c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
Size

1.2MB
MD5

5369e6f7725ef035d5e5ec8e1af45d12
SHA1

3736137464105dda712d3cdbb8fbdb405c5e95b8
SHA256

c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9
SHA512

72469168b2b143e749a1bba1daf6070a4e6d7cce2fa9fff12f0a83354cf7ff2b2a718e62641fd51d30e52be862e04c29079777cf57682277af5438ee99202e02
SSDEEP

24576:F4lavt0LkLL9IMixoEgea43/C/rthNheYtEdk9lq9MmCS:ckwkn9IMHea434hnHraPCS

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2032	passlist.exe
1704	Facebook Hacker.exe
280	Sysmys.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
336	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\passlist.exe	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\passlist.exe	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe

Loads dropped DLL 5 IoCs

pid	Process
1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
2032	passlist.exe
2032	passlist.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bafcac485f78b617b76b11cb26ef9cee = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sysmys.exe\" .."	Sysmys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bafcac485f78b617b76b11cb26ef9cee = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sysmys.exe\" .."	Sysmys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe
Token: 33	280	Sysmys.exe
Token: SeIncBasePriorityPrivilege	280	Sysmys.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2032	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	27
PID 1896 wrote to memory of 2032	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	27
PID 1896 wrote to memory of 2032	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	27
PID 1896 wrote to memory of 2032	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	27
PID 1896 wrote to memory of 1704	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	28
PID 1896 wrote to memory of 1704	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	28
PID 1896 wrote to memory of 1704	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	28
PID 1896 wrote to memory of 1704	1896	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	28
PID 2032 wrote to memory of 280	2032	passlist.exe	29
PID 2032 wrote to memory of 280	2032	passlist.exe	29
PID 2032 wrote to memory of 280	2032	passlist.exe	29
PID 2032 wrote to memory of 280	2032	passlist.exe	29
PID 280 wrote to memory of 336	280	Sysmys.exe	30
PID 280 wrote to memory of 336	280	Sysmys.exe	30
PID 280 wrote to memory of 336	280	Sysmys.exe	30
PID 280 wrote to memory of 336	280	Sysmys.exe	30

C:\Users\Admin\AppData\Local\Temp\c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
"C:\Users\Admin\AppData\Local\Temp\c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\passlist.exe
  C:\Users\Admin\AppData\Local\Temp/passlist.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\Sysmys.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysmys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sysmys.exe" "Sysmys.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:336
- C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe
  "C:\Users\Admin\AppData\Local\Temp/Facebook Hacker.exe"
  2⤵
  - Executes dropped EXE
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe

Filesize
484KB

MD5
ede83e94140d4d9f5cbaeac0b8c52517

SHA1
c3e6dc3d4facbfe0f7900b94e93f0e1198fb0719

SHA256
1b535d183ad128d8edc41cf8f6404237ee88904ff3a829bc4543791d5a09a452

SHA512
ed68d102c53c557d3f897d6f08ae428983a53daa8e5523b2d1138bc341892d7187c30a1428bb51c467145f71bafa2f983c628e4dd5995a6ece6d87e81dda9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe

Filesize
484KB

MD5
ede83e94140d4d9f5cbaeac0b8c52517

SHA1
c3e6dc3d4facbfe0f7900b94e93f0e1198fb0719

SHA256
1b535d183ad128d8edc41cf8f6404237ee88904ff3a829bc4543791d5a09a452

SHA512
ed68d102c53c557d3f897d6f08ae428983a53daa8e5523b2d1138bc341892d7187c30a1428bb51c467145f71bafa2f983c628e4dd5995a6ece6d87e81dda9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe

Filesize
484KB

MD5
ede83e94140d4d9f5cbaeac0b8c52517

SHA1
c3e6dc3d4facbfe0f7900b94e93f0e1198fb0719

SHA256
1b535d183ad128d8edc41cf8f6404237ee88904ff3a829bc4543791d5a09a452

SHA512
ed68d102c53c557d3f897d6f08ae428983a53daa8e5523b2d1138bc341892d7187c30a1428bb51c467145f71bafa2f983c628e4dd5995a6ece6d87e81dda9c78

Download Submit
\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
memory/280-76-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/280-78-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-66-0x000007FEF2DC0000-0x000007FEF3E56000-memory.dmp

Filesize
16.6MB

Download
memory/1704-68-0x00000000020E7000-0x0000000002106000-memory.dmp

Filesize
124KB

Download
memory/1704-64-0x000007FEF4230000-0x000007FEF4C53000-memory.dmp

Filesize
10.1MB

Download
memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/2032-67-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-75-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download