bf8c9af77542db3ba0b3962dc7ba4f6c7728848dd787c6398cfd34cd3e2ca023

Analysis

max time kernel
150s
max time network
60s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8c9af77542db3ba0b3962dc7ba4f6c7728848dd787c6398cfd34cd3e2ca023.dll
Size

1.3MB
MD5

872285aa166d50053d31b95d2a606b06
SHA1

bc1146ea0a5a91e007e2c2a3a94530bdb5d655e8
SHA256

bf8c9af77542db3ba0b3962dc7ba4f6c7728848dd787c6398cfd34cd3e2ca023
SHA512

8d347c166e06a791b452fb6c542509977cf09a0202e09ea94adab4f63a8d43c78ca52533b923499e94a264caad363a2f8d9c741f4cbb47640702c0761a8fa6eb

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

StikyNot.exeSystemPropertiesPerformance.exewusa.exe

pid process

1548 StikyNot.exe
1676 SystemPropertiesPerformance.exe
432 wusa.exe
Loads dropped DLL 7 IoCs

Processes:

StikyNot.exeSystemPropertiesPerformance.exewusa.exe

pid process

1376
1548 StikyNot.exe
1376
1676 SystemPropertiesPerformance.exe
1376
432 wusa.exe
1376

pid	process
1548	StikyNot.exe
1676	SystemPropertiesPerformance.exe
432	wusa.exe

pid	process
1376
1548	StikyNot.exe
1376
1676	SystemPropertiesPerformance.exe
1376
432	wusa.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pvcyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\1k\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeStikyNot.exeSystemPropertiesPerformance.exewusa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeStikyNot.exe

pid	process
1828	rundll32.exe
1828	rundll32.exe
1828	rundll32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1548	StikyNot.exe
1548	StikyNot.exe
1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 1744	1376	StikyNot.exe
PID 1376 wrote to memory of 1744	1376	StikyNot.exe
PID 1376 wrote to memory of 1744	1376	StikyNot.exe
PID 1376 wrote to memory of 1548	1376	StikyNot.exe
PID 1376 wrote to memory of 1548	1376	StikyNot.exe
PID 1376 wrote to memory of 1548	1376	StikyNot.exe
PID 1376 wrote to memory of 1664	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 1664	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 1664	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 1676	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 1676	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 1676	1376	SystemPropertiesPerformance.exe
PID 1376 wrote to memory of 2020	1376	wusa.exe
PID 1376 wrote to memory of 2020	1376	wusa.exe
PID 1376 wrote to memory of 2020	1376	wusa.exe
PID 1376 wrote to memory of 432	1376	wusa.exe
PID 1376 wrote to memory of 432	1376	wusa.exe
PID 1376 wrote to memory of 432	1376	wusa.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf8c9af77542db3ba0b3962dc7ba4f6c7728848dd787c6398cfd34cd3e2ca023.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1744

C:\Users\Admin\AppData\Local\YZ1\StikyNot.exe
C:\Users\Admin\AppData\Local\YZ1\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\wIro1\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\wIro1\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1676

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\5cih3Er5\wusa.exe
C:\Users\Admin\AppData\Local\5cih3Er5\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5cih3Er5\dpx.dll
Filesize
1.3MB

MD5
73256fce1e9c3f279eefaf576087d8e4

SHA1
70f74f204b59a3494f605a5ebd6908cba46686e5

SHA256
a41082fdd3eeb6238e519ba01c2fe5662e280ab3872acbd932a596f70d8b15ff

SHA512
eb28688cae95709edb62b15c58ad71da6bdba51c74278243c74888022fda231107b9939738e9cd1ef1b3e2d206b4d0ac03cd3dad42446a2234a0f973ec9cd559

Download Submit
C:\Users\Admin\AppData\Local\5cih3Er5\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Local\YZ1\DUI70.dll
Filesize
1.5MB

MD5
18d0089543f7a99eaee2878b396bfbc0

SHA1
1b50d20dae8dcccceda2942b74395cdb78a6840b

SHA256
8faca7afb7301157b1cdcadc05f9e72e7b02eb909ec159d408dc221acd7dd019

SHA512
56b42fbc5a9cc08e943949c630a9842225645f09c71173c09c124762ad2e2dfadd3afddc6a55346c243c3de9731fef626f41dabff9fef15ae8f7786625cdf8db

Download Submit
C:\Users\Admin\AppData\Local\YZ1\StikyNot.exe
Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\wIro1\SYSDM.CPL
Filesize
1.3MB

MD5
9b61a0872d422a7024899df14321ed9c

SHA1
0893adeb6dac0e11e45dda108a93bbbade846c7f

SHA256
95e604dcb4710c2b87607c40af4999c5ac57f49385311866cb18d6803ecd66b1

SHA512
62090d50269f2b407f0c325c1477cf79cce6c014166a26f0e92e0f4fdd72b9edcc0a8ef3716d852269581b438b4f144d6cd1e94f1dbcbd93f4c6e073ce45bb1f

Download Submit
C:\Users\Admin\AppData\Local\wIro1\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\5cih3Er5\dpx.dll
Filesize
1.3MB

MD5
73256fce1e9c3f279eefaf576087d8e4

SHA1
70f74f204b59a3494f605a5ebd6908cba46686e5

SHA256
a41082fdd3eeb6238e519ba01c2fe5662e280ab3872acbd932a596f70d8b15ff

SHA512
eb28688cae95709edb62b15c58ad71da6bdba51c74278243c74888022fda231107b9939738e9cd1ef1b3e2d206b4d0ac03cd3dad42446a2234a0f973ec9cd559

Download Submit
\Users\Admin\AppData\Local\5cih3Er5\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\YZ1\DUI70.dll
Filesize
1.5MB

MD5
18d0089543f7a99eaee2878b396bfbc0

SHA1
1b50d20dae8dcccceda2942b74395cdb78a6840b

SHA256
8faca7afb7301157b1cdcadc05f9e72e7b02eb909ec159d408dc221acd7dd019

SHA512
56b42fbc5a9cc08e943949c630a9842225645f09c71173c09c124762ad2e2dfadd3afddc6a55346c243c3de9731fef626f41dabff9fef15ae8f7786625cdf8db

Download Submit
\Users\Admin\AppData\Local\YZ1\StikyNot.exe
Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\wIro1\SYSDM.CPL
Filesize
1.3MB

MD5
9b61a0872d422a7024899df14321ed9c

SHA1
0893adeb6dac0e11e45dda108a93bbbade846c7f

SHA256
95e604dcb4710c2b87607c40af4999c5ac57f49385311866cb18d6803ecd66b1

SHA512
62090d50269f2b407f0c325c1477cf79cce6c014166a26f0e92e0f4fdd72b9edcc0a8ef3716d852269581b438b4f144d6cd1e94f1dbcbd93f4c6e073ce45bb1f

Download Submit
\Users\Admin\AppData\Local\wIro1\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ghl\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
memory/432-102-0x0000000000000000-mapping.dmp

Download
memory/432-111-0x0000000001AA0000-0x0000000001AA7000-memory.dmp

Filesize
28KB

Download
memory/1376-66-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-62-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-59-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-70-0x0000000002600000-0x0000000002607000-memory.dmp

Filesize
28KB

Download
memory/1376-69-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-60-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-61-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-63-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-68-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-67-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-64-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1376-65-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1548-80-0x0000000000000000-mapping.dmp

Download
memory/1548-86-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1548-85-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1548-82-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1676-96-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1676-100-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1676-91-0x0000000000000000-mapping.dmp

Download
memory/1828-54-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1828-58-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads