836	ydsa.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 836 wrote to memory of 1348	836	ydsa.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 836 wrote to memory of 1348	836	ydsa.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1348 wrote to memory of 920	1348	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 836 wrote to memory of 1156	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1156	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1156	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1156	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1156	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1952	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1952	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1952	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1952	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1952	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1324	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1324	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1324	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1324	836	ydsa.exe	DllHost.exe
PID 836 wrote to memory of 1324	836	ydsa.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Roaming\Ozymiv\ydsa.exe
"C:\Users\Admin\AppData\Roaming\Ozymiv\ydsa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb71d61f6.bat"
3⤵
- Deletes itself
PID:920

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb71d61f6.bat
Filesize
259B

MD5
e176fa70cb535acdebb7ea5a88c65b51

SHA1
64b4be474571f491feda23a67135b3eed12898ed

SHA256
84b16233ed0a825c6d03ce79a7dd2b1f38fa2eb961a875bace262b9a718f0158

SHA512
5ed62f638d39f07d702b8acd3c7584241e874d821e86ecb16b2946303a6740e2916e5cd53ea23c9e2ef7c4750f6ca3e15d744ccce6d5b5058665c551db4d900c

Download Submit
C:\Users\Admin\AppData\Roaming\Ongiac\ipxo.vie
Filesize
374B

MD5
13e219b91782253cbc8f33ce989a0a82

SHA1
66abe6c64f1dcb735e66430b715fa1e934fedfc0

SHA256
270a19021900a74edf6ad0caeeae6f4ff2138ffbffebc0b1406836e051e19375

SHA512
66b7c8ab956d84f23365c2bfec04c9c3774b0a87e0a194a9244a32874cabb45fa11fc59a4e844ec0ac90c3a87500562a85bba0978d231c98db10c516110c3795

Download Submit
C:\Users\Admin\AppData\Roaming\Ozymiv\ydsa.exe
Filesize
116KB

MD5
0bcbf11514a40605b8306006b715052b

SHA1
d631bf3b5b07b2667f81d00c4a5db60ecc596db5

SHA256
816a2edbf281ba8d68543cc583ad3b36a1698b16314e704d8ff516af57e12370

SHA512
a1be1f546509de8adf435706ff4c2371ef208a5783cd4dd254114b3a3d880c9f27b9ae02182c3bc7ffd58bd77df621bbd4802438efe92abfea974e757db111a5

Download Submit
C:\Users\Admin\AppData\Roaming\Ozymiv\ydsa.exe
Filesize
116KB

MD5
0bcbf11514a40605b8306006b715052b

SHA1
d631bf3b5b07b2667f81d00c4a5db60ecc596db5

SHA256
816a2edbf281ba8d68543cc583ad3b36a1698b16314e704d8ff516af57e12370

SHA512
a1be1f546509de8adf435706ff4c2371ef208a5783cd4dd254114b3a3d880c9f27b9ae02182c3bc7ffd58bd77df621bbd4802438efe92abfea974e757db111a5

Download Submit
\Users\Admin\AppData\Roaming\Ozymiv\ydsa.exe
Filesize
116KB

MD5
0bcbf11514a40605b8306006b715052b

SHA1
d631bf3b5b07b2667f81d00c4a5db60ecc596db5

SHA256
816a2edbf281ba8d68543cc583ad3b36a1698b16314e704d8ff516af57e12370

SHA512
a1be1f546509de8adf435706ff4c2371ef208a5783cd4dd254114b3a3d880c9f27b9ae02182c3bc7ffd58bd77df621bbd4802438efe92abfea974e757db111a5

Download Submit
memory/836-59-0x0000000000000000-mapping.dmp

Download
memory/836-87-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/836-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/836-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/920-102-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/920-98-0x0000000000055A36-mapping.dmp

Download
memory/920-97-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/920-95-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/920-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/920-93-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1124-68-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1124-67-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1124-63-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1124-65-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1124-66-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1156-108-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1156-106-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1156-105-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1156-107-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1192-73-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1192-72-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1192-71-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1192-74-0x0000000001AD0000-0x0000000001AF5000-memory.dmp

Filesize
148KB

Download
memory/1268-78-0x0000000002BB0000-0x0000000002BD5000-memory.dmp

Filesize
148KB

Download
memory/1268-77-0x0000000002BB0000-0x0000000002BD5000-memory.dmp

Filesize
148KB

Download
memory/1268-80-0x0000000002BB0000-0x0000000002BD5000-memory.dmp

Filesize
148KB

Download
memory/1268-79-0x0000000002BB0000-0x0000000002BD5000-memory.dmp

Filesize
148KB

Download
memory/1324-121-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1324-118-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1324-120-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1324-119-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1348-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1348-89-0x00000000003B0000-0x00000000003D5000-memory.dmp

Filesize
148KB

Download
memory/1348-83-0x00000000003B0000-0x00000000003D5000-memory.dmp

Filesize
148KB

Download
memory/1348-99-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1348-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1348-84-0x00000000003B0000-0x00000000003D5000-memory.dmp

Filesize
148KB

Download
memory/1348-85-0x00000000003B0000-0x00000000003D5000-memory.dmp

Filesize
148KB

Download
memory/1348-86-0x00000000003B0000-0x00000000003D5000-memory.dmp

Filesize
148KB

Download
memory/1348-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1348-55-0x0000000000240000-0x0000000000265000-memory.dmp

Filesize
148KB

Download
memory/1952-114-0x0000000003A60000-0x0000000003A85000-memory.dmp

Filesize
148KB

Download
memory/1952-113-0x0000000003A60000-0x0000000003A85000-memory.dmp

Filesize
148KB

Download
memory/1952-112-0x0000000003A60000-0x0000000003A85000-memory.dmp

Filesize
148KB

Download
memory/1952-111-0x0000000003A60000-0x0000000003A85000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads