b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3

General

Target

SKM_454e20070310530.SCR
Size

808KB
MD5

fd239f6ff382ff48c0b544c650f7e04b
SHA1

f07e1454a8b708c150490fc454623519dfd6cef3
SHA256

b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3
SHA512

122000268724443c5bcfb5a071310e31f838ccee106e868bcdf0ee8d045617e3b65ac52495c6e7cda54b0aec530aa130473b07c5b7114e44a48b64989213b86f

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

SKM_454e20070310530.SCRequvnynyhei.exe

description	pid	process	target process
PID 852 set thread context of 1604	852	SKM_454e20070310530.SCR	SKM_454e20070310530.SCR
PID 1164 set thread context of 1040	1164	equvnynyhei.exe	equvnynyhei.exe

Loads dropped DLL 6 IoCs

Processes:

SKM_454e20070310530.SCRequvnynyhei.exe

pid	process
1604	SKM_454e20070310530.SCR
1604	SKM_454e20070310530.SCR
1604	SKM_454e20070310530.SCR
1604	SKM_454e20070310530.SCR
1040	equvnynyhei.exe
1040	equvnynyhei.exe

Suspicious use of AdjustPrivilegeToken 1402 IoCs

Processes:

SKM_454e20070310530.SCRequvnynyhei.exe

description	pid	process
Token: SeSecurityPrivilege	1604	SKM_454e20070310530.SCR
Token: SeSecurityPrivilege	1604	SKM_454e20070310530.SCR
Token: SeSecurityPrivilege	1604	SKM_454e20070310530.SCR
Token: SeSecurityPrivilege	1604	SKM_454e20070310530.SCR
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe
Token: SeSecurityPrivilege	1040	equvnynyhei.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

equvnynyhei.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	equvnynyhei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Currentversion\Run	equvnynyhei.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Beygaqyp = "C:\\Users\\Admin\\AppData\\Roaming\\Epmiocte\\equvnynyhei.exe"	equvnynyhei.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

SKM_454e20070310530.SCRSKM_454e20070310530.SCRequvnynyhei.exeequvnynyhei.exe

pid	process
852	SKM_454e20070310530.SCR
1604	SKM_454e20070310530.SCR
1164	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe
1040	equvnynyhei.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

SKM_454e20070310530.SCRSKM_454e20070310530.SCRequvnynyhei.exeequvnynyhei.exe

description	pid	process	target process
PID 852 wrote to memory of 1604	852	SKM_454e20070310530.SCR	SKM_454e20070310530.SCR
PID 852 wrote to memory of 1604	852	SKM_454e20070310530.SCR	SKM_454e20070310530.SCR
PID 852 wrote to memory of 1604	852	SKM_454e20070310530.SCR	SKM_454e20070310530.SCR
PID 852 wrote to memory of 1604	852	SKM_454e20070310530.SCR	SKM_454e20070310530.SCR
PID 1604 wrote to memory of 1164	1604	SKM_454e20070310530.SCR	equvnynyhei.exe
PID 1604 wrote to memory of 1164	1604	SKM_454e20070310530.SCR	equvnynyhei.exe
PID 1604 wrote to memory of 1164	1604	SKM_454e20070310530.SCR	equvnynyhei.exe
PID 1604 wrote to memory of 1164	1604	SKM_454e20070310530.SCR	equvnynyhei.exe
PID 1164 wrote to memory of 1040	1164	equvnynyhei.exe	equvnynyhei.exe
PID 1164 wrote to memory of 1040	1164	equvnynyhei.exe	equvnynyhei.exe
PID 1164 wrote to memory of 1040	1164	equvnynyhei.exe	equvnynyhei.exe
PID 1164 wrote to memory of 1040	1164	equvnynyhei.exe	equvnynyhei.exe
PID 1604 wrote to memory of 1536	1604	SKM_454e20070310530.SCR	cmd.exe
PID 1604 wrote to memory of 1536	1604	SKM_454e20070310530.SCR	cmd.exe
PID 1604 wrote to memory of 1536	1604	SKM_454e20070310530.SCR	cmd.exe
PID 1604 wrote to memory of 1536	1604	SKM_454e20070310530.SCR	cmd.exe
PID 1040 wrote to memory of 1084	1040	equvnynyhei.exe	taskhost.exe
PID 1040 wrote to memory of 1084	1040	equvnynyhei.exe	taskhost.exe
PID 1040 wrote to memory of 1084	1040	equvnynyhei.exe	taskhost.exe
PID 1040 wrote to memory of 1084	1040	equvnynyhei.exe	taskhost.exe
PID 1040 wrote to memory of 1084	1040	equvnynyhei.exe	taskhost.exe
PID 1040 wrote to memory of 1140	1040	equvnynyhei.exe	Dwm.exe
PID 1040 wrote to memory of 1140	1040	equvnynyhei.exe	Dwm.exe
PID 1040 wrote to memory of 1140	1040	equvnynyhei.exe	Dwm.exe
PID 1040 wrote to memory of 1140	1040	equvnynyhei.exe	Dwm.exe
PID 1040 wrote to memory of 1140	1040	equvnynyhei.exe	Dwm.exe
PID 1040 wrote to memory of 1204	1040	equvnynyhei.exe	Explorer.EXE
PID 1040 wrote to memory of 1204	1040	equvnynyhei.exe	Explorer.EXE
PID 1040 wrote to memory of 1204	1040	equvnynyhei.exe	Explorer.EXE
PID 1040 wrote to memory of 1204	1040	equvnynyhei.exe	Explorer.EXE
PID 1040 wrote to memory of 1204	1040	equvnynyhei.exe	Explorer.EXE
PID 1040 wrote to memory of 1936	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1936	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1936	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1936	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1936	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1732	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1732	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1732	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1732	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1732	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1360	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1360	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1360	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1360	1040	equvnynyhei.exe	DllHost.exe
PID 1040 wrote to memory of 1360	1040	equvnynyhei.exe	DllHost.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1536 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

SKM_454e20070310530.SCRequvnynyhei.exe

pid process

852 SKM_454e20070310530.SCR
1164 equvnynyhei.exe
Executes dropped EXE 2 IoCs

Processes:

equvnynyhei.exeequvnynyhei.exe

pid process

1164 equvnynyhei.exe
1040 equvnynyhei.exe

pid	process
1536	cmd.exe

pid	process
1164	equvnynyhei.exe
1040	equvnynyhei.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1084

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR
"C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR" /S
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:852

C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR
"C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR" /S
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe
"C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe
"C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe"
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9548fc54.bat"
4⤵
- Deletes itself
PID:1536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9548fc54.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3FAE.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3FED.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4FB4.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4FD5.tmp

Download Submit
\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe

Download Submit
\Users\Admin\AppData\Roaming\Epmiocte\equvnynyhei.exe

Download Submit
memory/1040-11-0x000000000043F4D4-mapping.dmp

Download
memory/1164-7-0x0000000000000000-mapping.dmp

Download
memory/1536-14-0x0000000000000000-mapping.dmp

Download
memory/1604-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1604-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1604-1-0x000000000043F4D4-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads