6cfae9fac2b59c2520f8911a66bd16899886170ff2a5f17f40161ac47f66b0ff

General

Target

b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
Size

483KB
MD5

b0ee0f69d0044d4d4e1ba6fbe7a556ee
SHA1

562ae410121bf87420074a70023c40bbb9e7bcc3
SHA256

6cfae9fac2b59c2520f8911a66bd16899886170ff2a5f17f40161ac47f66b0ff
SHA512

6f984f428421adb3e48b18c8a6f1f76f0a11a06ce3c58355820fae85b3c346870f797137494125f121d5f25d8ef91f1182ab42a269ddadedc05255510a054644

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

syscheck.exeNETSTAT.EXE

pid	process
1620	syscheck.exe
1620	syscheck.exe
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE
1228	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

syscheck.exeNETSTAT.EXE

pid process

1620 syscheck.exe
1620 syscheck.exe
1620 syscheck.exe
1228 NETSTAT.EXE
1228 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

syscheck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"	syscheck.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

b0ee0f69d0044d4d4e1ba6fbe7a556ee.execmd.exesyscheck.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1508 wrote to memory of 1764	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1764	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1764	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1764	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1880	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1880	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1880	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1508 wrote to memory of 1880	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe	cmd.exe
PID 1880 wrote to memory of 1916	1880	cmd.exe	syscheck.exe
PID 1880 wrote to memory of 1916	1880	cmd.exe	syscheck.exe
PID 1880 wrote to memory of 1916	1880	cmd.exe	syscheck.exe
PID 1880 wrote to memory of 1916	1880	cmd.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1916 wrote to memory of 1620	1916	syscheck.exe	syscheck.exe
PID 1212 wrote to memory of 1228	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 1228	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 1228	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 1228	1212	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 1140	1228	NETSTAT.EXE	cmd.exe
PID 1228 wrote to memory of 1140	1228	NETSTAT.EXE	cmd.exe
PID 1228 wrote to memory of 1140	1228	NETSTAT.EXE	cmd.exe
PID 1228 wrote to memory of 1140	1228	NETSTAT.EXE	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

syscheck.exesyscheck.exe

pid process

1916 syscheck.exe
1620 syscheck.exe

pid	process
1916	syscheck.exe
1620	syscheck.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

syscheck.exesyscheck.exeNETSTAT.EXE

description	pid	process	target process
PID 1916 set thread context of 1620	1916	syscheck.exe	syscheck.exe
PID 1620 set thread context of 1212	1620	syscheck.exe	Explorer.EXE
PID 1228 set thread context of 1212	1228	NETSTAT.EXE	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b0ee0f69d0044d4d4e1ba6fbe7a556ee.exesyscheck.exesyscheck.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1508	b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
Token: SeDebugPrivilege	1916	syscheck.exe
Token: SeDebugPrivilege	1620	syscheck.exe
Token: SeDebugPrivilege	1228	NETSTAT.EXE

Loads dropped DLL 2 IoCs

Processes:

cmd.exesyscheck.exe

pid process

1880 cmd.exe
1916 syscheck.exe

pid	process
1880	cmd.exe
1916	syscheck.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
"C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1880

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
4⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
PID:1916

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\syscheck.exe

Download Submit
C:\Users\Admin\AppData\Local\syscheck.exe

Download Submit
C:\Users\Admin\AppData\Local\syscheck.exe

Download Submit
\Users\Admin\AppData\Local\syscheck.exe

Download Submit
\Users\Admin\AppData\Local\syscheck.exe

Download Submit
memory/1140-18-0x0000000000000000-mapping.dmp

Download
memory/1228-16-0x0000000000000000-mapping.dmp

Download
memory/1228-17-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1228-19-0x0000000003130000-0x000000000326C000-memory.dmp

Filesize
1.2MB

Download
memory/1508-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1620-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-14-0x000000000041B680-mapping.dmp

Download
memory/1764-3-0x0000000000000000-mapping.dmp

Download
memory/1880-4-0x0000000000000000-mapping.dmp

Download
memory/1916-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads