30bf6454376a8f98b06073ce40aa031a1d140aedbae63cf2a9207b093871c60a

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e6df19d56ae0ea8637a06906fbada4.exe
Size

333KB
MD5

97e6df19d56ae0ea8637a06906fbada4
SHA1

f1a62c4b3d19bfd52531455266908606562697c2
SHA256

30bf6454376a8f98b06073ce40aa031a1d140aedbae63cf2a9207b093871c60a
SHA512

2c9b407a00ff464d93b7f0a684fca274c3501bba115500b7900b2f0458d37f2af4eb4a0a07d2af695a966eec61aaab07aa447297d125be1eb0d7c260855c6762
SSDEEP

6144:2gfeN1MeWJmucextjTwWKe9gCA/Tyj+knm:TCMZJmzefWT9mqkm

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	myusu.exe
2752	myusu.exe

Loads dropped DLL 3 IoCs

pid	Process
2540	97e6df19d56ae0ea8637a06906fbada4.exe
2540	97e6df19d56ae0ea8637a06906fbada4.exe
2812	myusu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8D03B3C8-CEC5-AD4E-9D6C-4FF59E096CE8} = "C:\\Users\\Admin\\AppData\\Roaming\\Dyxa\\myusu.exe"	myusu.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 2812 set thread context of 2752	2812	myusu.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy	97e6df19d56ae0ea8637a06906fbada4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	97e6df19d56ae0ea8637a06906fbada4.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe
2752	myusu.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 1728 wrote to memory of 2540	1728	97e6df19d56ae0ea8637a06906fbada4.exe	28
PID 2540 wrote to memory of 2812	2540	97e6df19d56ae0ea8637a06906fbada4.exe	29
PID 2540 wrote to memory of 2812	2540	97e6df19d56ae0ea8637a06906fbada4.exe	29
PID 2540 wrote to memory of 2812	2540	97e6df19d56ae0ea8637a06906fbada4.exe	29
PID 2540 wrote to memory of 2812	2540	97e6df19d56ae0ea8637a06906fbada4.exe	29
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2812 wrote to memory of 2752	2812	myusu.exe	30
PID 2752 wrote to memory of 1128	2752	myusu.exe	12
PID 2752 wrote to memory of 1128	2752	myusu.exe	12
PID 2752 wrote to memory of 1128	2752	myusu.exe	12
PID 2752 wrote to memory of 1128	2752	myusu.exe	12
PID 2752 wrote to memory of 1128	2752	myusu.exe	12
PID 2752 wrote to memory of 1216	2752	myusu.exe	11
PID 2752 wrote to memory of 1216	2752	myusu.exe	11
PID 2752 wrote to memory of 1216	2752	myusu.exe	11
PID 2752 wrote to memory of 1216	2752	myusu.exe	11
PID 2752 wrote to memory of 1216	2752	myusu.exe	11
PID 2752 wrote to memory of 1256	2752	myusu.exe	10
PID 2752 wrote to memory of 1256	2752	myusu.exe	10
PID 2752 wrote to memory of 1256	2752	myusu.exe	10
PID 2752 wrote to memory of 1256	2752	myusu.exe	10
PID 2752 wrote to memory of 1256	2752	myusu.exe	10
PID 2752 wrote to memory of 1632	2752	myusu.exe	8
PID 2752 wrote to memory of 1632	2752	myusu.exe	8
PID 2752 wrote to memory of 1632	2752	myusu.exe	8
PID 2752 wrote to memory of 1632	2752	myusu.exe	8
PID 2752 wrote to memory of 1632	2752	myusu.exe	8
PID 2752 wrote to memory of 2540	2752	myusu.exe	28
PID 2752 wrote to memory of 2540	2752	myusu.exe	28
PID 2752 wrote to memory of 2540	2752	myusu.exe	28
PID 2752 wrote to memory of 2540	2752	myusu.exe	28
PID 2752 wrote to memory of 2540	2752	myusu.exe	28
PID 2540 wrote to memory of 2932	2540	97e6df19d56ae0ea8637a06906fbada4.exe	31
PID 2540 wrote to memory of 2932	2540	97e6df19d56ae0ea8637a06906fbada4.exe	31
PID 2540 wrote to memory of 2932	2540	97e6df19d56ae0ea8637a06906fbada4.exe	31
PID 2540 wrote to memory of 2932	2540	97e6df19d56ae0ea8637a06906fbada4.exe	31
PID 2752 wrote to memory of 2932	2752	myusu.exe	31

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\97e6df19d56ae0ea8637a06906fbada4.exe
  "C:\Users\Admin\AppData\Local\Temp\97e6df19d56ae0ea8637a06906fbada4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\97e6df19d56ae0ea8637a06906fbada4.exe
    "C:\Users\Admin\AppData\Local\Temp\97e6df19d56ae0ea8637a06906fbada4.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Roaming\Dyxa\myusu.exe
      "C:\Users\Admin\AppData\Roaming\Dyxa\myusu.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Roaming\Dyxa\myusu.exe
        
        "C:\Users\Admin\AppData\Roaming\Dyxa\myusu.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe12327d4.bat"
      4⤵
      Deletes itself
      PID:2932

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe12327d4.bat

Filesize
243B

MD5
1dcae46aa26118825c6eede713ef0095

SHA1
149935ba20bc666c3ef3f92ec11a5732d6fa86cb

SHA256
2e23f9a5821d2c9ef13daf4373942903a93b88d8538824d4168beac8bee18e40

SHA512
704deea608cbc347a4a43f2da5195bb69d497aaa34d4d24a7891af8414d2cba9432a68293217048808ceede85580b59e9d54e1610580bfcdb30ac64a75ee48b1

Download Submit
\Users\Admin\AppData\Roaming\Dyxa\myusu.exe

Filesize
333KB

MD5
e2fa1d7154a4b5f224370f5ffef0b6b8

SHA1
78802e8cfe2c2bcd687df937d26edffd6882b0ae

SHA256
e1508a1a50ca1e5173e2fde8a7375c4504bedb2c1bbebcdd50820b38ff189b20

SHA512
f24e44e69c73356a441de9f76890dff7a83ae560593022ba8b07e2f19a219effc80481d72105f0233b34cc135e28e6b10b1228e5c1c9eb0e225a2233e82f384e

Download Submit
memory/1128-53-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1128-52-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1128-55-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1128-54-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1216-59-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1216-57-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1216-58-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1216-60-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1256-63-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1256-65-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1256-62-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1256-64-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1632-67-0x0000000001CF0000-0x0000000001D34000-memory.dmp

Filesize
272KB

Download
memory/1632-68-0x0000000001CF0000-0x0000000001D34000-memory.dmp

Filesize
272KB

Download
memory/1632-70-0x0000000001CF0000-0x0000000001D34000-memory.dmp

Filesize
272KB

Download
memory/1632-69-0x0000000001CF0000-0x0000000001D34000-memory.dmp

Filesize
272KB

Download
memory/1728-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1728-13-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2540-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-75-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-178-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-29-0x0000000000450000-0x00000000004A8000-memory.dmp

Filesize
352KB

Download
memory/2540-28-0x0000000000450000-0x00000000004A8000-memory.dmp

Filesize
352KB

Download
memory/2540-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-73-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-74-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-76-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-175-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-77-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-85-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-93-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2540-83-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-81-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-79-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-78-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2540-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-30-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2812-34-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download
memory/2812-46-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download