5ec198ff9c73d9a678840540d2f58f67976f80c8801efd4a762c32476508b81e

Analysis

max time kernel
6s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
Size

133KB
MD5

42e15a6ef1dc6d2cc85a6b42b6cb8260
SHA1

cd228accdd47da7b6318811de1043705562d2924
SHA256

5ec198ff9c73d9a678840540d2f58f67976f80c8801efd4a762c32476508b81e
SHA512

3aee5dc0536104c6e02e91038017cc5a66acc706dcdf0f8bf5e8a63a913d429d6a6d4f6b831032dbea63a90d19f8d08da9e5a402512e480a9a9fffee00a39027
SSDEEP

3072:KBFbrajR/V9xuVQTVuR/8PWrJkdiqyj5KzctLO:EFHgHxuVQSkPW6diqy1a

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2980	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gskqb.exe	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gskqb.exe	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gskqb.exe	iftyor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gskqb.exe	iftyor.exe

Executes dropped EXE 6 IoCs

pid	Process
1772	iftyor.exe
4168	iftyor.exe
4052	iftyor.exe
1392	iftyor.exe
3812	iftyor.exe
3844	iftyor.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrihgiel = "C:\\Users\\Admin\\AppData\\Local\\iftyor.exe"	iftyor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrihgiel = "C:\\Users\\Admin\\AppData\\Local\\iftyor.exe"	iftyor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrihgiel = "C:\\Users\\Admin\\AppData\\Local\\iftyor.exe"	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrihgiel = "C:\\Users\\Admin\\AppData\\Local\\iftyor.exe"	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 3812 set thread context of 3844	3812	iftyor.exe	56

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4500	1284	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	34
PID 1284 wrote to memory of 4500	1284	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	34
PID 1284 wrote to memory of 4500	1284	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	34
PID 4500 wrote to memory of 1776	4500	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	35
PID 4500 wrote to memory of 1776	4500	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	35
PID 4500 wrote to memory of 1776	4500	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	35
PID 1776 wrote to memory of 1120	1776	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	38
PID 1776 wrote to memory of 1120	1776	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	38
PID 1776 wrote to memory of 1120	1776	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	38
PID 1120 wrote to memory of 4568	1120	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	37
PID 1120 wrote to memory of 4568	1120	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	37
PID 1120 wrote to memory of 4568	1120	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	37
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 4568 wrote to memory of 3740	4568	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	36
PID 3740 wrote to memory of 2980	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	55
PID 3740 wrote to memory of 2980	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	55
PID 3740 wrote to memory of 2980	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	55
PID 3740 wrote to memory of 1772	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	61
PID 3740 wrote to memory of 1772	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	61
PID 3740 wrote to memory of 1772	3740	42e15a6ef1dc6d2cc85a6b42b6cb8260.exe	61
PID 1772 wrote to memory of 4168	1772	iftyor.exe	60
PID 1772 wrote to memory of 4168	1772	iftyor.exe	60
PID 1772 wrote to memory of 4168	1772	iftyor.exe	60
PID 4168 wrote to memory of 4052	4168	iftyor.exe	59
PID 4168 wrote to memory of 4052	4168	iftyor.exe	59
PID 4168 wrote to memory of 4052	4168	iftyor.exe	59
PID 4052 wrote to memory of 1392	4052	iftyor.exe	58
PID 4052 wrote to memory of 1392	4052	iftyor.exe	58
PID 4052 wrote to memory of 1392	4052	iftyor.exe	58
PID 1392 wrote to memory of 3812	1392	iftyor.exe	57
PID 1392 wrote to memory of 3812	1392	iftyor.exe	57
PID 1392 wrote to memory of 3812	1392	iftyor.exe	57
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56
PID 3812 wrote to memory of 3844	3812	iftyor.exe	56

C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
"C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
  1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
    3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
      5
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120

C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram 1.exe 1 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2980
- C:\Users\Admin\AppData\Local\iftyor.exe
  "C:\Users\Admin\AppData\Local\iftyor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1772

C:\Users\Admin\AppData\Local\Temp\42e15a6ef1dc6d2cc85a6b42b6cb8260.exe
7
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\iftyor.exe
C:\Users\Admin\AppData\Local\iftyor.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:3844

C:\Users\Admin\AppData\Local\iftyor.exe
7
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\iftyor.exe
5
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\iftyor.exe
3
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\iftyor.exe
1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
37KB

MD5
17699deb03fb13304f6952fa925a6542

SHA1
2cd631e8c99fd9e8b24b131d6cff68af11715bea

SHA256
e536d84944b7d6d0d0d2e6c86010016c66821353ae435a4d0c64defe5426aa10

SHA512
e18adfd08176f385cca31b67025e045182bd913f838c98f0bea7025f0c32d70ab12dfb60917685770af936cf63565a83e86570e517b6f015c3aff56d20e2b645

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
43KB

MD5
f9f7e8fbcfbd1ec16ae2455a04fac8b5

SHA1
bdf8cef47a797a524edefca01ed55bf62206d97a

SHA256
ce6295b500b4a1f64f4ab64d9390d623dde41dcecd9e46c414998c05e1e7f1fd

SHA512
53ce700e6ad31b847b1eaf696d4ada396093c856903fbaf0f080fb4079e48b2335f03d58aef87fce2d703c74dd425a9e1f185698597c1aa276f8cc61d81201aa

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
64KB

MD5
c887c58d764a0987ed7f38c2fffe8dc6

SHA1
f31dea83b65c0707f63e38f0a22c7a82473521a4

SHA256
20f07d60e9dff8159cc7f54b68f3ac5a40efc3c39bd08856e252cff5314e575a

SHA512
593a4517583f1130e12d053be13be7fbd3e0697b81e44243600bbaa4e5699eb70dd682b5cf245ee26f8076ff04ea05c269771110f5490462f59874f235731c74

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
14KB

MD5
7567818038f0c990176255925c9a7f8a

SHA1
12e6c2412596ae5c2f20e751783b6dd954d7de7f

SHA256
b4e776dee90f4cc647a4d23c65484f39991660adc8a3cc1c2eb8a1110d9c4ead

SHA512
c1e6677dcac099dd5e2c53d7d45809e82664174dffc815f7f20a58c5adaaa570315d365814be43461f175277623fa39fdc498e9d25746628ad9f8d949ac1075b

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
124KB

MD5
e0d1beb6947cd1505aa41fb16e103578

SHA1
eecb048bc4c9835a32b119d54dbe9a6a177ccfe4

SHA256
566166f637a9fee91fa02011901899f6166fd731797c9b9e6cb5b35a82309a6e

SHA512
589e16dba32a82e42740546410c9bb87e953ca192db6ec91c450c4eb1b0dc34afcd9d6020e8a40736d0326c3df90ca113e67271bc231f8f991991a3da7f5c15d

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
102KB

MD5
5ce1ed47b8d35230b9f5bf044b5f43f7

SHA1
cc4671cf81edad527870eadf29f6074e0bf36d9a

SHA256
313573453d6b97654b7a58123defe87c0d229ee7d9c615bf4d6bdb35947f5cf7

SHA512
294cbbe2b5eea4bc4faa467ff9574164985fae733cad97a7813d8cfa2fdc9221ed2e5c9a7590052a095e16684cf7e369cc467b75f3d394f4d1d0548fbe575c3f

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
26KB

MD5
72b77401add2b70093748a8c26324114

SHA1
623749d799a601653aba5106a78276e0f51a55eb

SHA256
c32ed739e9f08c85a4f89c6a687d773d34c8ed19461001dc01361727410f4989

SHA512
4aa5a1723de1425d3effb3c6072fba5e7e03d26554357b413abd1f1a0275c55d417098f68a79435c485cc2b41e6424db5a2f8eb16e8bb0cf5c3158b14329e68d

Download Submit
C:\Users\Admin\AppData\Local\iftyor.exe

Filesize
35KB

MD5
ca67947b86d494b6ca6f1577f755e381

SHA1
23d5d227429dbce948628ef3de6bd62c4ee091de

SHA256
77ad4023e4efef031f06a3c8a6931c5f9dab0821499e485809e303763ef40204

SHA512
5f036aece53a5cbfa168bef30e424a730a0285feee0a73730352d96108109530e85d8e123b72fe404fec630db8c05d458a1525e6e46d75577172feba12b097a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gskqb.exe

Filesize
35KB

MD5
5fe309a4f6f1cb679f976aac4dca1038

SHA1
e25d8b42ccdfb92c5abad2c59e55164687508e86

SHA256
2a03f61c102e387a9786e80e720b71fa8a59e6506aa55560a21f1ad70e8f4059

SHA512
5b763e4253e66a77a715a84eba7eb90bc6a84cb2b03553897b07ea26b3b7d5ac587964e2ff3f32f4c824997d4dd110bf1316179ec05e4ea8865865fa61ff7690

Download Submit
memory/3740-96-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3740-38-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3740-42-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3740-41-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3812-89-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3812-87-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3812-98-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3812-107-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3844-109-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-111-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-104-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-103-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-106-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-108-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-101-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-110-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-118-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-112-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-113-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-114-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-115-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-116-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4568-40-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4568-105-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads