88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a

General

Target

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
Size

314KB
MD5

88cec7ee32c69ec345641457b99fa642
SHA1

2319981e0ddcd42473b66e8140b4da21bf174de5
SHA256

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a
SHA512

7994f1042a8d0c2eab589cff94ca6429dddcae73d4b8d6118f172175e329b6af6bdf7ee6be077873099a1021b84e73d0c8182ec757997974a2191e8de89afb27
SSDEEP

6144:ljGfV+EP4+FT+U0jLL/RmRxjuJHXI0u0+4c3+L:1GfV+U+U0jP5mRxCHX6T3K

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

syki.exesyki.exe

pid process

1568 syki.exe
748 syki.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

920 cmd.exe

pid	process
1568	syki.exe
748	syki.exe

pid	process
920	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe

pid	process
1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{2354EFA1-C740-BD7D-D045-EBE4E60A83CA} = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mievm\\syki.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exesyki.exe

description	pid	process	target process
PID 1616 set thread context of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1568 set thread context of 748	1568	syki.exe	syki.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4D1D2C61-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exesyki.exesyki.exeexplorer.exe

pid	process
1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
1568	syki.exe
1568	syki.exe
748	syki.exe
748	syki.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

syki.exe

pid process

748 syki.exe

pid	process
748	syki.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
Token: SeManageVolumePrivilege	1276	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1276 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1276 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1276 WinMail.exe

pid	process
1276	WinMail.exe

pid	process
1276	WinMail.exe

pid	process
1276	WinMail.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exesyki.exesyki.exeexplorer.exe

description	pid	process	target process
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1616 wrote to memory of 1464	1616	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
PID 1464 wrote to memory of 1568	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	syki.exe
PID 1464 wrote to memory of 1568	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	syki.exe
PID 1464 wrote to memory of 1568	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	syki.exe
PID 1464 wrote to memory of 1568	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1568 wrote to memory of 748	1568	syki.exe	syki.exe
PID 1464 wrote to memory of 920	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 1464 wrote to memory of 920	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 1464 wrote to memory of 920	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 1464 wrote to memory of 920	1464	88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe	cmd.exe
PID 748 wrote to memory of 792	748	syki.exe	explorer.exe
PID 748 wrote to memory of 792	748	syki.exe	explorer.exe
PID 748 wrote to memory of 792	748	syki.exe	explorer.exe
PID 748 wrote to memory of 792	748	syki.exe	explorer.exe
PID 792 wrote to memory of 1244	792	explorer.exe	Explorer.EXE
PID 792 wrote to memory of 1244	792	explorer.exe	Explorer.EXE
PID 792 wrote to memory of 1244	792	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
"C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe
"C:\Users\Admin\AppData\Local\Temp\88e56de48e4234d44d68cad33b4173003505a23be4c6681f2c4390d8a9b7d13a.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Roaming\Mievm\syki.exe
"C:\Users\Admin\AppData\Roaming\Mievm\syki.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Roaming\Mievm\syki.exe
"C:\Users\Admin\AppData\Roaming\Mievm\syki.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp19b74aa0.bat"
4⤵
- Deletes itself
PID:920

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp19b74aa0.bat

Filesize
307B

MD5
9916fe4d65536df94f62b7189fd32a61

SHA1
0285ee962315561ab20094dd9c9e3c566feb1454

SHA256
67a73ae78077c752b78320a0627af0f7dcad525773060a01944c81e003d9ed23

SHA512
efec0f213f118eec1c91e47f834860582023d87460a4cffa12a2b35daa94814a533ecc81981a899d2192631e246df3bae1182f57d5b995089ce0febb44a7c09b

Download Submit
C:\Users\Admin\AppData\Roaming\Mievm\syki.exe

Filesize
314KB

MD5
157f77921821340ac1e824e0a1fb4da5

SHA1
2144c39bee8ea08f2790bad66e5e667ede183ebb

SHA256
94bbb5c5a97e74195356cf7dd7d64dd297e39c22b1b1f0999f24620e7b1cde03

SHA512
e7cace9de3b703977b05263654584db896954ed0629d743be3d24e5a4d6116622f7ae39558fd59d99ba05e75c709d7d64f6ec53018a2889bbdef96f15af7ea70

Download Submit
C:\Users\Admin\AppData\Roaming\Mievm\syki.exe

Filesize
314KB

MD5
157f77921821340ac1e824e0a1fb4da5

SHA1
2144c39bee8ea08f2790bad66e5e667ede183ebb

SHA256
94bbb5c5a97e74195356cf7dd7d64dd297e39c22b1b1f0999f24620e7b1cde03

SHA512
e7cace9de3b703977b05263654584db896954ed0629d743be3d24e5a4d6116622f7ae39558fd59d99ba05e75c709d7d64f6ec53018a2889bbdef96f15af7ea70

Download Submit
C:\Users\Admin\AppData\Roaming\Mievm\syki.exe

Filesize
314KB

MD5
157f77921821340ac1e824e0a1fb4da5

SHA1
2144c39bee8ea08f2790bad66e5e667ede183ebb

SHA256
94bbb5c5a97e74195356cf7dd7d64dd297e39c22b1b1f0999f24620e7b1cde03

SHA512
e7cace9de3b703977b05263654584db896954ed0629d743be3d24e5a4d6116622f7ae39558fd59d99ba05e75c709d7d64f6ec53018a2889bbdef96f15af7ea70

Download Submit
\Users\Admin\AppData\Roaming\Mievm\syki.exe

Filesize
314KB

MD5
157f77921821340ac1e824e0a1fb4da5

SHA1
2144c39bee8ea08f2790bad66e5e667ede183ebb

SHA256
94bbb5c5a97e74195356cf7dd7d64dd297e39c22b1b1f0999f24620e7b1cde03

SHA512
e7cace9de3b703977b05263654584db896954ed0629d743be3d24e5a4d6116622f7ae39558fd59d99ba05e75c709d7d64f6ec53018a2889bbdef96f15af7ea70

Download Submit
\Users\Admin\AppData\Roaming\Mievm\syki.exe

Filesize
314KB

MD5
157f77921821340ac1e824e0a1fb4da5

SHA1
2144c39bee8ea08f2790bad66e5e667ede183ebb

SHA256
94bbb5c5a97e74195356cf7dd7d64dd297e39c22b1b1f0999f24620e7b1cde03

SHA512
e7cace9de3b703977b05263654584db896954ed0629d743be3d24e5a4d6116622f7ae39558fd59d99ba05e75c709d7d64f6ec53018a2889bbdef96f15af7ea70

Download Submit
memory/748-114-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/748-87-0x0000000000412DB6-mapping.dmp

Download
memory/748-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/792-97-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download
memory/792-94-0x0000000000000000-mapping.dmp

Download
memory/792-98-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/920-92-0x0000000000000000-mapping.dmp

Download
memory/1276-100-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1276-101-0x000007FEF61D1000-0x000007FEF61D3000-memory.dmp

Filesize
8KB

Download
memory/1276-102-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1276-108-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/1464-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-93-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-68-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1464-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-64-0x0000000000412DB6-mapping.dmp

Download
memory/1464-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1568-73-0x0000000000000000-mapping.dmp

Download
memory/1616-65-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads