fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861

General

Target

fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe
Size

72KB
MD5

625f4921396fd4502f6a6196f5a54e20
SHA1

931507cd698eeb74e6d39dfc4482d0b6c9bd1eb8
SHA256

fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861
SHA512

7b71b737c565198fa0189cd8f9dac7977f70adb60da73a3017a730a2aff718588c75c92a3236f0cca5a89c4644661cf56ad837b511248cc0d7024bf23eb4bbf9
SSDEEP

1536:oqMg10vey1tb9lJlRG6M17RDg97GdGS7Me39n0pJ4Y39ORXdvyqH9Ov:5A1t46Mvg0GSYujQyww9Ov

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4540	syshost.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1676	netsh.exe
4228	netsh.exe
3112	netsh.exe
2548	netsh.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe
File opened for modification	C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe
File opened for modification	C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe.tmp	syshost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4540	syshost.exe
4540	syshost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2500	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4540	syshost.exe
Token: SeIncreaseQuotaPrivilege	4540	syshost.exe
Token: SeShutdownPrivilege	4540	syshost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1644	2500	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe	84
PID 2500 wrote to memory of 1644	2500	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe	84
PID 2500 wrote to memory of 1644	2500	fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe	84
PID 4540 wrote to memory of 2548	4540	syshost.exe	86
PID 4540 wrote to memory of 2548	4540	syshost.exe	86
PID 4540 wrote to memory of 2548	4540	syshost.exe	86
PID 4540 wrote to memory of 1676	4540	syshost.exe	88
PID 4540 wrote to memory of 1676	4540	syshost.exe	88
PID 4540 wrote to memory of 1676	4540	syshost.exe	88
PID 4540 wrote to memory of 4228	4540	syshost.exe	89
PID 4540 wrote to memory of 4228	4540	syshost.exe	89
PID 4540 wrote to memory of 4228	4540	syshost.exe	89
PID 4540 wrote to memory of 3112	4540	syshost.exe	92
PID 4540 wrote to memory of 3112	4540	syshost.exe	92
PID 4540 wrote to memory of 3112	4540	syshost.exe	92

C:\Users\Admin\AppData\Local\Temp\fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe
"C:\Users\Admin\AppData\Local\Temp\fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\2383c987.tmp"
  2⤵
  PID:1644

C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe
"C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:2548
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:1676
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:4228
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe

Filesize
72KB

MD5
625f4921396fd4502f6a6196f5a54e20

SHA1
931507cd698eeb74e6d39dfc4482d0b6c9bd1eb8

SHA256
fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861

SHA512
7b71b737c565198fa0189cd8f9dac7977f70adb60da73a3017a730a2aff718588c75c92a3236f0cca5a89c4644661cf56ad837b511248cc0d7024bf23eb4bbf9

Download Submit
C:\Windows\Installer\{D76CD03B-5945-F48C-4745-B39824F6FAF7}\syshost.exe

Filesize
72KB

MD5
625f4921396fd4502f6a6196f5a54e20

SHA1
931507cd698eeb74e6d39dfc4482d0b6c9bd1eb8

SHA256
fc9f4c4e1f7effed71d69473f1cae101aeed8f638ad9221277f091a74c84f861

SHA512
7b71b737c565198fa0189cd8f9dac7977f70adb60da73a3017a730a2aff718588c75c92a3236f0cca5a89c4644661cf56ad837b511248cc0d7024bf23eb4bbf9

Download Submit
memory/1644-142-0x0000000000000000-mapping.dmp

Download
memory/1676-145-0x0000000000000000-mapping.dmp

Download
memory/2500-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-139-0x00000000005E0000-0x0000000000608000-memory.dmp

Filesize
160KB

Download
memory/2500-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-144-0x0000000000000000-mapping.dmp

Download
memory/3112-147-0x0000000000000000-mapping.dmp

Download
memory/4228-146-0x0000000000000000-mapping.dmp

Download
memory/4540-141-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/4540-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4540-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing