42a63fe99861ed6bb09167730a383db9b4c2e829bd0e122d662648b0bfa5dddc

General

Target

4a6e402b32e9aa511971fe9fed794e3d.exe
Size

144KB
MD5

4a6e402b32e9aa511971fe9fed794e3d
SHA1

d0a06b802a768cef53420db8d2cac5fe89394839
SHA256

42a63fe99861ed6bb09167730a383db9b4c2e829bd0e122d662648b0bfa5dddc
SHA512

42c42c7aa850818227f0eaa61aefd800691274999fcca40a68bf38449a7391ba63f735a1f1776ecf20276aae026c962295a235e3ec792eb0c217a7a933f7628a
SSDEEP

3072:tv/q95gcctBXqO7Gdxl2430X8+xWyiXWVGb6awiM7b:w+6zf24A8+xidLwBb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
764	Hyiriy.exe
4084	Hyiriy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hyiriy = "C:\\Users\\Admin\\AppData\\Roaming\\Hyiriy.exe"	4a6e402b32e9aa511971fe9fed794e3d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 764 set thread context of 4084	764	Hyiriy.exe	96

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	4a6e402b32e9aa511971fe9fed794e3d.exe
2168	4a6e402b32e9aa511971fe9fed794e3d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	Hyiriy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	4a6e402b32e9aa511971fe9fed794e3d.exe
764	Hyiriy.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2116 wrote to memory of 2168	2116	4a6e402b32e9aa511971fe9fed794e3d.exe	20
PID 2168 wrote to memory of 764	2168	4a6e402b32e9aa511971fe9fed794e3d.exe	97
PID 2168 wrote to memory of 764	2168	4a6e402b32e9aa511971fe9fed794e3d.exe	97
PID 2168 wrote to memory of 764	2168	4a6e402b32e9aa511971fe9fed794e3d.exe	97
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 764 wrote to memory of 4084	764	Hyiriy.exe	96
PID 4084 wrote to memory of 4260	4084	Hyiriy.exe	102
PID 4084 wrote to memory of 4260	4084	Hyiriy.exe	102
PID 4084 wrote to memory of 4260	4084	Hyiriy.exe	102
PID 4260 wrote to memory of 1152	4260	iexplore.exe	101
PID 4260 wrote to memory of 1152	4260	iexplore.exe	101

C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
"C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
  C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\Hyiriy.exe
    "C:\Users\Admin\AppData\Roaming\Hyiriy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:764

C:\Users\Admin\AppData\Roaming\Hyiriy.exe
C:\Users\Admin\AppData\Roaming\Hyiriy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
- Modifies Internet Explorer settings
PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:17410 /prefetch:2
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2168-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2168-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2168-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads