67c120af3c7f5313ee2c250077edc0b84da2c7e708efcdffbfc0941bb9b9361c

General

Target

a84dbdb10d158b76edaafe7020925562.exe
Size

373KB
MD5

a84dbdb10d158b76edaafe7020925562
SHA1

ef8b764c74b008d4d4d3b13d687d149346bbac4c
SHA256

67c120af3c7f5313ee2c250077edc0b84da2c7e708efcdffbfc0941bb9b9361c
SHA512

cd7c0ccda30d1b645502c57e0f64fe0a8b08727650de1c61bd66504fffd0713815eac3b0114dc30d3d64ff0d8a3be8af0fefc9ac0875f2189964851491c5cc77
SSDEEP

6144:qHjB/+bC0n/m31/2jJEUUsNEEZKOIf62QGNnnOTqGQCJX14j4i+pfl0:mR+bC0nOF/2jyUQEZK1RQGNnSYoX11pd

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jitok.exe

pid process

2988 jitok.exe
Loads dropped DLL 2 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exe

pid process

2932 a84dbdb10d158b76edaafe7020925562.exe
2932 a84dbdb10d158b76edaafe7020925562.exe

pid	process
2932	a84dbdb10d158b76edaafe7020925562.exe
2932	a84dbdb10d158b76edaafe7020925562.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x0000000000537000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Hyyk\jitok.exe	upx
behavioral1/memory/2988-15-0x0000000000400000-0x0000000000537000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jitok.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E97AF648-8469-AD4E-B6B3-012D8E7B2230} = "C:\\Users\\Admin\\AppData\\Roaming\\Hyyk\\jitok.exe"	jitok.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description pid process target process

PID 2932 set thread context of 2704 2932 a84dbdb10d158b76edaafe7020925562.exe cmd.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1028 2704 WerFault.exe cmd.exe
2884 1028 WerFault.exe WerFault.exe

description	pid	process	target process
PID 2932 set thread context of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe

pid	pid_target	process	target process
1028	2704	WerFault.exe	cmd.exe
2884	1028	WerFault.exe	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a84dbdb10d158b76edaafe7020925562.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	a84dbdb10d158b76edaafe7020925562.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

jitok.exe

pid	process
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe
2988	jitok.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description	pid	process
Token: SeSecurityPrivilege	2932	a84dbdb10d158b76edaafe7020925562.exe
Token: SeSecurityPrivilege	2932	a84dbdb10d158b76edaafe7020925562.exe
Token: SeSecurityPrivilege	2932	a84dbdb10d158b76edaafe7020925562.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exejitok.execmd.exeWerFault.exe

description	pid	process	target process
PID 2932 wrote to memory of 2988	2932	a84dbdb10d158b76edaafe7020925562.exe	jitok.exe
PID 2932 wrote to memory of 2988	2932	a84dbdb10d158b76edaafe7020925562.exe	jitok.exe
PID 2932 wrote to memory of 2988	2932	a84dbdb10d158b76edaafe7020925562.exe	jitok.exe
PID 2932 wrote to memory of 2988	2932	a84dbdb10d158b76edaafe7020925562.exe	jitok.exe
PID 2988 wrote to memory of 1120	2988	jitok.exe	taskhost.exe
PID 2988 wrote to memory of 1120	2988	jitok.exe	taskhost.exe
PID 2988 wrote to memory of 1120	2988	jitok.exe	taskhost.exe
PID 2988 wrote to memory of 1120	2988	jitok.exe	taskhost.exe
PID 2988 wrote to memory of 1120	2988	jitok.exe	taskhost.exe
PID 2988 wrote to memory of 1172	2988	jitok.exe	Dwm.exe
PID 2988 wrote to memory of 1172	2988	jitok.exe	Dwm.exe
PID 2988 wrote to memory of 1172	2988	jitok.exe	Dwm.exe
PID 2988 wrote to memory of 1172	2988	jitok.exe	Dwm.exe
PID 2988 wrote to memory of 1172	2988	jitok.exe	Dwm.exe
PID 2988 wrote to memory of 1212	2988	jitok.exe	Explorer.EXE
PID 2988 wrote to memory of 1212	2988	jitok.exe	Explorer.EXE
PID 2988 wrote to memory of 1212	2988	jitok.exe	Explorer.EXE
PID 2988 wrote to memory of 1212	2988	jitok.exe	Explorer.EXE
PID 2988 wrote to memory of 1212	2988	jitok.exe	Explorer.EXE
PID 2988 wrote to memory of 320	2988	jitok.exe	DllHost.exe
PID 2988 wrote to memory of 320	2988	jitok.exe	DllHost.exe
PID 2988 wrote to memory of 320	2988	jitok.exe	DllHost.exe
PID 2988 wrote to memory of 320	2988	jitok.exe	DllHost.exe
PID 2988 wrote to memory of 320	2988	jitok.exe	DllHost.exe
PID 2988 wrote to memory of 2932	2988	jitok.exe	a84dbdb10d158b76edaafe7020925562.exe
PID 2988 wrote to memory of 2932	2988	jitok.exe	a84dbdb10d158b76edaafe7020925562.exe
PID 2988 wrote to memory of 2932	2988	jitok.exe	a84dbdb10d158b76edaafe7020925562.exe
PID 2988 wrote to memory of 2932	2988	jitok.exe	a84dbdb10d158b76edaafe7020925562.exe
PID 2988 wrote to memory of 2932	2988	jitok.exe	a84dbdb10d158b76edaafe7020925562.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2932 wrote to memory of 2704	2932	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe
PID 2704 wrote to memory of 1028	2704	cmd.exe	WerFault.exe
PID 2704 wrote to memory of 1028	2704	cmd.exe	WerFault.exe
PID 2704 wrote to memory of 1028	2704	cmd.exe	WerFault.exe
PID 2704 wrote to memory of 1028	2704	cmd.exe	WerFault.exe
PID 2988 wrote to memory of 2804	2988	jitok.exe	conhost.exe
PID 2988 wrote to memory of 2804	2988	jitok.exe	conhost.exe
PID 2988 wrote to memory of 2804	2988	jitok.exe	conhost.exe
PID 2988 wrote to memory of 2804	2988	jitok.exe	conhost.exe
PID 2988 wrote to memory of 2804	2988	jitok.exe	conhost.exe
PID 2988 wrote to memory of 1028	2988	jitok.exe	WerFault.exe
PID 2988 wrote to memory of 1028	2988	jitok.exe	WerFault.exe
PID 2988 wrote to memory of 1028	2988	jitok.exe	WerFault.exe
PID 2988 wrote to memory of 1028	2988	jitok.exe	WerFault.exe
PID 2988 wrote to memory of 1028	2988	jitok.exe	WerFault.exe
PID 1028 wrote to memory of 2884	1028	WerFault.exe	WerFault.exe
PID 1028 wrote to memory of 2884	1028	WerFault.exe	WerFault.exe
PID 1028 wrote to memory of 2884	1028	WerFault.exe	WerFault.exe
PID 1028 wrote to memory of 2884	1028	WerFault.exe	WerFault.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\a84dbdb10d158b76edaafe7020925562.exe
"C:\Users\Admin\AppData\Local\Temp\a84dbdb10d158b76edaafe7020925562.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Roaming\Hyyk\jitok.exe
"C:\Users\Admin\AppData\Roaming\Hyyk\jitok.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1e2356b6.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 112
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 528
5⤵
- Program crash
PID:2884

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181336726890199196346993063320036088751165019595-209369799-1715889996-1778760264"
1⤵
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ovjyv\uqax.gut
Filesize
366B

MD5
43f241e27de49a4c05f0756a5ac8eca7

SHA1
cfa55d256d0a9ca79dfdfb576b62cb7b3ea44018

SHA256
4d28aec225e7cecb8fbbe442a1fca9117bb117b4f7c791df7858b4c48391db5b

SHA512
be92eb9959d412a694e29e0626caef51dae885e23520482c0dcea9af04950765e7fbe8a15f73b99e98f05184810dc6e7594793be5e20ba3c4c977cb86eab3369

Download Submit
\Users\Admin\AppData\Roaming\Hyyk\jitok.exe
Filesize
373KB

MD5
3c50f7177e8b16eba299c25045fdae9d

SHA1
bd4e59d24dff6eae48fba614ccfcc3a020765fb0

SHA256
693a3495b3007a8e9d7b20cee0de4b6f92c7e82b95b03869502de4c960a30170

SHA512
37b742cbb503f85dbb26d03a9391e1587cb9fd0b5df7e6803152299c16466e3c492d4eb663f370e6b853ee939c786abab08623da97640f6b1c4269163c7e78c3

Download Submit
memory/320-43-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/320-49-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/320-45-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/320-47-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1120-25-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1120-16-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1120-21-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1120-23-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1172-29-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1172-31-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1172-35-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1172-33-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1212-40-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-41-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-38-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-39-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/2932-57-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-77-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-171-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-12-0x0000000002480000-0x00000000025B7000-memory.dmp

Filesize
1.2MB

Download
memory/2932-1-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2932-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2932-56-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-55-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2932-54-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-53-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-60-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-62-0x0000000077A30000-0x0000000077A31000-memory.dmp

Filesize
4KB

Download
memory/2932-59-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-52-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2932-63-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-65-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-67-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-69-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-71-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-73-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-75-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2932-79-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-81-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-153-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2932-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2988-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-189-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2988-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads