15b31d40af72d86a72e628c0ce55384d3d2a11bea1d7c1f99f708381d6b1d8b8

Analysis

max time kernel
15s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1955c8b19af2f4cc6ab2ba4a94b4bc22.exe
Size

377KB
MD5

1955c8b19af2f4cc6ab2ba4a94b4bc22
SHA1

8dbc581ce21a7a40a9fd45c45066ff8ee79be9aa
SHA256

15b31d40af72d86a72e628c0ce55384d3d2a11bea1d7c1f99f708381d6b1d8b8
SHA512

a7a6ed94e5b50d0c6b01c93019b1113785e5c6f1d99a4dc2054a9d36238871dccb3b8665b8f4cd580068b4ed034e7ebd92d52a9a068acd666759bb983be09802
SSDEEP

6144:1BP/zmsZcI6NEK0188Zvw+NEh6sDqQ2NZpK1imHlTbaNQittqTFLkZNeCaK:j/zmrNG3Y+NgHD12NfoJSmkr5L

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
368	lyoq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{45DFC956-556D-BCA0-0A70-46C3C7855CC1} = "C:\\Users\\Admin\\AppData\\Roaming\\Hetyf\\lyoq.exe"	lyoq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 3308	1048	1955c8b19af2f4cc6ab2ba4a94b4bc22.exe	20

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe
368	lyoq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 368	1048	1955c8b19af2f4cc6ab2ba4a94b4bc22.exe	17
PID 1048 wrote to memory of 368	1048	1955c8b19af2f4cc6ab2ba4a94b4bc22.exe	17
PID 1048 wrote to memory of 368	1048	1955c8b19af2f4cc6ab2ba4a94b4bc22.exe	17
PID 368 wrote to memory of 2520	368	lyoq.exe	65
PID 368 wrote to memory of 2520	368	lyoq.exe	65
PID 368 wrote to memory of 2520	368	lyoq.exe	65
PID 368 wrote to memory of 2520	368	lyoq.exe	65
PID 368 wrote to memory of 2520	368	lyoq.exe	65
PID 368 wrote to memory of 2536	368	lyoq.exe	64
PID 368 wrote to memory of 2536	368	lyoq.exe	64
PID 368 wrote to memory of 2536	368	lyoq.exe	64
PID 368 wrote to memory of 2536	368	lyoq.exe	64
PID 368 wrote to memory of 2536	368	lyoq.exe	64
PID 368 wrote to memory of 2680	368	lyoq.exe	61
PID 368 wrote to memory of 2680	368	lyoq.exe	61
PID 368 wrote to memory of 2680	368	lyoq.exe	61
PID 368 wrote to memory of 2680	368	lyoq.exe	61
PID 368 wrote to memory of 2680	368	lyoq.exe	61
PID 368 wrote to memory of 3476	368	lyoq.exe	51
PID 368 wrote to memory of 3476	368	lyoq.exe	51
PID 368 wrote to memory of 3476	368	lyoq.exe	51
PID 368 wrote to memory of 3476	368	lyoq.exe	51
PID 368 wrote to memory of 3476	368	lyoq.exe	51
PID 368 wrote to memory of 3608	368	lyoq.exe	50
PID 368 wrote to memory of 3608	368	lyoq.exe	50
PID 368 wrote to memory of 3608	368	lyoq.exe	50
PID 368 wrote to memory of 3608	368	lyoq.exe	50
PID 368 wrote to memory of 3608	368	lyoq.exe	50
PID 368 wrote to memory of 3816	368	lyoq.exe	49
PID 368 wrote to memory of 3816	368	lyoq.exe	49
PID 368 wrote to memory of 3816	368	lyoq.exe	49
PID 368 wrote to memory of 3816	368	lyoq.exe	49
PID 368 wrote to memory of 3816	368	lyoq.exe	49
PID 368 wrote to memory of 3908	368	lyoq.exe	48
PID 368 wrote to memory of 3908	368	lyoq.exe	48
PID 368 wrote to memory of 3908	368	lyoq.exe	48
PID 368 wrote to memory of 3908	368	lyoq.exe	48
PID 368 wrote to memory of 3908	368	lyoq.exe	48
PID 368 wrote to memory of 3976	368	lyoq.exe	47
PID 368 wrote to memory of 3976	368	lyoq.exe	47
PID 368 wrote to memory of 3976	368	lyoq.exe	47
PID 368 wrote to memory of 3976	368	lyoq.exe	47
PID 368 wrote to memory of 3976	368	lyoq.exe	47
PID 368 wrote to memory of 4060	368	lyoq.exe	46
PID 368 wrote to memory of 4060	368	lyoq.exe	46
PID 368 wrote to memory of 4060	368	lyoq.exe	46
PID 368 wrote to memory of 4060	368	lyoq.exe	46
PID 368 wrote to memory of 4060	368	lyoq.exe	46
PID 368 wrote to memory of 3628	368	lyoq.exe	45
PID 368 wrote to memory of 3628	368	lyoq.exe	45
PID 368 wrote to memory of 3628	368	lyoq.exe	45
PID 368 wrote to memory of 3628	368	lyoq.exe	45
PID 368 wrote to memory of 3628	368	lyoq.exe	45
PID 368 wrote to memory of 4004	368	lyoq.exe	33
PID 368 wrote to memory of 4004	368	lyoq.exe	33
PID 368 wrote to memory of 4004	368	lyoq.exe	33
PID 368 wrote to memory of 4004	368	lyoq.exe	33
PID 368 wrote to memory of 4004	368	lyoq.exe	33
PID 368 wrote to memory of 2312	368	lyoq.exe	32
PID 368 wrote to memory of 2312	368	lyoq.exe	32
PID 368 wrote to memory of 2312	368	lyoq.exe	32
PID 368 wrote to memory of 2312	368	lyoq.exe	32
PID 368 wrote to memory of 2312	368	lyoq.exe	32
PID 368 wrote to memory of 1960	368	lyoq.exe	24

C:\Users\Admin\AppData\Local\Temp\1955c8b19af2f4cc6ab2ba4a94b4bc22.exe
"C:\Users\Admin\AppData\Local\Temp\1955c8b19af2f4cc6ab2ba4a94b4bc22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\Hetyf\lyoq.exe
  "C:\Users\Admin\AppData\Roaming\Hetyf\lyoq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp91dc30ed.bat"
  2⤵
  PID:3308

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:3332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1956

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2352

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:1960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2312

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2520

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91dc30ed.bat

Filesize
243B

MD5
80323436d3387e0fd756ad5ddff0d89f

SHA1
1e95658b289f691e247e041307e1a518ef518dc0

SHA256
7b35822ad3cd2e4d695d67573201ba441a9033b8fc8c94bc5d50d9d60065f8e8

SHA512
4a313426364001a44853bcb59d00e82228ad989d1d6094421c24f9b7662130bc38af1463598a450c61817d57ecf2ca4288dd8a83178408c31f8fc86addbb8231

Download Submit
C:\Users\Admin\AppData\Roaming\Hetyf\lyoq.exe

Filesize
45KB

MD5
1206e1cb6320a648416f011902879d08

SHA1
ba380be86192ffa297abfa3be099d91fa0a1bcfe

SHA256
942f7468be7e0af5233692888029c4d8c5af5801b7118ac366f3b139f7126b04

SHA512
2b03024ca22be3f0aaae13acd5d8b453cbf936a269f6e7243bb906b0a9838c7123e0035c62d2aefa33630936d603d8bb2a970d2a23f198e722ae99ad193215c7

Download Submit
C:\Users\Admin\AppData\Roaming\Hetyf\lyoq.exe

Filesize
1KB

MD5
7c42d60544846227cb60f2be91144ec1

SHA1
e40830ef7432c18da198ea3860224255796f6a7e

SHA256
7080fe433ec607cd647a5b901a83e8c7dc44a2159550bb958515bd1d357e9996

SHA512
4d05c9f35e6eb7651fd66aa345cea43824e6e05ff80a9a18c14beb090641946d212f0e20aa4978391504886575b06ea079a56872bead29897f454501cc0247c6

Download Submit
memory/368-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/368-44-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/368-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/368-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/368-10-0x00000000020D0000-0x000000000211C000-memory.dmp

Filesize
304KB

Download
memory/368-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-20-0x0000000002320000-0x000000000236C000-memory.dmp

Filesize
304KB

Download
memory/1048-14-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1048-12-0x0000000002320000-0x000000000236C000-memory.dmp

Filesize
304KB

Download
memory/1048-28-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-0-0x0000000002240000-0x000000000228C000-memory.dmp

Filesize
304KB

Download
memory/1048-19-0x0000000002320000-0x000000000236C000-memory.dmp

Filesize
304KB

Download
memory/1048-18-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1048-17-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1048-16-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1048-15-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1048-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1048-13-0x0000000002320000-0x000000000236C000-memory.dmp

Filesize
304KB

Download
memory/1048-32-0x0000000002240000-0x000000000228C000-memory.dmp

Filesize
304KB

Download
memory/3308-39-0x0000000000600000-0x000000000064C000-memory.dmp

Filesize
304KB

Download
memory/3308-40-0x0000000000600000-0x000000000064C000-memory.dmp

Filesize
304KB

Download
memory/3308-38-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3308-36-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3308-23-0x0000000000600000-0x000000000064C000-memory.dmp

Filesize
304KB

Download
memory/3308-37-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3308-33-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3308-34-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3308-35-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download