67c120af3c7f5313ee2c250077edc0b84da2c7e708efcdffbfc0941bb9b9361c

General

Target

a84dbdb10d158b76edaafe7020925562.exe
Size

373KB
MD5

a84dbdb10d158b76edaafe7020925562
SHA1

ef8b764c74b008d4d4d3b13d687d149346bbac4c
SHA256

67c120af3c7f5313ee2c250077edc0b84da2c7e708efcdffbfc0941bb9b9361c
SHA512

cd7c0ccda30d1b645502c57e0f64fe0a8b08727650de1c61bd66504fffd0713815eac3b0114dc30d3d64ff0d8a3be8af0fefc9ac0875f2189964851491c5cc77
SSDEEP

6144:qHjB/+bC0n/m31/2jJEUUsNEEZKOIf62QGNnnOTqGQCJX14j4i+pfl0:mR+bC0nOF/2jyUQEZK1RQGNnSYoX11pd

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

saijc.exe

pid process

2540 saijc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000400000-0x0000000000537000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Vexosy\saijc.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

saijc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{FE84AD74-556D-BCA0-F839-D73135CCCD33} = "C:\\Users\\Admin\\AppData\\Roaming\\Vexosy\\saijc.exe"	saijc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description pid process target process

PID 1832 set thread context of 5096 1832 a84dbdb10d158b76edaafe7020925562.exe cmd.exe

description	pid	process	target process
PID 1832 set thread context of 5096	1832	a84dbdb10d158b76edaafe7020925562.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Internet Explorer\Privacy	a84dbdb10d158b76edaafe7020925562.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a84dbdb10d158b76edaafe7020925562.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

saijc.exe

pid	process
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe
2540	saijc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exe

description	pid	process
Token: SeSecurityPrivilege	1832	a84dbdb10d158b76edaafe7020925562.exe
Token: SeSecurityPrivilege	1832	a84dbdb10d158b76edaafe7020925562.exe
Token: SeSecurityPrivilege	1832	a84dbdb10d158b76edaafe7020925562.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a84dbdb10d158b76edaafe7020925562.exesaijc.exe

description	pid	process	target process
PID 1832 wrote to memory of 2540	1832	a84dbdb10d158b76edaafe7020925562.exe	saijc.exe
PID 1832 wrote to memory of 2540	1832	a84dbdb10d158b76edaafe7020925562.exe	saijc.exe
PID 1832 wrote to memory of 2540	1832	a84dbdb10d158b76edaafe7020925562.exe	saijc.exe
PID 2540 wrote to memory of 2908	2540	saijc.exe	sihost.exe
PID 2540 wrote to memory of 2908	2540	saijc.exe	sihost.exe
PID 2540 wrote to memory of 2908	2540	saijc.exe	sihost.exe
PID 2540 wrote to memory of 2908	2540	saijc.exe	sihost.exe
PID 2540 wrote to memory of 2908	2540	saijc.exe	sihost.exe
PID 2540 wrote to memory of 2988	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 2988	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 2988	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 2988	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 2988	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 1724	2540	saijc.exe	taskhostw.exe
PID 2540 wrote to memory of 1724	2540	saijc.exe	taskhostw.exe
PID 2540 wrote to memory of 1724	2540	saijc.exe	taskhostw.exe
PID 2540 wrote to memory of 1724	2540	saijc.exe	taskhostw.exe
PID 2540 wrote to memory of 1724	2540	saijc.exe	taskhostw.exe
PID 2540 wrote to memory of 3348	2540	saijc.exe	Explorer.EXE
PID 2540 wrote to memory of 3348	2540	saijc.exe	Explorer.EXE
PID 2540 wrote to memory of 3348	2540	saijc.exe	Explorer.EXE
PID 2540 wrote to memory of 3348	2540	saijc.exe	Explorer.EXE
PID 2540 wrote to memory of 3348	2540	saijc.exe	Explorer.EXE
PID 2540 wrote to memory of 3532	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 3532	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 3532	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 3532	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 3532	2540	saijc.exe	svchost.exe
PID 2540 wrote to memory of 3752	2540	saijc.exe	DllHost.exe
PID 2540 wrote to memory of 3752	2540	saijc.exe	DllHost.exe
PID 2540 wrote to memory of 3752	2540	saijc.exe	DllHost.exe
PID 2540 wrote to memory of 3752	2540	saijc.exe	DllHost.exe
PID 2540 wrote to memory of 3752	2540	saijc.exe	DllHost.exe
PID 2540 wrote to memory of 3844	2540	saijc.exe	StartMenuExperienceHost.exe
PID 2540 wrote to memory of 3844	2540	saijc.exe	StartMenuExperienceHost.exe
PID 2540 wrote to memory of 3844	2540	saijc.exe	StartMenuExperienceHost.exe
PID 2540 wrote to memory of 3844	2540	saijc.exe	StartMenuExperienceHost.exe
PID 2540 wrote to memory of 3844	2540	saijc.exe	StartMenuExperienceHost.exe
PID 2540 wrote to memory of 3952	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 3952	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 3952	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 3952	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 3952	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 4040	2540	saijc.exe	SearchApp.exe
PID 2540 wrote to memory of 4040	2540	saijc.exe	SearchApp.exe
PID 2540 wrote to memory of 4040	2540	saijc.exe	SearchApp.exe
PID 2540 wrote to memory of 4040	2540	saijc.exe	SearchApp.exe
PID 2540 wrote to memory of 4040	2540	saijc.exe	SearchApp.exe
PID 2540 wrote to memory of 4140	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 4140	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 4140	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 4140	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 4140	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 488	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 488	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 488	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 488	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 488	2540	saijc.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 1276	2540	saijc.exe	TextInputHost.exe
PID 2540 wrote to memory of 1276	2540	saijc.exe	TextInputHost.exe
PID 2540 wrote to memory of 1276	2540	saijc.exe	TextInputHost.exe
PID 2540 wrote to memory of 1276	2540	saijc.exe	TextInputHost.exe
PID 2540 wrote to memory of 1276	2540	saijc.exe	TextInputHost.exe
PID 2540 wrote to memory of 392	2540	saijc.exe	backgroundTaskHost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:392

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3496

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\a84dbdb10d158b76edaafe7020925562.exe
"C:\Users\Admin\AppData\Local\Temp\a84dbdb10d158b76edaafe7020925562.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\Vexosy\saijc.exe
"C:\Users\Admin\AppData\Roaming\Vexosy\saijc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0ee61843.bat"
3⤵
PID:5096

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2988

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2908

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0ee61843.bat
Filesize
243B

MD5
19b56d46f201652d7f7b3e73b0a472d7

SHA1
91632148ac3395448adf7e496c12f745fc3eb9cf

SHA256
f4badcee3740dcbbe3fce90f045577810138c84d799db7a54dafc3e184fa2f05

SHA512
06de0f7a257e77def2fcf2316995c3a5bbe1384bb7e5cc17989cb1689c8d6c92212e9c3bfe840e31110343d86389a9530209b5e11921f1b04cba2d96c4d161db

Download Submit
C:\Users\Admin\AppData\Roaming\Jagec\ydwu.uwa
Filesize
366B

MD5
2be9b79968612eb5e6d8f70432282b77

SHA1
59be649a045f45b2f0dbfa6731ca501e9a4fce06

SHA256
caec49bdbdfda1f11c380589ac3f624f5ea6173ba1e1f0e3c325b28ccf6defa7

SHA512
c442913d20570f61647d0d2e32f68cbe77773a3193533886fe03399e0e6618e8e0c7f18ace8ae50040dd2fbd8dac9e9f09ba1db353ffde19bb58a1c83f45181a

Download Submit
C:\Users\Admin\AppData\Roaming\Vexosy\saijc.exe
Filesize
373KB

MD5
a49ff8a1839014beecab648e70f2637c

SHA1
ab81c239fecbf19b6acc68ba7881ed667a1f7b87

SHA256
637735327b980965fc2fa043631c470377178965a359c5696b465aebb51151a9

SHA512
b1e7dbb573f5b996c13ed5f3f9e84de6f26f926d6694dc29a70324c54c0288a2e4e20590ebfd78d67c7d27e7409d17fa966ad41fc6b94d07f26ea8015716be4e

Download Submit
memory/1832-10-0x0000000002650000-0x0000000002691000-memory.dmp

Filesize
260KB

Download
memory/1832-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-2-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1832-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-12-0x0000000002650000-0x0000000002691000-memory.dmp

Filesize
260KB

Download
memory/1832-13-0x0000000077753000-0x0000000077754000-memory.dmp

Filesize
4KB

Download
memory/1832-14-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1832-16-0x0000000002650000-0x0000000002691000-memory.dmp

Filesize
260KB

Download
memory/1832-1-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-11-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5096-20-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/5096-24-0x0000000077753000-0x0000000077754000-memory.dmp

Filesize
4KB

Download
memory/5096-23-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/5096-22-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads