17bbf9a7c7d843240fec508e0ee3095aae4fd5d180ec2e80f8f58f9b42c7077f

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17fdeae424ee8a8c173da81d61214492.exe
Size

275KB
MD5

17fdeae424ee8a8c173da81d61214492
SHA1

11cbf760492aa2f8600b960c9fee2370740437c8
SHA256

17bbf9a7c7d843240fec508e0ee3095aae4fd5d180ec2e80f8f58f9b42c7077f
SHA512

4eddcd544f6da5750c7ebdcb62c1640ece6d944046f80ebca6d284bd2ebd813f6d106a426e3e875a5398077afae42776385ee0c5f7b6e726830459c91ab34617
SSDEEP

6144:qvyVyBhl40pPbMHLdL1hALe+2NirdrQdZ5wUKD04N6RE:qvAy14wbMdoLT2NKcfwHNN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	ybitiw.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	17fdeae424ee8a8c173da81d61214492.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6F76ACC8-CEF3-AD4E-FF1F-3295E8F41188} = "C:\\Users\\Admin\\AppData\\Roaming\\Izuz\\ybitiw.exe"	ybitiw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
616	1924	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	17fdeae424ee8a8c173da81d61214492.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Privacy	17fdeae424ee8a8c173da81d61214492.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe
3060	ybitiw.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 3060	2644	17fdeae424ee8a8c173da81d61214492.exe	28
PID 2644 wrote to memory of 3060	2644	17fdeae424ee8a8c173da81d61214492.exe	28
PID 2644 wrote to memory of 3060	2644	17fdeae424ee8a8c173da81d61214492.exe	28
PID 2644 wrote to memory of 3060	2644	17fdeae424ee8a8c173da81d61214492.exe	28
PID 3060 wrote to memory of 1132	3060	ybitiw.exe	16
PID 3060 wrote to memory of 1132	3060	ybitiw.exe	16
PID 3060 wrote to memory of 1132	3060	ybitiw.exe	16
PID 3060 wrote to memory of 1132	3060	ybitiw.exe	16
PID 3060 wrote to memory of 1132	3060	ybitiw.exe	16
PID 3060 wrote to memory of 1220	3060	ybitiw.exe	15
PID 3060 wrote to memory of 1220	3060	ybitiw.exe	15
PID 3060 wrote to memory of 1220	3060	ybitiw.exe	15
PID 3060 wrote to memory of 1220	3060	ybitiw.exe	15
PID 3060 wrote to memory of 1220	3060	ybitiw.exe	15
PID 3060 wrote to memory of 1240	3060	ybitiw.exe	14
PID 3060 wrote to memory of 1240	3060	ybitiw.exe	14
PID 3060 wrote to memory of 1240	3060	ybitiw.exe	14
PID 3060 wrote to memory of 1240	3060	ybitiw.exe	14
PID 3060 wrote to memory of 1240	3060	ybitiw.exe	14
PID 3060 wrote to memory of 2644	3060	ybitiw.exe	20
PID 3060 wrote to memory of 2644	3060	ybitiw.exe	20
PID 3060 wrote to memory of 2644	3060	ybitiw.exe	20
PID 3060 wrote to memory of 2644	3060	ybitiw.exe	20
PID 3060 wrote to memory of 2644	3060	ybitiw.exe	20
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 2644 wrote to memory of 1924	2644	17fdeae424ee8a8c173da81d61214492.exe	29
PID 1924 wrote to memory of 616	1924	cmd.exe	31
PID 1924 wrote to memory of 616	1924	cmd.exe	31
PID 1924 wrote to memory of 616	1924	cmd.exe	31
PID 1924 wrote to memory of 616	1924	cmd.exe	31
PID 3060 wrote to memory of 2396	3060	ybitiw.exe	30
PID 3060 wrote to memory of 2396	3060	ybitiw.exe	30
PID 3060 wrote to memory of 2396	3060	ybitiw.exe	30
PID 3060 wrote to memory of 2396	3060	ybitiw.exe	30
PID 3060 wrote to memory of 2396	3060	ybitiw.exe	30
PID 3060 wrote to memory of 616	3060	ybitiw.exe	31
PID 3060 wrote to memory of 616	3060	ybitiw.exe	31
PID 3060 wrote to memory of 616	3060	ybitiw.exe	31
PID 3060 wrote to memory of 616	3060	ybitiw.exe	31
PID 3060 wrote to memory of 616	3060	ybitiw.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\17fdeae424ee8a8c173da81d61214492.exe
  "C:\Users\Admin\AppData\Local\Temp\17fdeae424ee8a8c173da81d61214492.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Izuz\ybitiw.exe
    "C:\Users\Admin\AppData\Roaming\Izuz\ybitiw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c0b7876.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 116
      4⤵
      Program crash
      PID:616

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1880978585-19380642411915708924301836941498389081412369954-1531272726-879312812"
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\agawi.cyo

Filesize
744B

MD5
f87816e582e2345931f4f9a32b4e11df

SHA1
2a0891bdd21016b2e27ce02907394aaba645dbbd

SHA256
38bfd3e867f3468712604055aa8a7e5571b32c806802950835d0c77e3f90ae5a

SHA512
d7f1b80e7e48922e47694bdef0916fbd4a52d5aabfed9e13d3e8ebde5021fce8985a391ec93616fe1571804078db9bf1b7da0a5eca3eba6ce58c707d653d1a21

Download Submit
\Users\Admin\AppData\Roaming\Izuz\ybitiw.exe

Filesize
275KB

MD5
afa1dde8f076d8712e93c8bc13553a46

SHA1
309fa18e499fd42dcf0e842e6d52d78ee92b3373

SHA256
bf1e95226cd09f1e886224edcfee2491f3be94bc7ec33c774fe9f44c5eebaf7d

SHA512
dcd7536f300233d3934f6c328fd6c407f3d7ba260860fbcc7d4d5e84c26b70106aee677c7a876b55ac04612f11d7c0652f062fa7f4f710e73862195dcc776aac

Download Submit
memory/616-275-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/616-179-0x0000000000460000-0x00000000004A4000-memory.dmp

Filesize
272KB

Download
memory/616-181-0x0000000077660000-0x0000000077661000-memory.dmp

Filesize
4KB

Download
memory/616-283-0x0000000000460000-0x00000000004A4000-memory.dmp

Filesize
272KB

Download
memory/1132-18-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1132-17-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1132-16-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1132-15-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1132-19-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1220-21-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1220-23-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1220-25-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1220-27-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1240-32-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1240-33-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1240-30-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1240-31-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/2644-41-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-60-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-35-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-36-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-37-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-38-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-39-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-40-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-42-0x0000000077660000-0x0000000077661000-memory.dmp

Filesize
4KB

Download
memory/2644-9-0x0000000000970000-0x00000000009BA000-memory.dmp

Filesize
296KB

Download
memory/2644-44-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-46-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-49-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-48-0x0000000077660000-0x0000000077661000-memory.dmp

Filesize
4KB

Download
memory/2644-51-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-53-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-57-0x0000000000DB0000-0x0000000000DFA000-memory.dmp

Filesize
296KB

Download
memory/2644-58-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-0-0x0000000000DB0000-0x0000000000DFA000-memory.dmp

Filesize
296KB

Download
memory/2644-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-64-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2644-65-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-67-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-69-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-71-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-73-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-75-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-77-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-79-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-142-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2644-163-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2644-164-0x0000000000970000-0x00000000009B4000-memory.dmp

Filesize
272KB

Download
memory/2644-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2644-4-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2644-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2644-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/3060-176-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/3060-14-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/3060-12-0x0000000001390000-0x00000000013DA000-memory.dmp

Filesize
296KB

Download