5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050

General

Target

0a646c7eddb377017672fd782a89c081.exe
Size

323KB
MD5

0a646c7eddb377017672fd782a89c081
SHA1

e39e1758fbb1a10b94e1e5dfdd2a6849fa66901e
SHA256

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050
SHA512

50dbe326b60716554615daf9cf68f82a189d67bb3f84739251d8aa85ca1ea282e8a2d017dd04d6b4edf907f415979589b19a0aa8fcfd72b1f34edb96628580b9
SSDEEP

6144:Dqfawfwd99vxoYC7+Li9IBCiiortLeY9ZvLmE7JWAN:Wfaos9DodvorsYzCQJBN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pyyf.exe

pid process

2700 pyyf.exe
Loads dropped DLL 4 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exepyyf.exe

pid process

2696 0a646c7eddb377017672fd782a89c081.exe
2700 pyyf.exe
2700 pyyf.exe
2700 pyyf.exe

pid	process
2696	0a646c7eddb377017672fd782a89c081.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pyyf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\{334A3548-CEF1-AD4E-EADF-D61AC06FF507} = "C:\\Users\\Admin\\AppData\\Roaming\\Alocq\\pyyf.exe"	pyyf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exe

description pid process target process

PID 2696 set thread context of 2856 2696 0a646c7eddb377017672fd782a89c081.exe cmd.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1768 2856 WerFault.exe cmd.exe
1636 1768 WerFault.exe WerFault.exe

description	pid	process	target process
PID 2696 set thread context of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe

pid	pid_target	process	target process
1768	2856	WerFault.exe	cmd.exe
1636	1768	WerFault.exe	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

0a646c7eddb377017672fd782a89c081.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy	0a646c7eddb377017672fd782a89c081.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0a646c7eddb377017672fd782a89c081.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

pyyf.exe

pid	process
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe
2700	pyyf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exe

description	pid	process
Token: SeSecurityPrivilege	2696	0a646c7eddb377017672fd782a89c081.exe
Token: SeSecurityPrivilege	2696	0a646c7eddb377017672fd782a89c081.exe
Token: SeSecurityPrivilege	2696	0a646c7eddb377017672fd782a89c081.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exepyyf.exe

pid process

2696 0a646c7eddb377017672fd782a89c081.exe
2700 pyyf.exe

pid	process
2696	0a646c7eddb377017672fd782a89c081.exe
2700	pyyf.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

0a646c7eddb377017672fd782a89c081.exepyyf.execmd.exeWerFault.exe

description	pid	process	target process
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2696 wrote to memory of 2700	2696	0a646c7eddb377017672fd782a89c081.exe	pyyf.exe
PID 2700 wrote to memory of 1120	2700	pyyf.exe	taskhost.exe
PID 2700 wrote to memory of 1120	2700	pyyf.exe	taskhost.exe
PID 2700 wrote to memory of 1120	2700	pyyf.exe	taskhost.exe
PID 2700 wrote to memory of 1120	2700	pyyf.exe	taskhost.exe
PID 2700 wrote to memory of 1120	2700	pyyf.exe	taskhost.exe
PID 2700 wrote to memory of 1184	2700	pyyf.exe	Dwm.exe
PID 2700 wrote to memory of 1184	2700	pyyf.exe	Dwm.exe
PID 2700 wrote to memory of 1184	2700	pyyf.exe	Dwm.exe
PID 2700 wrote to memory of 1184	2700	pyyf.exe	Dwm.exe
PID 2700 wrote to memory of 1184	2700	pyyf.exe	Dwm.exe
PID 2700 wrote to memory of 1212	2700	pyyf.exe	Explorer.EXE
PID 2700 wrote to memory of 1212	2700	pyyf.exe	Explorer.EXE
PID 2700 wrote to memory of 1212	2700	pyyf.exe	Explorer.EXE
PID 2700 wrote to memory of 1212	2700	pyyf.exe	Explorer.EXE
PID 2700 wrote to memory of 1212	2700	pyyf.exe	Explorer.EXE
PID 2700 wrote to memory of 2696	2700	pyyf.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2700 wrote to memory of 2696	2700	pyyf.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2700 wrote to memory of 2696	2700	pyyf.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2700 wrote to memory of 2696	2700	pyyf.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2700 wrote to memory of 2696	2700	pyyf.exe	0a646c7eddb377017672fd782a89c081.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2696 wrote to memory of 2856	2696	0a646c7eddb377017672fd782a89c081.exe	cmd.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2856 wrote to memory of 1768	2856	cmd.exe	WerFault.exe
PID 2700 wrote to memory of 1692	2700	pyyf.exe	conhost.exe
PID 2700 wrote to memory of 1692	2700	pyyf.exe	conhost.exe
PID 2700 wrote to memory of 1692	2700	pyyf.exe	conhost.exe
PID 2700 wrote to memory of 1692	2700	pyyf.exe	conhost.exe
PID 2700 wrote to memory of 1692	2700	pyyf.exe	conhost.exe
PID 2700 wrote to memory of 1768	2700	pyyf.exe	WerFault.exe
PID 2700 wrote to memory of 1768	2700	pyyf.exe	WerFault.exe
PID 2700 wrote to memory of 1768	2700	pyyf.exe	WerFault.exe
PID 2700 wrote to memory of 1768	2700	pyyf.exe	WerFault.exe
PID 2700 wrote to memory of 1768	2700	pyyf.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe
PID 1768 wrote to memory of 1636	1768	WerFault.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\0a646c7eddb377017672fd782a89c081.exe
"C:\Users\Admin\AppData\Local\Temp\0a646c7eddb377017672fd782a89c081.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2bde2d72.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 280
3⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 624
4⤵
- Program crash
PID:1636

C:\Users\Admin\AppData\Roaming\Alocq\pyyf.exe
"C:\Users\Admin\AppData\Roaming\Alocq\pyyf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1911132591-1103227712-923490638183460746-1588632991650499513-18613508221492680288"
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Alocq\pyyf.exe
Filesize
92KB

MD5
0d30557f85829a01333a0e2addcd9cab

SHA1
14c31788650cde959b068121a3f3b1937813a792

SHA256
75d72e28a01b01956100148128834da05237c50cb0e3896d38786fb8db448d09

SHA512
7d4dc44d2f2dab08b23f2affeed6414b957e135fbd62881f1d12e2febb6116570bcf09782111aea4647aaa13903ff90e94db3c00eec53338226a8d5a6c8c397c

Download Submit
\Users\Admin\AppData\Roaming\Alocq\pyyf.exe
Filesize
323KB

MD5
5fbf9a65f26a8171fc0bc17ce90bfd88

SHA1
19ef42b6217d158c7a8d2f4bcd05a52e0795de62

SHA256
bd450b6be0f84d76c59d49980a3f9afadd7081faa38c3323a7a104b74f002ea1

SHA512
c1f4f7b69489a34a052e4f57e0015508c894fbf1e3da06e0fdf464e93da604b93722ecba64952841e7ed081826d0253e0db821f02c63e86143be7d5c2d669af0

Download Submit
memory/1120-22-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1120-21-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1120-20-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1120-16-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1184-24-0x0000000001CB0000-0x0000000001CF1000-memory.dmp

Filesize
260KB

Download
memory/1184-25-0x0000000001CB0000-0x0000000001CF1000-memory.dmp

Filesize
260KB

Download
memory/1184-27-0x0000000001CB0000-0x0000000001CF1000-memory.dmp

Filesize
260KB

Download
memory/1184-26-0x0000000001CB0000-0x0000000001CF1000-memory.dmp

Filesize
260KB

Download
memory/1212-32-0x00000000029B0000-0x00000000029F1000-memory.dmp

Filesize
260KB

Download
memory/1212-29-0x00000000029B0000-0x00000000029F1000-memory.dmp

Filesize
260KB

Download
memory/1212-30-0x00000000029B0000-0x00000000029F1000-memory.dmp

Filesize
260KB

Download
memory/1212-31-0x00000000029B0000-0x00000000029F1000-memory.dmp

Filesize
260KB

Download
memory/2696-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-43-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-178-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-176-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2696-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-0-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2696-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-53-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-51-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-49-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-47-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-45-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-75-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-39-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-38-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-36-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-37-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-79-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-55-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-41-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-35-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/2696-1-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2696-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-15-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2700-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-17-0x0000000000350000-0x00000000003A3000-memory.dmp

Filesize
332KB

Download
memory/2700-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads