55615de80f5c8c8ea9b34d5a867ac74852594a0f3802e8b5c4d88061263817ca

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8631c4bf2f86f0c7f6aacd5ee9720d70.exe
Size

363KB
MD5

8631c4bf2f86f0c7f6aacd5ee9720d70
SHA1

fbf422cb6832ee7973900d9452e7efffaa37792c
SHA256

55615de80f5c8c8ea9b34d5a867ac74852594a0f3802e8b5c4d88061263817ca
SHA512

b82c72f7fef8203ea569e12c5293d6d05706cd5ded80611c704cc0087f0f3ffe63566fa4ee277098d3efba74c13b43b639add0611e7172c76fa952739d271cac
SSDEEP

6144:7Qq+qilUKQWwsctuEDBHlC8w9WuKc9mfhTNSBLJeQAT+u:7/+5lJvwVdNdeuphkBNRq+u

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1944 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

syugi.exe

pid process

3040 syugi.exe
Loads dropped DLL 1 IoCs

Processes:

8631c4bf2f86f0c7f6aacd5ee9720d70.exe

pid process

1704 8631c4bf2f86f0c7f6aacd5ee9720d70.exe

pid	process
1944	cmd.exe

pid	process
1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

syugi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9DB029C8-CEC5-AD4E-0EA6-58580BF07B45} = "C:\\Users\\Admin\\AppData\\Roaming\\Oleq\\syugi.exe"	syugi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8631c4bf2f86f0c7f6aacd5ee9720d70.exe

description pid process target process

PID 1704 set thread context of 1944 1704 8631c4bf2f86f0c7f6aacd5ee9720d70.exe cmd.exe

description	pid	process	target process
PID 1704 set thread context of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

8631c4bf2f86f0c7f6aacd5ee9720d70.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Privacy	8631c4bf2f86f0c7f6aacd5ee9720d70.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

syugi.exe

pid	process
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe
3040	syugi.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

8631c4bf2f86f0c7f6aacd5ee9720d70.exesyugi.exe

pid process

1704 8631c4bf2f86f0c7f6aacd5ee9720d70.exe
3040 syugi.exe

pid	process
1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
3040	syugi.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

8631c4bf2f86f0c7f6aacd5ee9720d70.exesyugi.exe

description	pid	process	target process
PID 1704 wrote to memory of 3040	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	syugi.exe
PID 1704 wrote to memory of 3040	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	syugi.exe
PID 1704 wrote to memory of 3040	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	syugi.exe
PID 1704 wrote to memory of 3040	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	syugi.exe
PID 3040 wrote to memory of 1108	3040	syugi.exe	taskhost.exe
PID 3040 wrote to memory of 1108	3040	syugi.exe	taskhost.exe
PID 3040 wrote to memory of 1108	3040	syugi.exe	taskhost.exe
PID 3040 wrote to memory of 1108	3040	syugi.exe	taskhost.exe
PID 3040 wrote to memory of 1108	3040	syugi.exe	taskhost.exe
PID 3040 wrote to memory of 1176	3040	syugi.exe	Dwm.exe
PID 3040 wrote to memory of 1176	3040	syugi.exe	Dwm.exe
PID 3040 wrote to memory of 1176	3040	syugi.exe	Dwm.exe
PID 3040 wrote to memory of 1176	3040	syugi.exe	Dwm.exe
PID 3040 wrote to memory of 1176	3040	syugi.exe	Dwm.exe
PID 3040 wrote to memory of 1200	3040	syugi.exe	Explorer.EXE
PID 3040 wrote to memory of 1200	3040	syugi.exe	Explorer.EXE
PID 3040 wrote to memory of 1200	3040	syugi.exe	Explorer.EXE
PID 3040 wrote to memory of 1200	3040	syugi.exe	Explorer.EXE
PID 3040 wrote to memory of 1200	3040	syugi.exe	Explorer.EXE
PID 3040 wrote to memory of 2136	3040	syugi.exe	DllHost.exe
PID 3040 wrote to memory of 2136	3040	syugi.exe	DllHost.exe
PID 3040 wrote to memory of 2136	3040	syugi.exe	DllHost.exe
PID 3040 wrote to memory of 2136	3040	syugi.exe	DllHost.exe
PID 3040 wrote to memory of 2136	3040	syugi.exe	DllHost.exe
PID 3040 wrote to memory of 1704	3040	syugi.exe	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
PID 3040 wrote to memory of 1704	3040	syugi.exe	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
PID 3040 wrote to memory of 1704	3040	syugi.exe	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
PID 3040 wrote to memory of 1704	3040	syugi.exe	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
PID 3040 wrote to memory of 1704	3040	syugi.exe	8631c4bf2f86f0c7f6aacd5ee9720d70.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe
PID 1704 wrote to memory of 1944	1704	8631c4bf2f86f0c7f6aacd5ee9720d70.exe	cmd.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\8631c4bf2f86f0c7f6aacd5ee9720d70.exe
"C:\Users\Admin\AppData\Local\Temp\8631c4bf2f86f0c7f6aacd5ee9720d70.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Oleq\syugi.exe
"C:\Users\Admin\AppData\Roaming\Oleq\syugi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcf34b3e5.bat"
3⤵
- Deletes itself
PID:1944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcf34b3e5.bat

Filesize
243B

MD5
8000b3e89e7e201451d17d1ddd5c246f

SHA1
ce4c0dfdf4876e0127f4661f59997e4ea2471f2d

SHA256
47b9d304549605e1e92a8d3f1f9a582f0c6c72e9cff2d3bb8d0cd21aae99b97a

SHA512
53ae24296144d2b4eaab85f3f0cc0a1b36a7650a2faae1a61041fe7f602d791159eae35efc651febe02f406ec07e2bd1f50f3308b10d5bbcbad80f42bb308706

Download Submit
C:\Users\Admin\AppData\Roaming\Oleq\syugi.exe

Filesize
363KB

MD5
c46c61221a4e286cc88e174ea16d1749

SHA1
34f53d63bf928f4954342649f73c5aa84a154992

SHA256
f8cf21fab99c966ad24ecad16ad69581bfb6ea1ca37e377e72147a91b6ff39a1

SHA512
1c6b26c1d2f2ef38c7ba9231ec6f37320985f8560a4f402b368678901f5aff64f68f4f9e50d34838c0b2b1b067c4431402b5bda354f63c03f3f7836ab9837002

Download Submit
memory/1108-21-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1108-19-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1108-23-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1108-16-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1108-17-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1176-29-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/1176-27-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/1176-31-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/1176-33-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/1200-38-0x0000000002B60000-0x0000000002BA2000-memory.dmp

Filesize
264KB

Download
memory/1200-36-0x0000000002B60000-0x0000000002BA2000-memory.dmp

Filesize
264KB

Download
memory/1200-37-0x0000000002B60000-0x0000000002BA2000-memory.dmp

Filesize
264KB

Download
memory/1200-39-0x0000000002B60000-0x0000000002BA2000-memory.dmp

Filesize
264KB

Download
memory/1704-58-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/1704-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000000520000-0x000000000057F000-memory.dmp

Filesize
380KB

Download
memory/1704-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-51-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-53-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-55-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-54-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-0-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/1704-56-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-61-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/1704-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-71-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-79-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-77-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-75-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-170-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-151-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-69-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-67-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-65-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-63-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1704-52-0x0000000001D60000-0x0000000001DA2000-memory.dmp

Filesize
264KB

Download
memory/1704-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-179-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/1944-269-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1944-272-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/1944-178-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/2136-48-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2136-46-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2136-42-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2136-44-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/3040-14-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/3040-12-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/3040-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-273-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/3040-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download