3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd

General

Target

5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Size

116KB
MD5

21102185c207602505d45019f5d782b9
SHA1

5dab5108857805f7535aaf5b8cb54ba289827e61
SHA256

3edf6c1c8d5cdde00dc21d20523fc815816165d951cea34ff2ebcd6f00b16ffd
SHA512

0e23dc3ad9171c86a74f58452d8b7871a147b3d1cdd4550df93bf5c74b1a3661e76da106b1f6ea9b080b2f7cec4d66ba8f1cffbf757d049ed5f1a0c68dcbe247
SSDEEP

3072:77Z/40Gq94BICd5X2NShaMJ0ejq6+l0Yt2EKL4niDjd:7z4BjdqMaoHB194Gx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ycisy.exe

pid process

752 ycisy.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

920 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid process

1512 5dab5108857805f7535aaf5b8cb54ba289827e61.exe

pid	process
920	cmd.exe

pid	process
1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ycisy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ycisy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{479145D4-30A2-795B-BE43-DA13CF383B18} = "C:\\Users\\Admin\\AppData\\Roaming\\Ritoa\\ycisy.exe"	ycisy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description pid process target process

PID 1512 set thread context of 920 1512 5dab5108857805f7535aaf5b8cb54ba289827e61.exe cmd.exe

description	pid	process	target process
PID 1512 set thread context of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

ycisy.exe

pid	process
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe
752	ycisy.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exe

description	pid	process
Token: SeSecurityPrivilege	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
Token: SeSecurityPrivilege	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5dab5108857805f7535aaf5b8cb54ba289827e61.exeycisy.exe

description	pid	process	target process
PID 1512 wrote to memory of 752	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ycisy.exe
PID 1512 wrote to memory of 752	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ycisy.exe
PID 1512 wrote to memory of 752	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ycisy.exe
PID 1512 wrote to memory of 752	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	ycisy.exe
PID 752 wrote to memory of 1140	752	ycisy.exe	taskhost.exe
PID 752 wrote to memory of 1140	752	ycisy.exe	taskhost.exe
PID 752 wrote to memory of 1140	752	ycisy.exe	taskhost.exe
PID 752 wrote to memory of 1140	752	ycisy.exe	taskhost.exe
PID 752 wrote to memory of 1140	752	ycisy.exe	taskhost.exe
PID 752 wrote to memory of 1228	752	ycisy.exe	Dwm.exe
PID 752 wrote to memory of 1228	752	ycisy.exe	Dwm.exe
PID 752 wrote to memory of 1228	752	ycisy.exe	Dwm.exe
PID 752 wrote to memory of 1228	752	ycisy.exe	Dwm.exe
PID 752 wrote to memory of 1228	752	ycisy.exe	Dwm.exe
PID 752 wrote to memory of 1284	752	ycisy.exe	Explorer.EXE
PID 752 wrote to memory of 1284	752	ycisy.exe	Explorer.EXE
PID 752 wrote to memory of 1284	752	ycisy.exe	Explorer.EXE
PID 752 wrote to memory of 1284	752	ycisy.exe	Explorer.EXE
PID 752 wrote to memory of 1284	752	ycisy.exe	Explorer.EXE
PID 752 wrote to memory of 1512	752	ycisy.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 752 wrote to memory of 1512	752	ycisy.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 752 wrote to memory of 1512	752	ycisy.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 752 wrote to memory of 1512	752	ycisy.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 752 wrote to memory of 1512	752	ycisy.exe	5dab5108857805f7535aaf5b8cb54ba289827e61.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 1512 wrote to memory of 920	1512	5dab5108857805f7535aaf5b8cb54ba289827e61.exe	cmd.exe
PID 752 wrote to memory of 1080	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1080	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1080	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1080	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1080	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1396	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1396	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1396	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1396	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1396	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1772	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1772	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1772	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1772	752	ycisy.exe	DllHost.exe
PID 752 wrote to memory of 1772	752	ycisy.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe
"C:\Users\Admin\AppData\Local\Temp\5dab5108857805f7535aaf5b8cb54ba289827e61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\Ritoa\ycisy.exe
"C:\Users\Admin\AppData\Roaming\Ritoa\ycisy.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6d2367eb.bat"
2⤵
- Deletes itself
PID:920

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6d2367eb.bat
Filesize
259B

MD5
c6daae366240434fad03b195c83543ec

SHA1
f8d1d33af0b8eb6dc602584efc13b068d0175ec5

SHA256
81592dd963b925e217bf92387c756b3980d93143a9ca6b5348fa651f3c3fe406

SHA512
a6ab0b63e1f1c14fc002ce3ea59749d6487e266aab19647580e2c1bef9bc04f7ed52955b09cd926fd0348c0642955807587a462b26dc8311a1f8c8922e1ac78a

Download Submit
C:\Users\Admin\AppData\Roaming\Navu\deqax.uti
Filesize
374B

MD5
ce5714537eeeaa66d3a3404b1d6f02ef

SHA1
28da8e30980bfa3106df771f104153e783120e32

SHA256
f5bd9d20db8e8517b7aaf2b58a4e68ace82d9c9abfdae07172d16f79cb009a49

SHA512
e7b1683aedf1c32c412fcccf0e5b9475032facd61cff5f4ce07205d2e35b534d2857466d34c89fbefdb8d6aef93ea2a8b70520390bffa224f8a74f676bfbcfa4

Download Submit
C:\Users\Admin\AppData\Roaming\Ritoa\ycisy.exe
Filesize
116KB

MD5
23733ff915e3edb9ee7a640fe2022ce8

SHA1
ee1e656a929d8e83ecbae4c88657c1b955e34a5e

SHA256
913eb583276a6c56c36d9d48cda39dc2c1df522accad1ee76f22996edf42d27f

SHA512
c06fca04e63d20c9a53a3fbb81731de0a6bb1ae20e39dc0dda35c666be0ac6c6165a679f343bc18034e3172600c7ad7176cc86c6505c5629f84a6c7d0dd6cdde

Download Submit
C:\Users\Admin\AppData\Roaming\Ritoa\ycisy.exe
Filesize
116KB

MD5
23733ff915e3edb9ee7a640fe2022ce8

SHA1
ee1e656a929d8e83ecbae4c88657c1b955e34a5e

SHA256
913eb583276a6c56c36d9d48cda39dc2c1df522accad1ee76f22996edf42d27f

SHA512
c06fca04e63d20c9a53a3fbb81731de0a6bb1ae20e39dc0dda35c666be0ac6c6165a679f343bc18034e3172600c7ad7176cc86c6505c5629f84a6c7d0dd6cdde

Download Submit
\Users\Admin\AppData\Roaming\Ritoa\ycisy.exe
Filesize
116KB

MD5
23733ff915e3edb9ee7a640fe2022ce8

SHA1
ee1e656a929d8e83ecbae4c88657c1b955e34a5e

SHA256
913eb583276a6c56c36d9d48cda39dc2c1df522accad1ee76f22996edf42d27f

SHA512
c06fca04e63d20c9a53a3fbb81731de0a6bb1ae20e39dc0dda35c666be0ac6c6165a679f343bc18034e3172600c7ad7176cc86c6505c5629f84a6c7d0dd6cdde

Download Submit
memory/752-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/752-87-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/752-59-0x0000000000000000-mapping.dmp

Download
memory/920-97-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/920-102-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/920-98-0x00000000001B5A36-mapping.dmp

Download
memory/920-96-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/920-95-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/920-93-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/1080-105-0x0000000000110000-0x0000000000135000-memory.dmp

Filesize
148KB

Download
memory/1080-106-0x0000000000110000-0x0000000000135000-memory.dmp

Filesize
148KB

Download
memory/1080-107-0x0000000000110000-0x0000000000135000-memory.dmp

Filesize
148KB

Download
memory/1080-108-0x0000000000110000-0x0000000000135000-memory.dmp

Filesize
148KB

Download
memory/1140-68-0x0000000001D30000-0x0000000001D55000-memory.dmp

Filesize
148KB

Download
memory/1140-66-0x0000000001D30000-0x0000000001D55000-memory.dmp

Filesize
148KB

Download
memory/1140-65-0x0000000001D30000-0x0000000001D55000-memory.dmp

Filesize
148KB

Download
memory/1140-67-0x0000000001D30000-0x0000000001D55000-memory.dmp

Filesize
148KB

Download
memory/1140-63-0x0000000001D30000-0x0000000001D55000-memory.dmp

Filesize
148KB

Download
memory/1228-71-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/1228-72-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/1228-73-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/1228-74-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/1284-77-0x0000000002A60000-0x0000000002A85000-memory.dmp

Filesize
148KB

Download
memory/1284-79-0x0000000002A60000-0x0000000002A85000-memory.dmp

Filesize
148KB

Download
memory/1284-78-0x0000000002A60000-0x0000000002A85000-memory.dmp

Filesize
148KB

Download
memory/1284-80-0x0000000002A60000-0x0000000002A85000-memory.dmp

Filesize
148KB

Download
memory/1396-111-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1396-112-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1396-113-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1396-114-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1512-88-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/1512-99-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1512-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-55-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1512-83-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/1512-85-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/1512-86-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/1512-84-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/1772-120-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1772-119-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1772-118-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1772-117-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads