11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8

General

Target

8c1b36b24a67666740ebed501c1280c5.exe
Size

277KB
MD5

8c1b36b24a67666740ebed501c1280c5
SHA1

180af0ea1cd6c180ae5dcf91fbe13c585af40282
SHA256

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8
SHA512

fb58aa4aef8e0c4f239884ca229405934de696c36d5a44cf36bb4b91a60ef3b0428b70cbaedc3a8f735771ea049f9631a06b5860473c49f008108e3d47935dab
SSDEEP

6144:EoNNYv4tGVEHZtnHBdsrQqHuas8Y2YhEMA3zNydomVDzzHLMKamJhpY:Ek04tGe3nHbsrNOPKYKt3xkomdz74Kam

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

936 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

exlat.exe

pid process

2940 exlat.exe
Loads dropped DLL 2 IoCs

Processes:

8c1b36b24a67666740ebed501c1280c5.exe

pid process

2000 8c1b36b24a67666740ebed501c1280c5.exe
2000 8c1b36b24a67666740ebed501c1280c5.exe

pid	process
936	cmd.exe

pid	process
2000	8c1b36b24a67666740ebed501c1280c5.exe
2000	8c1b36b24a67666740ebed501c1280c5.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000400000-0x0000000000827000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Niymdo\exlat.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

exlat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6CF0A0C8-CEE0-AD4E-46DF-EAE75CAEC9FA} = "C:\\Users\\Admin\\AppData\\Roaming\\Niymdo\\exlat.exe"	exlat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8c1b36b24a67666740ebed501c1280c5.exe

description pid process target process

PID 2000 set thread context of 936 2000 8c1b36b24a67666740ebed501c1280c5.exe cmd.exe

description	pid	process	target process
PID 2000 set thread context of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

8c1b36b24a67666740ebed501c1280c5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy	8c1b36b24a67666740ebed501c1280c5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8c1b36b24a67666740ebed501c1280c5.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

exlat.exe

pid	process
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe
2940	exlat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8c1b36b24a67666740ebed501c1280c5.exe

description	pid	process
Token: SeSecurityPrivilege	2000	8c1b36b24a67666740ebed501c1280c5.exe
Token: SeSecurityPrivilege	2000	8c1b36b24a67666740ebed501c1280c5.exe
Token: SeSecurityPrivilege	2000	8c1b36b24a67666740ebed501c1280c5.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

8c1b36b24a67666740ebed501c1280c5.exeexlat.exe

description	pid	process	target process
PID 2000 wrote to memory of 2940	2000	8c1b36b24a67666740ebed501c1280c5.exe	exlat.exe
PID 2000 wrote to memory of 2940	2000	8c1b36b24a67666740ebed501c1280c5.exe	exlat.exe
PID 2000 wrote to memory of 2940	2000	8c1b36b24a67666740ebed501c1280c5.exe	exlat.exe
PID 2000 wrote to memory of 2940	2000	8c1b36b24a67666740ebed501c1280c5.exe	exlat.exe
PID 2940 wrote to memory of 1256	2940	exlat.exe	taskhost.exe
PID 2940 wrote to memory of 1256	2940	exlat.exe	taskhost.exe
PID 2940 wrote to memory of 1256	2940	exlat.exe	taskhost.exe
PID 2940 wrote to memory of 1256	2940	exlat.exe	taskhost.exe
PID 2940 wrote to memory of 1256	2940	exlat.exe	taskhost.exe
PID 2940 wrote to memory of 1340	2940	exlat.exe	Dwm.exe
PID 2940 wrote to memory of 1340	2940	exlat.exe	Dwm.exe
PID 2940 wrote to memory of 1340	2940	exlat.exe	Dwm.exe
PID 2940 wrote to memory of 1340	2940	exlat.exe	Dwm.exe
PID 2940 wrote to memory of 1340	2940	exlat.exe	Dwm.exe
PID 2940 wrote to memory of 1404	2940	exlat.exe	Explorer.EXE
PID 2940 wrote to memory of 1404	2940	exlat.exe	Explorer.EXE
PID 2940 wrote to memory of 1404	2940	exlat.exe	Explorer.EXE
PID 2940 wrote to memory of 1404	2940	exlat.exe	Explorer.EXE
PID 2940 wrote to memory of 1404	2940	exlat.exe	Explorer.EXE
PID 2940 wrote to memory of 2520	2940	exlat.exe	DllHost.exe
PID 2940 wrote to memory of 2520	2940	exlat.exe	DllHost.exe
PID 2940 wrote to memory of 2520	2940	exlat.exe	DllHost.exe
PID 2940 wrote to memory of 2520	2940	exlat.exe	DllHost.exe
PID 2940 wrote to memory of 2520	2940	exlat.exe	DllHost.exe
PID 2940 wrote to memory of 2000	2940	exlat.exe	8c1b36b24a67666740ebed501c1280c5.exe
PID 2940 wrote to memory of 2000	2940	exlat.exe	8c1b36b24a67666740ebed501c1280c5.exe
PID 2940 wrote to memory of 2000	2940	exlat.exe	8c1b36b24a67666740ebed501c1280c5.exe
PID 2940 wrote to memory of 2000	2940	exlat.exe	8c1b36b24a67666740ebed501c1280c5.exe
PID 2940 wrote to memory of 2000	2940	exlat.exe	8c1b36b24a67666740ebed501c1280c5.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe
PID 2000 wrote to memory of 936	2000	8c1b36b24a67666740ebed501c1280c5.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\8c1b36b24a67666740ebed501c1280c5.exe
"C:\Users\Admin\AppData\Local\Temp\8c1b36b24a67666740ebed501c1280c5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Niymdo\exlat.exe
"C:\Users\Admin\AppData\Roaming\Niymdo\exlat.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp631787f3.bat"
3⤵
- Deletes itself
PID:936

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp631787f3.bat
Filesize
243B

MD5
5e7d11663c84e0e4477240970ce2cbf5

SHA1
62e5666216383c3d7f3ef115eea1577beb5d27e0

SHA256
8bb2c3b1a978f01c536d3806f2859820adadb95469f42fa7bd5915abea623d33

SHA512
7467ac0a811bd6a88f2e36d10091d58a8828c149963b7fa6feb1db22102b2bc565464ba5f6acffdfc48df1e5bed3a39504652ae33e61182eec1fcd830f81e992

Download Submit
C:\Users\Admin\AppData\Roaming\Xaeg\ajux.uvy
Filesize
366B

MD5
fa1d1bc6a3730e1d58ac51b9709ec39c

SHA1
ec67f93c9a2322b31a914c3c9c2ecda4278e76a1

SHA256
67ca672bf9686bd0835c102a3cdbb0f1405a138963b5be34c080cdf8e1dc968a

SHA512
08ecab5c7ad76f026471b21dd7882f683b0c7b691ade28b886181de0513a057298e3fb748512ab39efb9d13eeb32067b66a2331d8c552a47637f5e9bfd653f24

Download Submit
\Users\Admin\AppData\Roaming\Niymdo\exlat.exe
Filesize
277KB

MD5
83d37407e16eb82657a3af7bc5cfcf7c

SHA1
0b5a0c16ead140a6e2ccc12a4906283d4bbba82b

SHA256
e86aa86008975941c632c4564ac213dce60855d6ba03f60537c91173dd16c1ae

SHA512
8bc7b9ce25f56a4b4f21d22b63663da5c2e426a4b18988b232ac7710811f06a5335cb9b218a12233f6818492f1a013b489b5967e7feff69ae927ad5768b3b1b4

Download Submit
memory/936-167-0x0000000077CA0000-0x0000000077CA1000-memory.dmp

Filesize
4KB

Download
memory/936-158-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/936-266-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/936-263-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/936-262-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/1256-21-0x0000000001DD0000-0x0000000001E0D000-memory.dmp

Filesize
244KB

Download
memory/1256-20-0x0000000001DD0000-0x0000000001E0D000-memory.dmp

Filesize
244KB

Download
memory/1256-19-0x0000000001DD0000-0x0000000001E0D000-memory.dmp

Filesize
244KB

Download
memory/1256-17-0x0000000001DD0000-0x0000000001E0D000-memory.dmp

Filesize
244KB

Download
memory/1256-16-0x0000000001DD0000-0x0000000001E0D000-memory.dmp

Filesize
244KB

Download
memory/1340-23-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1340-26-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1340-25-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1340-24-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1404-29-0x0000000002550000-0x000000000258D000-memory.dmp

Filesize
244KB

Download
memory/1404-31-0x0000000002550000-0x000000000258D000-memory.dmp

Filesize
244KB

Download
memory/1404-33-0x0000000002550000-0x000000000258D000-memory.dmp

Filesize
244KB

Download
memory/1404-35-0x0000000002550000-0x000000000258D000-memory.dmp

Filesize
244KB

Download
memory/2000-53-0x0000000077CA0000-0x0000000077CA1000-memory.dmp

Filesize
4KB

Download
memory/2000-73-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-43-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-45-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-44-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-46-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-47-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-50-0x0000000077CA0000-0x0000000077CA1000-memory.dmp

Filesize
4KB

Download
memory/2000-49-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-0-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2000-52-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-48-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-55-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-57-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-59-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-61-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-63-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-69-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-71-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2000-75-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-77-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-79-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-81-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-83-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-145-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2000-2-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2000-159-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2000-3-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2000-163-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2000-165-0x0000000002910000-0x0000000002D37000-memory.dmp

Filesize
4.2MB

Download
memory/2000-14-0x0000000002910000-0x0000000002D37000-memory.dmp

Filesize
4.2MB

Download
memory/2520-38-0x0000000001B90000-0x0000000001BCD000-memory.dmp

Filesize
244KB

Download
memory/2520-39-0x0000000001B90000-0x0000000001BCD000-memory.dmp

Filesize
244KB

Download
memory/2520-41-0x0000000001B90000-0x0000000001BCD000-memory.dmp

Filesize
244KB

Download
memory/2520-40-0x0000000001B90000-0x0000000001BCD000-memory.dmp

Filesize
244KB

Download
memory/2940-13-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2940-18-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/2940-261-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads