0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

General

Target

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
Size

87KB
MD5

e7fceebd11f69a00d6ec2856e2fe1835
SHA1

f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8
SHA256

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d
SHA512

8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64
SSDEEP

1536:OWoWmsjGwdQe2ZBslGwery5fGpb1clN5Vjd3TLU5fgXRgglg2Rvw:wWmsuZBssw6LcLdf8fgBgglg2Rw

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

syshost.exe

pid process

1960 syshost.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1748 netsh.exe
1448 netsh.exe
1576 netsh.exe
1612 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe

pid	process
1960	syshost.exe

pid	process
1748	netsh.exe
1448	netsh.exe
1576	netsh.exe
1612	netsh.exe

pid	process
1636	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

syshost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	syshost.exe

Drops file in Windows directory 3 IoCs

Processes:

syshost.exe0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe.tmp	syshost.exe
File created	C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
File opened for modification	C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

netsh.exenetsh.exesyshost.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting	syshost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	syshost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

syshost.exe

pid process

1960 syshost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

pid process

828 0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

pid	process
1960	syshost.exe

pid	process
828	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

syshost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1960	syshost.exe
Token: SeIncreaseQuotaPrivilege	1960	syshost.exe
Token: SeShutdownPrivilege	1960	syshost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exesyshost.exe

description	pid	process	target process
PID 828 wrote to memory of 1636	828	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 828 wrote to memory of 1636	828	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 828 wrote to memory of 1636	828	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 828 wrote to memory of 1636	828	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 1960 wrote to memory of 1448	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1448	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1448	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1448	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1576	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1576	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1576	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1576	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1612	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1612	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1612	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1612	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1748	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1748	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1748	1960	syshost.exe	netsh.exe
PID 1960 wrote to memory of 1748	1960	syshost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
"C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\edbe27c5.tmp"
2⤵
- Deletes itself
PID:1636

C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe
"C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1576

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1612

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe
Filesize
87KB

MD5
e7fceebd11f69a00d6ec2856e2fe1835

SHA1
f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8

SHA256
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

SHA512
8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64

Download Submit
C:\Windows\Installer\{CF31981C-2413-A9E1-BC99-1D689AC9704B}\syshost.exe
Filesize
87KB

MD5
e7fceebd11f69a00d6ec2856e2fe1835

SHA1
f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8

SHA256
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

SHA512
8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64

Download Submit
memory/828-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/828-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/828-58-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/828-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/828-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1448-68-0x0000000000000000-mapping.dmp

Download
memory/1576-70-0x0000000000000000-mapping.dmp

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1636-64-0x0000000000000000-mapping.dmp

Download
memory/1748-74-0x0000000000000000-mapping.dmp

Download
memory/1960-67-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1960-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads