Overview

overview

10

Static

static

f8e6d9646b...86.exe

windows7_x64

8

f8e6d9646b...86.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-04-2021 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

  • Size

    123KB

  • MD5

    4f0abd7211e5bcb49a92591158d4d231

  • SHA1

    f8e6d9646bf17d37f2aad9f5b82212f90f67b886

  • SHA256

    b11f8065c37558a54799f1965283968f05754cd63328560148f59d54ed77351c

  • SHA512

    3e5369dfd10eee1c0f456cd7aa94e095d289f9895f67046df25cac5294b7d6dde897fdc59425c8cd75c61ef6285ef5b645bc7a5f2d5de6b7f6a174bac70ee8fc

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
        "C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
          "C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcc8a6eeb.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1464
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe"
              5⤵
                PID:1056
            • C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
              "C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                "C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe"
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:472
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbd23ab3e.bat"
              4⤵
              • Deletes itself
              PID:336
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1168
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1116
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1360
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1820
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:2012

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Modify Existing Service

                1
                T1031

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmpbd23ab3e.bat
                  MD5

                  b3efa8a1e4219e9f78b209dcd9a5dac2

                  SHA1

                  4cc9aa5419f4f0f341fb38483a9db4a107595588

                  SHA256

                  ae6f14c2a530f7b61df43518a245503c743d9d3e42480e8b06a66261746023e0

                  SHA512

                  f4cc35df75bcca41fa1259a8329b18ffa3ea6242d5218f4833dc577dc4abd4a0aa1bed97869f7a02b0a4474bd5c94f38a51b912397de327345bd508b15ba8565

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\tmpcc8a6eeb.bat
                  MD5

                  847190283db685b8bdbf5dfe9778b1f0

                  SHA1

                  1ec7c4a6dad20f82d2444c80b8194e98ea9b3603

                  SHA256

                  f679cc79632a8c09f1e9aac6568d7cd624fab308d498fac1dbe55a438181a05f

                  SHA512

                  d60683dcd808be29a65cc308ab615ad8a263b9cba21c46acb1dfaac44a3ecc263d55e772d4a3d04a7080f3162bb63d1f4b09507511f71249e768f9ff05b60c9d

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                  MD5

                  5e75621e4512f32af13eace1825e891b

                  SHA1

                  81835a56f87f48549dd663ad17fc59c06729e0a2

                  SHA256

                  7f876fc75892832c8febeb07b1964a1588825646251137722c158317ef2d108c

                  SHA512

                  06f6b54914ffd3346da430a610f105b30486a6d2eb8b10c5aa5bec8ce901895af6ea276a4f3ed5782e24464384b12a352844e9572476c61511b1ca3064f24c7e

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                  MD5

                  5e75621e4512f32af13eace1825e891b

                  SHA1

                  81835a56f87f48549dd663ad17fc59c06729e0a2

                  SHA256

                  7f876fc75892832c8febeb07b1964a1588825646251137722c158317ef2d108c

                  SHA512

                  06f6b54914ffd3346da430a610f105b30486a6d2eb8b10c5aa5bec8ce901895af6ea276a4f3ed5782e24464384b12a352844e9572476c61511b1ca3064f24c7e

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                  MD5

                  5e75621e4512f32af13eace1825e891b

                  SHA1

                  81835a56f87f48549dd663ad17fc59c06729e0a2

                  SHA256

                  7f876fc75892832c8febeb07b1964a1588825646251137722c158317ef2d108c

                  SHA512

                  06f6b54914ffd3346da430a610f105b30486a6d2eb8b10c5aa5bec8ce901895af6ea276a4f3ed5782e24464384b12a352844e9572476c61511b1ca3064f24c7e

                  Download Submit
                • \Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                  MD5

                  5e75621e4512f32af13eace1825e891b

                  SHA1

                  81835a56f87f48549dd663ad17fc59c06729e0a2

                  SHA256

                  7f876fc75892832c8febeb07b1964a1588825646251137722c158317ef2d108c

                  SHA512

                  06f6b54914ffd3346da430a610f105b30486a6d2eb8b10c5aa5bec8ce901895af6ea276a4f3ed5782e24464384b12a352844e9572476c61511b1ca3064f24c7e

                  Download Submit
                • \Users\Admin\AppData\Roaming\Yqibsy\ysdanei.exe
                  MD5

                  5e75621e4512f32af13eace1825e891b

                  SHA1

                  81835a56f87f48549dd663ad17fc59c06729e0a2

                  SHA256

                  7f876fc75892832c8febeb07b1964a1588825646251137722c158317ef2d108c

                  SHA512

                  06f6b54914ffd3346da430a610f105b30486a6d2eb8b10c5aa5bec8ce901895af6ea276a4f3ed5782e24464384b12a352844e9572476c61511b1ca3064f24c7e

                  Download Submit
                • memory/336-81-0x0000000000000000-mapping.dmp
                  Download
                • memory/336-85-0x0000000000140000-0x0000000000167000-memory.dmp
                  Filesize

                  156KB

                  Download
                • memory/1056-75-0x0000000000000000-mapping.dmp
                  Download
                • memory/1464-66-0x0000000000000000-mapping.dmp
                  Download
                • memory/1636-69-0x0000000000000000-mapping.dmp
                  Download
                • memory/1804-60-0x0000000000400000-0x0000000000427000-memory.dmp
                  Filesize

                  156KB

                  Download
                • memory/1804-64-0x0000000000400000-0x0000000000427000-memory.dmp
                  Filesize

                  156KB

                  Download
                • memory/1804-63-0x0000000076A01000-0x0000000076A03000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1804-65-0x0000000000401000-0x0000000000422000-memory.dmp
                  Filesize

                  132KB

                  Download
                • memory/1804-82-0x000000000040E0F1-mapping.dmp
                  Download
                • memory/1804-61-0x0000000000400000-0x0000000000427000-memory.dmp
                  Filesize

                  156KB

                  Download