0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

General

Target

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
Size

87KB
MD5

e7fceebd11f69a00d6ec2856e2fe1835
SHA1

f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8
SHA256

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d
SHA512

8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64
SSDEEP

1536:OWoWmsjGwdQe2ZBslGwery5fGpb1clN5Vjd3TLU5fgXRgglg2Rvw:wWmsuZBssw6LcLdf8fgBgglg2Rw

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

syshost.exe

pid process

1564 syshost.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1200 netsh.exe
4588 netsh.exe
3828 netsh.exe
1304 netsh.exe

pid	process
1564	syshost.exe

pid	process
1200	netsh.exe
4588	netsh.exe
3828	netsh.exe
1304	netsh.exe

Drops file in Windows directory 3 IoCs

Processes:

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exesyshost.exe

description	ioc	process
File created	C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
File opened for modification	C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
File opened for modification	C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe.tmp	syshost.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

syshost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting syshost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

syshost.exe

pid process

1564 syshost.exe
1564 syshost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

pid process

4328 0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting	syshost.exe

pid	process
1564	syshost.exe
1564	syshost.exe

pid	process
4328	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

syshost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1564	syshost.exe
Token: SeIncreaseQuotaPrivilege	1564	syshost.exe
Token: SeShutdownPrivilege	1564	syshost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exesyshost.exe

description	pid	process	target process
PID 4328 wrote to memory of 4196	4328	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 4328 wrote to memory of 4196	4328	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 4328 wrote to memory of 4196	4328	0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe	cmd.exe
PID 1564 wrote to memory of 3828	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 3828	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 3828	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1304	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1304	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1304	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1200	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1200	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 1200	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 4588	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 4588	1564	syshost.exe	netsh.exe
PID 1564 wrote to memory of 4588	1564	syshost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe
"C:\Users\Admin\AppData\Local\Temp\0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\dede79fd.tmp"
2⤵
PID:4196

C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe
"C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
PID:3828

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
PID:1304

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
PID:1200

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
2⤵
- Modifies Windows Firewall
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe

Filesize
87KB

MD5
e7fceebd11f69a00d6ec2856e2fe1835

SHA1
f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8

SHA256
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

SHA512
8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64

Download Submit
C:\Windows\Installer\{BF904683-2D9F-E588-C5CB-9600A33078B3}\syshost.exe

Filesize
87KB

MD5
e7fceebd11f69a00d6ec2856e2fe1835

SHA1
f8016b412cdb8c6d6f3bb74e85b59ed0ff203db8

SHA256
0b592f8fa27773427e81fcce883e8a57737973e34567122113ac72c5d616e44d

SHA512
8b77150607142abe5bdc40f4e578a624adfcf8ec4c02df8fe9d9e1083095c0a259d6eb586ac98c52c4a69f87982df0f9b452378a87f983d128e43cf72dc49a64

Download Submit
memory/1200-146-0x0000000000000000-mapping.dmp

Download
memory/1304-145-0x0000000000000000-mapping.dmp

Download
memory/1564-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1564-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3828-143-0x0000000000000000-mapping.dmp

Download
memory/4196-140-0x0000000000000000-mapping.dmp

Download
memory/4328-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4328-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4328-135-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/4328-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4588-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads