3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
19/11/2023, 20:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe
Size

194KB
MD5

d0ac2224fdca9099d141574a72f79688
SHA1

9f02ebe924e7d02426fb876a7b2fbd54e1ec1047
SHA256

3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f
SHA512

dbeddf33beab9eda7668e705ef89eb8518ab962f81f5011f52dd2ce89028bf6acb8c634c72ed221340c8c2277ad76ab4aacc45b62673b7cb876af8e7cea56da0
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOE:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	iuyhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\iuyhost.exe	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe
File opened for modification	C:\Windows\Debug\iuyhost.exe	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iuyhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iuyhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2976	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3004	2976	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe	29
PID 2976 wrote to memory of 3004	2976	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe	29
PID 2976 wrote to memory of 3004	2976	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe	29
PID 2976 wrote to memory of 3004	2976	3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe	29

C:\Users\Admin\AppData\Local\Temp\3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe
"C:\Users\Admin\AppData\Local\Temp\3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F3C74~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

C:\Windows\Debug\iuyhost.exe
C:\Windows\Debug\iuyhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\iuyhost.exe

Filesize
194KB

MD5
f3fdfb5a862055a305325dc7dda44615

SHA1
2ed64af2d184fe884002fb8518ff555501c09096

SHA256
2e251bcb9f1ecbe43bce86f5cbfad176d58ce0ce890636a4b696c82e27922042

SHA512
740356b9bae51de688dba2a498ac5f7c3515f77fb40de30532368594ff9caa0ffce232e63c936a454443f5b04cd7a6497cda65f8af52e15255e62fd4c0a065b2

Download Submit
C:\Windows\debug\iuyhost.exe

Filesize
194KB

MD5
f3fdfb5a862055a305325dc7dda44615

SHA1
2ed64af2d184fe884002fb8518ff555501c09096

SHA256
2e251bcb9f1ecbe43bce86f5cbfad176d58ce0ce890636a4b696c82e27922042

SHA512
740356b9bae51de688dba2a498ac5f7c3515f77fb40de30532368594ff9caa0ffce232e63c936a454443f5b04cd7a6497cda65f8af52e15255e62fd4c0a065b2

Download Submit