06bd744f1ed81eb62bb3fdca2d8983277478f5fd12e51e6dec93bd1f3612b9db

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 04:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cce6a19aa361471478974cf6f02759b0N.exe
Size

355KB
MD5

cce6a19aa361471478974cf6f02759b0
SHA1

6ff2d839ae2467ed28eb76c37e223d65e4826a00
SHA256

06bd744f1ed81eb62bb3fdca2d8983277478f5fd12e51e6dec93bd1f3612b9db
SHA512

134b735dddbd7aee16a7ad0ba1359837fce5a2ba0242ba7dc5d57410fd9b7c27dc2b921aef1f2d72af4f01384113ef1d2cc4a08e03a6a4e54c579d406d2ced6e
SSDEEP

6144:ZJL2VGJcKjEz7QYV/hcnAptNU3Rwd+7bqJhkrayVpw:XL2VYEz75/9ptGyCbqJzyg

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	huqyyz.exe
2752	huqyyz.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	cce6a19aa361471478974cf6f02759b0N.exe
2560	cce6a19aa361471478974cf6f02759b0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95D62C8-3C80-AD4F-B5A1-F2FF8485D1E2} = "C:\\Users\\Admin\\AppData\\Roaming\\Nivyiv\\huqyyz.exe"	huqyyz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 2300 set thread context of 2752	2300	huqyyz.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cce6a19aa361471478974cf6f02759b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cce6a19aa361471478974cf6f02759b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huqyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe
2752	huqyyz.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 1908 wrote to memory of 2560	1908	cce6a19aa361471478974cf6f02759b0N.exe	30
PID 2560 wrote to memory of 2300	2560	cce6a19aa361471478974cf6f02759b0N.exe	31
PID 2560 wrote to memory of 2300	2560	cce6a19aa361471478974cf6f02759b0N.exe	31
PID 2560 wrote to memory of 2300	2560	cce6a19aa361471478974cf6f02759b0N.exe	31
PID 2560 wrote to memory of 2300	2560	cce6a19aa361471478974cf6f02759b0N.exe	31
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2300 wrote to memory of 2752	2300	huqyyz.exe	32
PID 2560 wrote to memory of 2992	2560	cce6a19aa361471478974cf6f02759b0N.exe	33
PID 2560 wrote to memory of 2992	2560	cce6a19aa361471478974cf6f02759b0N.exe	33
PID 2560 wrote to memory of 2992	2560	cce6a19aa361471478974cf6f02759b0N.exe	33
PID 2560 wrote to memory of 2992	2560	cce6a19aa361471478974cf6f02759b0N.exe	33
PID 2752 wrote to memory of 1112	2752	huqyyz.exe	19
PID 2752 wrote to memory of 1112	2752	huqyyz.exe	19
PID 2752 wrote to memory of 1112	2752	huqyyz.exe	19
PID 2752 wrote to memory of 1112	2752	huqyyz.exe	19
PID 2752 wrote to memory of 1112	2752	huqyyz.exe	19
PID 2752 wrote to memory of 1164	2752	huqyyz.exe	20
PID 2752 wrote to memory of 1164	2752	huqyyz.exe	20
PID 2752 wrote to memory of 1164	2752	huqyyz.exe	20
PID 2752 wrote to memory of 1164	2752	huqyyz.exe	20
PID 2752 wrote to memory of 1164	2752	huqyyz.exe	20
PID 2752 wrote to memory of 1204	2752	huqyyz.exe	21
PID 2752 wrote to memory of 1204	2752	huqyyz.exe	21
PID 2752 wrote to memory of 1204	2752	huqyyz.exe	21
PID 2752 wrote to memory of 1204	2752	huqyyz.exe	21
PID 2752 wrote to memory of 1204	2752	huqyyz.exe	21
PID 2752 wrote to memory of 1656	2752	huqyyz.exe	25
PID 2752 wrote to memory of 1656	2752	huqyyz.exe	25
PID 2752 wrote to memory of 1656	2752	huqyyz.exe	25
PID 2752 wrote to memory of 1656	2752	huqyyz.exe	25
PID 2752 wrote to memory of 1656	2752	huqyyz.exe	25
PID 2752 wrote to memory of 2992	2752	huqyyz.exe	33
PID 2752 wrote to memory of 2992	2752	huqyyz.exe	33
PID 2752 wrote to memory of 2992	2752	huqyyz.exe	33
PID 2752 wrote to memory of 2992	2752	huqyyz.exe	33
PID 2752 wrote to memory of 2992	2752	huqyyz.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\cce6a19aa361471478974cf6f02759b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\cce6a19aa361471478974cf6f02759b0N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\cce6a19aa361471478974cf6f02759b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cce6a19aa361471478974cf6f02759b0N.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Roaming\Nivyiv\huqyyz.exe
      "C:\Users\Admin\AppData\Roaming\Nivyiv\huqyyz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Users\Admin\AppData\Roaming\Nivyiv\huqyyz.exe
        
        "C:\Users\Admin\AppData\Roaming\Nivyiv\huqyyz.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp254cb869.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp254cb869.bat

Filesize
245B

MD5
7d676402020d2cf3383cf56bfc6dc0e7

SHA1
276e7b5a9959e87f80ff0fbda2b5a6eb40dbf66c

SHA256
d04c80927d10a76ebbad3a3b58e8e3c8d04fbe753ee520620eaa930d9fe0d5c1

SHA512
8da6241ada4c10e3b899ea7bc5e9768f0a1f40d49317cd9eebfb2b722868e2699da0997eae2c135862740213315e126b39668c7ffa4495b5215329cca6ec6e4e

Download Submit
\Users\Admin\AppData\Roaming\Nivyiv\huqyyz.exe

Filesize
355KB

MD5
7f79d9f023daf1eadb4075d1427ca4a9

SHA1
94cfc3cf68cab3637a636b0ebaeea86f089c4415

SHA256
aa56cad73c1d753ab3096399d4fdb521af11c045d1d5fee7231fb4a4a3c4da2c

SHA512
4bc7a8bee35b7ff8ace2f89d9ad73145be5a37e5f86fafc5f4d872ab1f4a449dc77c757e12a9cc49e06e7482ff6ad1803b85d10bcbcd995a1ef0e0d2d4ccd9ca

Download Submit
memory/1112-57-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1112-61-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1112-59-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1112-55-0x0000000002160000-0x00000000021A4000-memory.dmp

Filesize
272KB

Download
memory/1164-65-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1164-67-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1164-69-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1164-71-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1204-77-0x0000000002F00000-0x0000000002F44000-memory.dmp

Filesize
272KB

Download
memory/1204-76-0x0000000002F00000-0x0000000002F44000-memory.dmp

Filesize
272KB

Download
memory/1204-75-0x0000000002F00000-0x0000000002F44000-memory.dmp

Filesize
272KB

Download
memory/1204-74-0x0000000002F00000-0x0000000002F44000-memory.dmp

Filesize
272KB

Download
memory/1656-79-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1656-81-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1656-82-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1656-80-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1908-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1908-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2300-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2560-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-30-0x0000000002260000-0x00000000022BE000-memory.dmp

Filesize
376KB

Download
memory/2560-23-0x0000000002260000-0x00000000022BE000-memory.dmp

Filesize
376KB

Download
memory/2560-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2992-84-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download