81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d

Analysis

max time kernel
164s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
Size

1.3MB
MD5

c58c1846fa7e64b14d7de0690d5f0296
SHA1

f10788dd72d677d68657ab834dddf99d1ab3ab88
SHA256

81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d
SHA512

28609874a0faf86a33146757d78d252e070fab2d231992357528dce306ecd63ba70c6adf7c5aadee2a67e61ac553bba6b0664a5dd6bc1bec4e20dfdbe9e1dcef
SSDEEP

24576:GjdvkUZ0pDZe+Bczu3+ZO0IRR3wTkgr9BNpiUU11Wsp1Igj20wqEiGK8xyw:GjdvkY0pDZe+Bczu3+ZO0IRR3eFr9B/B

Score

9^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023225-13.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002322d-19.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023225-37.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
1332	update.exe
5080	clayylauncher.exe
3076	update.exe
2652	clayylauncher.exe
4796	update.exe
3684	clayylauncher.exe
3332	update.exe
3196	clayylauncher.exe
2336	update.exe
4100	clayylauncher.exe
4980	update.exe
8	clayylauncher.exe
4016	update.exe
808	clayylauncher.exe
992	update.exe
2908	clayylauncher.exe
1512	update.exe
4252	clayylauncher.exe
3336	update.exe
4284	clayylauncher.exe
3548	update.exe
5040	clayylauncher.exe
1132	update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 29 IoCs

Web Service

T1102

flow	ioc
76	raw.githubusercontent.com
9	raw.githubusercontent.com
58	raw.githubusercontent.com
74	raw.githubusercontent.com
75	raw.githubusercontent.com
78	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com
87	raw.githubusercontent.com
49	raw.githubusercontent.com
85	raw.githubusercontent.com
57	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
60	raw.githubusercontent.com
73	raw.githubusercontent.com
77	raw.githubusercontent.com
51	raw.githubusercontent.com
37	raw.githubusercontent.com
61	raw.githubusercontent.com
32	raw.githubusercontent.com
72	raw.githubusercontent.com
55	raw.githubusercontent.com
59	raw.githubusercontent.com
62	raw.githubusercontent.com
8	raw.githubusercontent.com
84	raw.githubusercontent.com
86	raw.githubusercontent.com
69	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1332	update.exe
1332	update.exe
3076	update.exe
3076	update.exe
4796	update.exe
4796	update.exe
3332	update.exe
3332	update.exe
2336	update.exe
2336	update.exe
4980	update.exe
4980	update.exe
4016	update.exe
4016	update.exe
992	update.exe
992	update.exe
1512	update.exe
1512	update.exe
3336	update.exe
3336	update.exe
3548	update.exe
3548	update.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1332	update.exe
1332	update.exe
5080	clayylauncher.exe
5080	clayylauncher.exe
3076	update.exe
3076	update.exe
2652	clayylauncher.exe
2652	clayylauncher.exe
4796	update.exe
4796	update.exe
3684	clayylauncher.exe
3684	clayylauncher.exe
3332	update.exe
3332	update.exe
3196	clayylauncher.exe
3196	clayylauncher.exe
2336	update.exe
2336	update.exe
4100	clayylauncher.exe
4100	clayylauncher.exe
4980	update.exe
4980	update.exe
8	clayylauncher.exe
8	clayylauncher.exe
4016	update.exe
4016	update.exe
808	clayylauncher.exe
808	clayylauncher.exe
992	update.exe
992	update.exe
2908	clayylauncher.exe
2908	clayylauncher.exe
1512	update.exe
1512	update.exe
4252	clayylauncher.exe
4252	clayylauncher.exe
3336	update.exe
3336	update.exe
4284	clayylauncher.exe
4284	clayylauncher.exe
3548	update.exe
3548	update.exe
5040	clayylauncher.exe
5040	clayylauncher.exe
1132	update.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1332	update.exe
1332	update.exe
5080	clayylauncher.exe
5080	clayylauncher.exe
3076	update.exe
3076	update.exe
2652	clayylauncher.exe
2652	clayylauncher.exe
4796	update.exe
4796	update.exe
3684	clayylauncher.exe
3684	clayylauncher.exe
3332	update.exe
3332	update.exe
3196	clayylauncher.exe
3196	clayylauncher.exe
2336	update.exe
2336	update.exe
4100	clayylauncher.exe
4100	clayylauncher.exe
4980	update.exe
4980	update.exe
8	clayylauncher.exe
8	clayylauncher.exe
4016	update.exe
4016	update.exe
808	clayylauncher.exe
808	clayylauncher.exe
992	update.exe
992	update.exe
2908	clayylauncher.exe
2908	clayylauncher.exe
1512	update.exe
1512	update.exe
4252	clayylauncher.exe
4252	clayylauncher.exe
3336	update.exe
3336	update.exe
4284	clayylauncher.exe
4284	clayylauncher.exe
3548	update.exe
3548	update.exe
5040	clayylauncher.exe
5040	clayylauncher.exe
1132	update.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1332	1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe	90
PID 1120 wrote to memory of 1332	1120	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe	90
PID 1332 wrote to memory of 5080	1332	update.exe	93
PID 1332 wrote to memory of 5080	1332	update.exe	93
PID 5080 wrote to memory of 3076	5080	clayylauncher.exe	96
PID 5080 wrote to memory of 3076	5080	clayylauncher.exe	96
PID 3076 wrote to memory of 2652	3076	update.exe	97
PID 3076 wrote to memory of 2652	3076	update.exe	97
PID 2652 wrote to memory of 4796	2652	clayylauncher.exe	98
PID 2652 wrote to memory of 4796	2652	clayylauncher.exe	98
PID 4796 wrote to memory of 3684	4796	update.exe	99
PID 4796 wrote to memory of 3684	4796	update.exe	99
PID 3684 wrote to memory of 3332	3684	clayylauncher.exe	100
PID 3684 wrote to memory of 3332	3684	clayylauncher.exe	100
PID 3332 wrote to memory of 3196	3332	update.exe	102
PID 3332 wrote to memory of 3196	3332	update.exe	102
PID 3196 wrote to memory of 2336	3196	clayylauncher.exe	103
PID 3196 wrote to memory of 2336	3196	clayylauncher.exe	103
PID 2336 wrote to memory of 4100	2336	update.exe	104
PID 2336 wrote to memory of 4100	2336	update.exe	104
PID 4100 wrote to memory of 4980	4100	clayylauncher.exe	105
PID 4100 wrote to memory of 4980	4100	clayylauncher.exe	105
PID 4980 wrote to memory of 8	4980	update.exe	106
PID 4980 wrote to memory of 8	4980	update.exe	106
PID 8 wrote to memory of 4016	8	clayylauncher.exe	107
PID 8 wrote to memory of 4016	8	clayylauncher.exe	107
PID 4016 wrote to memory of 808	4016	update.exe	108
PID 4016 wrote to memory of 808	4016	update.exe	108
PID 808 wrote to memory of 992	808	clayylauncher.exe	109
PID 808 wrote to memory of 992	808	clayylauncher.exe	109
PID 992 wrote to memory of 2908	992	update.exe	110
PID 992 wrote to memory of 2908	992	update.exe	110
PID 2908 wrote to memory of 1512	2908	clayylauncher.exe	111
PID 2908 wrote to memory of 1512	2908	clayylauncher.exe	111
PID 1512 wrote to memory of 4252	1512	update.exe	112
PID 1512 wrote to memory of 4252	1512	update.exe	112
PID 4252 wrote to memory of 3336	4252	clayylauncher.exe	113
PID 4252 wrote to memory of 3336	4252	clayylauncher.exe	113
PID 3336 wrote to memory of 4284	3336	update.exe	114
PID 3336 wrote to memory of 4284	3336	update.exe	114
PID 4284 wrote to memory of 3548	4284	clayylauncher.exe	115
PID 4284 wrote to memory of 3548	4284	clayylauncher.exe	115
PID 3548 wrote to memory of 5040	3548	update.exe	116
PID 3548 wrote to memory of 5040	3548	update.exe	116
PID 5040 wrote to memory of 1132	5040	clayylauncher.exe	117
PID 5040 wrote to memory of 1132	5040	clayylauncher.exe	117

C:\Users\Admin\AppData\Local\Temp\81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
"C:\Users\Admin\AppData\Local\Temp\81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\update.exe
  update.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
    clayylauncher.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\update.exe
      update.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        11⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        13⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        15⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        17⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        19⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        21⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        23⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        24⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
572ea307898c8c6eaa8dc4985a77e177

SHA1
07f16d7a86f8b799364a5c654253e9a2058667af

SHA256
a0af8a9e91c0c0e591be7382e2e875d6ad52eb6fa86dbba599704a5d5189e298

SHA512
01f77c6cd80e50006476a66170dcf4238b6b8d5173a20c071605411dc49610d88950b52d6d8935e07301dd69a42c84c713fa50f7d6bc75686b452f77a5a6d191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
b16c3e3d0ea499e7b1b83509c4bf5cdf

SHA1
29ec482a7571fe069462d7c15f5a82db7ae23d4a

SHA256
60794cb0cbe56a47f434170a23cc1a7480a98ee794c9c2c7b50b310c4df752db

SHA512
033f13093b2edf0e0420f569bb1ed730ac9ad6f105d5be004d4640d195d4d087e0110da20f1936772708f3e09705a78b15771517e695c0e1aababb48b8a33e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
1.3MB

MD5
c58c1846fa7e64b14d7de0690d5f0296

SHA1
f10788dd72d677d68657ab834dddf99d1ab3ab88

SHA256
81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d

SHA512
28609874a0faf86a33146757d78d252e070fab2d231992357528dce306ecd63ba70c6adf7c5aadee2a67e61ac553bba6b0664a5dd6bc1bec4e20dfdbe9e1dcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\version

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\manifests\launcher.manifest

Filesize
109B

MD5
146bf1189db2d64cc369d3a9767773ef

SHA1
f7e8b48e4cdaa7aa6e062dc8ce9925ddd5a4e954

SHA256
2458bbb1948fe3d51cc9cbeef699e826e3510d157e6e39f93a72bfee295767c0

SHA512
ea3e937a2d9e71b7e62810abced93c2924292c8492716fa1d272ec87f6dba5114466ee5a10d72e4bc1c0a1a9b006141644d67996149c29c93988f81ba10a242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
2da574ba0c16a05b6e62cea06efb0e84

SHA1
c2f51dddc1e73064e7a77a1e178d67094291cb09

SHA256
1daa9bf491ef2e1420c7eaa4cf707a26d3985748cd94a7fed9598a8ac064eb43

SHA512
f1f2b3d8871f7b8b971f970858318ffc9510b816e78aa1abd92f0a71ce75f6e2fd09691ccc77eb8c3b49b6f128339abd2466f8fdb250f01f64229c71228578d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
8KB

MD5
321618616bb2852bd15d63353f4f2631

SHA1
ca719d035186dd8d45938f1aa0ede20eb44ed613

SHA256
c1aa6440a0dd3b56fc0821d8f5b3e8e1f2e96d234407fc0ca6f878fc4c95ba04

SHA512
60c1083b4dfadcfb374576ba51c956451f062e8c2ae26c52281b996cafb4ada61932155934322c1a15ac3d3c7d0ca988956f01d691e4dfab7d75ffad0110b63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
467KB

MD5
85c7dc7a943e12326a0cdc81e86d64b9

SHA1
0614251697495314251e39d4ecc8f988ef195fc7

SHA256
c2b1716f34de3d9dd900881e8b61626d2df4de19bc3c27c6d2d21471eeaf2742

SHA512
5654ba65a1b899fa5ed2bcc22b95fca4e94529d3d5174c0c2f44acef05dd15963b692f1c288454465772ff8907cd06222243f9ec697653740cd49d5300c23a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
28KB

MD5
ee453984f4602104eb4841d7b67ab2fd

SHA1
a943662877ef3c9ad29f4cdad920455a24a89b50

SHA256
8feb00eeb93ac0d95aeba7151e4e4bd9e318c4cb303d25039fd8bf9bdaef4d8b

SHA512
43548b3e37644f6d462382aac52fd0b643d6ddcaa6aa5ae2d193606c49c36a80e84c0caefbe319dc9ac3851d6f711906a1947acb0605000d2a84f35cd1a83373

Download Submit