Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
23-11-2022 09:58
Static task
static1
Behavioral task
behavioral1
Sample
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
Resource
win10v2004-20221111-en
General
-
Target
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
-
Size
87KB
-
MD5
e7fceebd11f69a00d6ec2856e2fe1835
-
SHA1
f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8
-
SHA256
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d
-
SHA512
8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64
-
SSDEEP
1536:OWoWmsjGwdQe2ZBslGwery5fGpb1clN5Vjd3TLU5fgXRgglg2Rvw:wWmsuZBssw6LcLdf8fgBgglg2Rw
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
PID 1960  syshost.exe
Modifies Windows Firewall (1 TTP, 4 IoCs)
Processes:
PID 1748  netsh.exe
PID 1448  netsh.exe
PID 1576  netsh.exe
PID 1612  netsh.exe
Deletes itself (1 IoC)
Processes:
PID 1636  cmd.exe
Drops file in System32 directory (1 IoC)
Process  Description  IoC
syshost.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Note: C:\Windows\SysWOW64\config\systemprofile is the profile directory of the LocalSystem account, so this write is consistent with syshost.exe running as SYSTEM (see its /service command line and the SeAssignPrimaryTokenPrivilege use below).
Drops file in Windows directory (3 IoCs)
Process  Description  IoC
syshost.exe  File opened for modification  C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe.tmp
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe  File created  C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe  File opened for modification  C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe
Modifies data under HKEY_USERS (22 IoCs)
Processes: netsh.exe (x4), syshost.exe
All MuiCache entries below sit under \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\ (written as MuiCache\... here).
Process  Description  IoC
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"
netsh.exe  Set value (data)  MuiCache\...\LanguageList = 65006e002d0055005300000065006e0000000000
syshost.exe  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting
netsh.exe  Set value (data)  MuiCache\...\LanguageList = 65006e002d0055005300000065006e0000000000
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"
netsh.exe  Set value (data)  MuiCache\...\LanguageList = 65006e002d0055005300000065006e0000000000
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
netsh.exe  Set value (data)  MuiCache\...\LanguageList = 65006e002d0055005300000065006e0000000000
syshost.exe  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"
netsh.exe  Set value (str)  MuiCache\...\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"
Note: the MuiCache strings are the display names of the NAP helper DLLs (dhcpqec, eapqec, tsgqec, napipsec) that netsh.exe loads at startup, and LanguageList decodes from UTF-16LE to the multi-string "en-US", "en". They land under HKEY_USERS\.DEFAULT, the hive the LocalSystem account uses as HKCU, so they indicate the SYSTEM context the netsh.exe children inherited from syshost.exe rather than deliberate registry changes by the sample.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
PID 1960  syshost.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes:
PID 828  0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process  Description  PID
syshost.exe  Token: SeAssignPrimaryTokenPrivilege  1960
syshost.exe  Token: SeIncreaseQuotaPrivilege  1960
syshost.exe  Token: SeShutdownPrivilege  1960
Suspicious use of WriteProcessMemory (20 IoCs)
Source process  Target process  Events
PID 828 (0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe) wrote to memory of PID 1636 (cmd.exe)  x4
PID 1960 (syshost.exe) wrote to memory of PID 1448 (netsh.exe)  x4
PID 1960 (syshost.exe) wrote to memory of PID 1576 (netsh.exe)  x4
PID 1960 (syshost.exe) wrote to memory of PID 1612 (netsh.exe)  x4
PID 1960 (syshost.exe) wrote to memory of PID 1748 (netsh.exe)  x4
The four entries per child are repeated write events into the same newly created process; there are five distinct source/target pairs, all parent-to-child.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe (PID 828, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe"
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1636, level 2)
  Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\edbe27c5.tmp"
  - Deletes itself
C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe (PID 1960, level 1)
Command line: "C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe" /service
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netsh.exe (level 2)
  Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\netsh.exe (level 2)
  Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\netsh.exe (level 2)
  Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\netsh.exe (level 2)
  Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
Notes on the tree:
- The four netsh.exe children are PIDs 1448, 1576, 1612 and 1748 (from the signatures above); the report does not say which PID ran which of the four command lines.
- The children are created from C:\Windows\SysWOW64\ although their command lines name C:\Windows\system32\. That is WOW64 file-system redirection applied to a 32-bit parent, so both the sample and syshost.exe are 32-bit processes.
- cmd.exe deletes edbe27c5.tmp, not the sample's .exe. Together with the RenamesItself signature on PID 828, this is consistent with the sample renaming its own file to that .tmp name and then removing it.
- syshost.exe appears as a separate top-level process started with /service; the tree shows no parent for it.
- Each netsh command targets a rule named after Windows' built-in "Core Networking" rule group with action=allow and profile=any and no program, port or protocol filter, so it allows all traffic in that direction. "set rule" only changes an existing rule of that name, "add rule" creates a new one, so issuing both for each direction covers both cases and leaves an allow-all rule that blends in with the built-in ones.
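The process tree above can be turned into detection logic. The following Python is an added example written for this page; it is not part of the sandbox report or of the sample. It runs over process-creation events constructed from the tree: the ProcEvent schema, the parent PID 0 for the two top-level processes, the pairing of netsh PIDs with particular command lines and the final benign administrator event are assumptions for the example. It flags three things: a netsh allow rule whose name reuses a built-in "Core Networking" rule group, an executable started from the MSI installer cache (C:\Windows\Installer\{GUID}\), and cmd.exe deleting a file in its parent's own directory.

```python
"""Detection logic for the behaviour in this report, applied to constructed
process-creation events. Added example: the ProcEvent schema, the helper
names and the sample events are assumptions, not a real sensor format."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process image
    cmdline: str   # command line as logged by the sensor


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe"
DROPPED = r"C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

# Constructed from the report's process tree. PIDs 828/1636/1960 are as reported;
# ppid 0 for the top-level processes, the netsh PID-to-command pairing and the
# final benign administrator event are assumptions for the example.
EVENTS = [
    ProcEvent(828, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1636, 828, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\edbe27c5.tmp"'),
    ProcEvent(1960, 0, DROPPED, f'"{DROPPED}" /service'),
    ProcEvent(1448, 1960, NETSH, r'"C:\Windows\system32\netsh.exe" advfirewall firewall add rule '
              r'name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any'),
    ProcEvent(1576, 1960, NETSH, r'"C:\Windows\system32\netsh.exe" advfirewall firewall set rule '
              r'name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any'),
    ProcEvent(2000, 1500, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow '
              r'program="C:\Program Files\Contoso\agent.exe"'),
]

NETSH_RULE = re.compile(r"advfirewall\s+firewall\s+(add|set)\s+rule\s+(.*)", re.I)
KEY_VALUE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# The MSI installer cache holds .msi/.msp files and extracted resources, not
# executables that get launched with service-style switches.
INSTALLER_EXE = re.compile(r"^[A-Za-z]:\\Windows\\Installer\\\{[0-9A-Fa-f-]{36}\}\\[^\\]+\.exe$", re.I)
DEL_TARGET = re.compile(r'\bdel\b.*?"?([A-Za-z]:\\[^"]+)"?\s*$', re.I)
# Rule-name prefixes Windows ships with; a netsh-added allow rule reusing them is masquerading.
BUILTIN_RULE_PREFIXES = ("core networking",)


def parse_netsh_rule(cmdline):
    """Return (verb, {key: value}) for an 'advfirewall firewall add|set rule' command, else None."""
    m = NETSH_RULE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): (quoted or bare) for k, _whole, quoted, bare in KEY_VALUE.findall(m.group(2))}
    return m.group(1).lower(), args


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        # 1. Firewall allow rule named after a built-in Windows rule group.
        parsed = parse_netsh_rule(e.cmdline)
        if parsed:
            verb, args = parsed
            name = args.get("name", "")
            if name.lower().startswith(BUILTIN_RULE_PREFIXES) and args.get("action", "").lower() == "allow":
                findings.append(("fw_rule_masquerade", e.pid,
                                 f'{verb} rule "{name}" dir={args.get("dir")} from {parent_image}'))
        # 2. Executable launched from the MSI installer cache directory.
        if INSTALLER_EXE.match(e.image):
            findings.append(("installer_cache_exe", e.pid, e.cmdline))
        # 3. cmd.exe deleting a file in its parent's own directory (self-deletion pattern).
        if parent and ntpath.basename(e.image).lower() == "cmd.exe":
            m = DEL_TARGET.search(e.cmdline)
            if m and ntpath.dirname(m.group(1)).lower() == ntpath.dirname(parent.image).lower():
                findings.append(("self_delete", e.pid, f"{parent_image} -> del {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Run against the constructed events, detect() returns four findings (the self-deletion, the installer-cache launch and the two masquerading firewall rules) and stays silent on the uniquely named "Contoso Agent" rule. On a real sensor feed the same three checks map onto process-creation events (for example Sysmon event ID 1 or Windows Security event 4688 with command-line logging enabled); the "Core Networking" prefix list is deliberately short and should be extended with the other built-in group names an environment actually has.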
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe (listed twice in the report with identical values)
Filesize  87KB
MD5  e7fceebd11f69a00d6ec2856e2fe1835
SHA1  f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8
SHA256  0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d
SHA512  8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64
These hashes match the submitted sample exactly, so syshost.exe is a byte-for-byte copy of the original executable and the same file hashes identify both the initial dropper and the persisted copy.
-
memory/828-55-0x0000000000400000-0x0000000000417000-memory.dmp  92KB
memory/828-57-0x0000000000400000-0x0000000000417000-memory.dmp  92KB
memory/828-58-0x0000000000230000-0x0000000000236000-memory.dmp  24KB
memory/828-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp  8KB
memory/828-65-0x0000000000400000-0x0000000000417000-memory.dmp  92KB
memory/1448-68-0x0000000000000000-mapping.dmp
memory/1576-70-0x0000000000000000-mapping.dmp
memory/1612-71-0x0000000000000000-mapping.dmp
memory/1636-64-0x0000000000000000-mapping.dmp
memory/1748-74-0x0000000000000000-mapping.dmp
memory/1960-67-0x00000000002F0000-0x00000000002F6000-memory.dmp  24KB
memory/1960-66-0x0000000000400000-0x0000000000417000-memory.dmp  92KB