16b4906b0d7e62d8d65ce8e8428acacccb56b72f74f82f7ad9a9d44b7ec1c9e9

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bc95bed82a1d5ece16614c1ad6f47ed.exe
Size

410KB
MD5

5bc95bed82a1d5ece16614c1ad6f47ed
SHA1

a2c39bd194170119dc8aa01d5d48db5b813956e5
SHA256

16b4906b0d7e62d8d65ce8e8428acacccb56b72f74f82f7ad9a9d44b7ec1c9e9
SHA512

efb6c4583980d0753e7d507d9faaa66a555f491756419996110fbcbdabff7838a26ecfa189525b2c7c659659e313a9485ba5ad5ccf61cf74039bd2df8ac48e71
SSDEEP

12288:g7SOoqLdsGPAm5KzTIwiKHiUeWEUjbsloBi8:g74qLiaCdHfeWaoc8

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1560	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	fyjyvy.exe

Loads dropped DLL 1 IoCs

pid	Process
1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\{94926AC8-CECC-AD4E-05C4-B4AE0A3C97B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Liitho\\fyjyvy.exe"	fyjyvy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe
2904	fyjyvy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe
2904	fyjyvy.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2904	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	28
PID 1692 wrote to memory of 2904	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	28
PID 1692 wrote to memory of 2904	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	28
PID 1692 wrote to memory of 2904	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	28
PID 2904 wrote to memory of 1128	2904	fyjyvy.exe	11
PID 2904 wrote to memory of 1128	2904	fyjyvy.exe	11
PID 2904 wrote to memory of 1128	2904	fyjyvy.exe	11
PID 2904 wrote to memory of 1128	2904	fyjyvy.exe	11
PID 2904 wrote to memory of 1128	2904	fyjyvy.exe	11
PID 2904 wrote to memory of 1180	2904	fyjyvy.exe	10
PID 2904 wrote to memory of 1180	2904	fyjyvy.exe	10
PID 2904 wrote to memory of 1180	2904	fyjyvy.exe	10
PID 2904 wrote to memory of 1180	2904	fyjyvy.exe	10
PID 2904 wrote to memory of 1180	2904	fyjyvy.exe	10
PID 2904 wrote to memory of 1212	2904	fyjyvy.exe	8
PID 2904 wrote to memory of 1212	2904	fyjyvy.exe	8
PID 2904 wrote to memory of 1212	2904	fyjyvy.exe	8
PID 2904 wrote to memory of 1212	2904	fyjyvy.exe	8
PID 2904 wrote to memory of 1212	2904	fyjyvy.exe	8
PID 2904 wrote to memory of 2520	2904	fyjyvy.exe	7
PID 2904 wrote to memory of 2520	2904	fyjyvy.exe	7
PID 2904 wrote to memory of 2520	2904	fyjyvy.exe	7
PID 2904 wrote to memory of 2520	2904	fyjyvy.exe	7
PID 2904 wrote to memory of 2520	2904	fyjyvy.exe	7
PID 2904 wrote to memory of 1692	2904	fyjyvy.exe	9
PID 2904 wrote to memory of 1692	2904	fyjyvy.exe	9
PID 2904 wrote to memory of 1692	2904	fyjyvy.exe	9
PID 2904 wrote to memory of 1692	2904	fyjyvy.exe	9
PID 2904 wrote to memory of 1692	2904	fyjyvy.exe	9
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29
PID 1692 wrote to memory of 1560	1692	5bc95bed82a1d5ece16614c1ad6f47ed.exe	29

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2520

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\5bc95bed82a1d5ece16614c1ad6f47ed.exe
  "C:\Users\Admin\AppData\Local\Temp\5bc95bed82a1d5ece16614c1ad6f47ed.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Liitho\fyjyvy.exe
    "C:\Users\Admin\AppData\Roaming\Liitho\fyjyvy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd5bb883e.bat"
    3⤵
    - Deletes itself
    PID:1560

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Liitho\fyjyvy.exe

Filesize
139KB

MD5
61579be7cd679f448126aa7bf50dd34b

SHA1
7b56142993b7fac88c5c12a1435f0793f2a3dd59

SHA256
b89bb94a86f862d3425b808329db223688555217d0d7e3dd1c67576eecf3eb9f

SHA512
99045364d623fbcf443b3740cf0504e9cfcfe914b95aa6071c15fa45e82a5b428aecf9325038dc20b6bfc330eac91bfba3f9bb51e9a9edfcb2a2c28f404c2a38

Download Submit
C:\Users\Admin\AppData\Roaming\Liitho\fyjyvy.exe

Filesize
93KB

MD5
de74ac16da15a82a37c750dcdbe3d219

SHA1
424db8c60e04f6a9d5abf5460db7fdb92138ec0b

SHA256
36137a9369b75ce4173375d2ddafdaba247f95d9a7e3b3d19bcc59912ce6129b

SHA512
7c8121aaa47cce339d7bec0395805f5f478b2649ce4148f730562b173879c3338253cb65f1ce40a3b41fc15b9410954fbe3cd49489dfdf8eb902855a0483fb0a

Download Submit
\Users\Admin\AppData\Roaming\Liitho\fyjyvy.exe

Filesize
320KB

MD5
6de776e51cffe965b55c8873cf52dc1d

SHA1
6645fcb287212f55e64cee2d3a5a710ec08e2be3

SHA256
c23b23e4faeb6c4b82b966448b9c2a5393e8d2880186ae15801c72a89a6b8f84

SHA512
d1ebcea307c3cdc8e19a5b991cae4b9fc2c461b7b4d7a5c844cf0d5108281a9112ef82d15bb3efabf8e85c0c4acb9e3899f2d018b584c0f76bcf62257d6aa14c

Download Submit
memory/1128-18-0x0000000001ED0000-0x0000000001F1D000-memory.dmp

Filesize
308KB

Download
memory/1128-14-0x0000000001ED0000-0x0000000001F1D000-memory.dmp

Filesize
308KB

Download
memory/1128-15-0x0000000001ED0000-0x0000000001F1D000-memory.dmp

Filesize
308KB

Download
memory/1128-16-0x0000000001ED0000-0x0000000001F1D000-memory.dmp

Filesize
308KB

Download
memory/1128-17-0x0000000001ED0000-0x0000000001F1D000-memory.dmp

Filesize
308KB

Download
memory/1180-20-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1180-21-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1180-22-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1180-23-0x0000000000120000-0x000000000016D000-memory.dmp

Filesize
308KB

Download
memory/1212-25-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/1212-26-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/1212-27-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/1212-28-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/1560-144-0x0000000077C50000-0x0000000077C51000-memory.dmp

Filesize
4KB

Download
memory/1560-138-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1560-201-0x0000000000050000-0x000000000009D000-memory.dmp

Filesize
308KB

Download
memory/1692-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-40-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1692-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-59-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-57-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-55-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-53-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-51-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-49-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-48-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1692-47-0x0000000077C50000-0x0000000077C51000-memory.dmp

Filesize
4KB

Download
memory/1692-46-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1692-45-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1692-42-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1692-38-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1692-36-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1692-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-136-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-0-0x0000000000280000-0x00000000002CD000-memory.dmp

Filesize
308KB

Download
memory/1692-75-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1692-44-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1692-135-0x0000000000280000-0x00000000002CD000-memory.dmp

Filesize
308KB

Download
memory/1692-4-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2520-32-0x0000000001CA0000-0x0000000001CED000-memory.dmp

Filesize
308KB

Download
memory/2520-31-0x0000000001CA0000-0x0000000001CED000-memory.dmp

Filesize
308KB

Download
memory/2520-30-0x0000000001CA0000-0x0000000001CED000-memory.dmp

Filesize
308KB

Download
memory/2520-33-0x0000000001CA0000-0x0000000001CED000-memory.dmp

Filesize
308KB

Download
memory/2904-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2904-11-0x00000000004E0000-0x000000000052D000-memory.dmp

Filesize
308KB

Download
memory/2904-202-0x00000000004E0000-0x000000000052D000-memory.dmp

Filesize
308KB

Download
memory/2904-204-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download