Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2022 06:55
Static task: static1
Behavioral task: behavioral1
- Sample: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe
- Resource: win10v2004-20220812-en
General
- Target: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe
- Size: 102KB
- MD5: 75d11415cae5179aa1472ee79a72a036
- SHA1: 24ce0baf0ffe1d05b995d554f4502715813e0ea9
- SHA256: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73
- SHA512: 1101ebf3d78b9b9759c556199c527607b7288b07e06259e60501d59b67f5121ba28f28264dfa3b70263168d78656a1b489f020e88ab4aff5ae91200ffcba9ecb
- SSDEEP: 3072:+P1VMqAT4rYPVi59TOuHts9S0+T0Pa7FzOwKikDmem5hbpVaHDhqc:+PxzNsI6WMwKhE5Jrqt
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 1224: syshost.exe
Modifies Windows Firewall (1 TTP, 4 IoCs)
- PID 1540: netsh.exe
- PID 1208: netsh.exe
- PID 668: netsh.exe
- PID 1520: netsh.exe
Deletes itself (1 IoC)
- PID 2032: cmd.exe
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (syshost.exe)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\Installer\{CEC4F81F-08BF-4CBE-80F9-94D65FF53561}\syshost.exe (b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe)
- File opened for modification: C:\Windows\Installer\{CEC4F81F-08BF-4CBE-80F9-94D65FF53561}\syshost.exe (b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe)
- File opened for modification: C:\Windows\Installer\{CEC4F81F-08BF-4CBE-80F9-94D65FF53561}\syshost.exe.tmp (syshost.exe)
Modifies data under HKEY_USERS (21 IoCs)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" (netsh.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (netsh.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (netsh.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (syshost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" (netsh.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." (netsh.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" (netsh.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" (netsh.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1224: syshost.exe
Suspicious behavior: RenamesItself (1 IoC)
- PID 1724: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeAssignPrimaryTokenPrivilege, PID 1224, syshost.exe
- Token: SeIncreaseQuotaPrivilege, PID 1224, syshost.exe
- Token: SeShutdownPrivilege, PID 1224, syshost.exe
Suspicious use of WriteProcessMemory (20 IoCs)
- PID 1724 wrote to memory of 2032 (pid 1724, b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe, procid_target 28)
- PID 1724 wrote to memory of 2032 (pid 1724, b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe, procid_target 28)
- PID 1724 wrote to memory of 2032 (pid 1724, b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe, procid_target 28)
- PID 1724 wrote to memory of 2032 (pid 1724, b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe, procid_target 28)
- PID 1224 wrote to memory of 668 (pid 1224, syshost.exe, procid_target 30)
- PID 1224 wrote to memory of 668 (pid 1224, syshost.exe, procid_target 30)
- PID 1224 wrote to memory of 668 (pid 1224, syshost.exe, procid_target 30)
- PID 1224 wrote to memory of 668 (pid 1224, syshost.exe, procid_target 30)
- PID 1224 wrote to memory of 1520 (pid 1224, syshost.exe, procid_target 32)
- PID 1224 wrote to memory of 1520 (pid 1224, syshost.exe, procid_target 32)
- PID 1224 wrote to memory of 1520 (pid 1224, syshost.exe, procid_target 32)
- PID 1224 wrote to memory of 1520 (pid 1224, syshost.exe, procid_target 32)
- PID 1224 wrote to memory of 1540 (pid 1224, syshost.exe, procid_target 33)
- PID 1224 wrote to memory of 1540 (pid 1224, syshost.exe, procid_target 33)
- PID 1224 wrote to memory of 1540 (pid 1224, syshost.exe, procid_target 33)
- PID 1224 wrote to memory of 1540 (pid 1224, syshost.exe, procid_target 33)
- PID 1224 wrote to memory of 1208 (pid 1224, syshost.exe, procid_target 36)
- PID 1224 wrote to memory of 1208 (pid 1224, syshost.exe, procid_target 36)
- PID 1224 wrote to memory of 1208 (pid 1224, syshost.exe, procid_target 36)
- PID 1224 wrote to memory of 1208 (pid 1224, syshost.exe, procid_target 36)
Processes
- C:\Users\Admin\AppData\Local\Temp\b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe (PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe (PID 2032)
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f0b3758.tmp"
    - Deletes itself
- C:\Windows\Installer\{CEC4F81F-08BF-4CBE-80F9-94D65FF53561}\syshost.exe (PID 1224)
  Command line: "C:\Windows\Installer\{CEC4F81F-08BF-4CBE-80F9-94D65FF53561}\syshost.exe" /service
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\netsh.exe (PID 668)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe (PID 1520)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe (PID 1540)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe (PID 1208)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 102KB
  MD5: 75d11415cae5179aa1472ee79a72a036
  SHA1: 24ce0baf0ffe1d05b995d554f4502715813e0ea9
  SHA256: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73
  SHA512: 1101ebf3d78b9b9759c556199c527607b7288b07e06259e60501d59b67f5121ba28f28264dfa3b70263168d78656a1b489f020e88ab4aff5ae91200ffcba9ecb
- Filesize: 102KB
  MD5: 75d11415cae5179aa1472ee79a72a036
  SHA1: 24ce0baf0ffe1d05b995d554f4502715813e0ea9
  SHA256: b4dc67a773e788175805a710f685edad65cfb6704d21f9c2a8bca362f4525b73
  SHA512: 1101ebf3d78b9b9759c556199c527607b7288b07e06259e60501d59b67f5121ba28f28264dfa3b70263168d78656a1b489f020e88ab4aff5ae91200ffcba9ecb