fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab

General

Target

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe
Size

194KB
MD5

50011c70e1fc41269b49dd76250449d9
SHA1

2a3c1b5d12b05dcf692762ae89e14944db237910
SHA256

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab
SHA512

410c231ab156655b6f655902bc5efb313a2daa658a649a6a2d3b9b409403595d23eadb1514ffaf2b2233957a1b75d778a0cb16fef08d6ff31dd393149a86aa99
SSDEEP

3072:fDLK2h+t3fucSMxfBxxAI7IZ67/X/J/U8+d9R2WH9LPRJqFx/LZBia6C:fV+tvulM7xn97/X/y8+dT2m1RJSfga

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RYSICQ5USD.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Winlogo = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe"	.exe

Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

1016 .exe

pid	process
1016	.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEDB1EF-D66B-ECDE-BD1F-E763E1FAFABE}	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEDB1EF-D66B-ECDE-BD1F-E763E1FAFABE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe"	.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{FCEDB1EF-D66B-ECDE-BD1F-E763E1FAFABE}	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components\{FCEDB1EF-D66B-ECDE-BD1F-E763E1FAFABE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe"	.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1016-57-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-59-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-60-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-64-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-66-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-81-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1016-82-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe

pid process

1420 fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe

pid	process
1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogo = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe"	.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogo = "C:\\Users\\Admin\\AppData\\Roaming\\RYSICQ5USD.exe"	.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe

description pid process target process

PID 1420 set thread context of 1016 1420 fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe .exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

584 reg.exe
1976 reg.exe
1044 reg.exe
1428 reg.exe

description	pid	process	target process
PID 1420 set thread context of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe

pid	process
584	reg.exe
1976	reg.exe
1044	reg.exe
1428	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe.exe

description	pid	process
Token: SeDebugPrivilege	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe
Token: 1	1016	.exe
Token: SeCreateTokenPrivilege	1016	.exe
Token: SeAssignPrimaryTokenPrivilege	1016	.exe
Token: SeLockMemoryPrivilege	1016	.exe
Token: SeIncreaseQuotaPrivilege	1016	.exe
Token: SeMachineAccountPrivilege	1016	.exe
Token: SeTcbPrivilege	1016	.exe
Token: SeSecurityPrivilege	1016	.exe
Token: SeTakeOwnershipPrivilege	1016	.exe
Token: SeLoadDriverPrivilege	1016	.exe
Token: SeSystemProfilePrivilege	1016	.exe
Token: SeSystemtimePrivilege	1016	.exe
Token: SeProfSingleProcessPrivilege	1016	.exe
Token: SeIncBasePriorityPrivilege	1016	.exe
Token: SeCreatePagefilePrivilege	1016	.exe
Token: SeCreatePermanentPrivilege	1016	.exe
Token: SeBackupPrivilege	1016	.exe
Token: SeRestorePrivilege	1016	.exe
Token: SeShutdownPrivilege	1016	.exe
Token: SeDebugPrivilege	1016	.exe
Token: SeAuditPrivilege	1016	.exe
Token: SeSystemEnvironmentPrivilege	1016	.exe
Token: SeChangeNotifyPrivilege	1016	.exe
Token: SeRemoteShutdownPrivilege	1016	.exe
Token: SeUndockPrivilege	1016	.exe
Token: SeSyncAgentPrivilege	1016	.exe
Token: SeEnableDelegationPrivilege	1016	.exe
Token: SeManageVolumePrivilege	1016	.exe
Token: SeImpersonatePrivilege	1016	.exe
Token: SeCreateGlobalPrivilege	1016	.exe
Token: 31	1016	.exe
Token: 32	1016	.exe
Token: 33	1016	.exe
Token: 34	1016	.exe
Token: 35	1016	.exe
Token: SeDebugPrivilege	1016	.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

.exe

pid process

1016 .exe
1016 .exe
1016 .exe

pid	process
1016	.exe
1016	.exe
1016	.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1420 wrote to memory of 1016	1420	fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe	.exe
PID 1016 wrote to memory of 388	1016	.exe	cmd.exe
PID 1016 wrote to memory of 388	1016	.exe	cmd.exe
PID 1016 wrote to memory of 388	1016	.exe	cmd.exe
PID 1016 wrote to memory of 388	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1176	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1176	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1176	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1176	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1728	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1728	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1728	1016	.exe	cmd.exe
PID 1016 wrote to memory of 1728	1016	.exe	cmd.exe
PID 1016 wrote to memory of 872	1016	.exe	cmd.exe
PID 1016 wrote to memory of 872	1016	.exe	cmd.exe
PID 1016 wrote to memory of 872	1016	.exe	cmd.exe
PID 1016 wrote to memory of 872	1016	.exe	cmd.exe
PID 1728 wrote to memory of 1428	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 1428	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 1428	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 1428	1728	cmd.exe	reg.exe
PID 1176 wrote to memory of 1044	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1044	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1044	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1044	1176	cmd.exe	reg.exe
PID 388 wrote to memory of 1976	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1976	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1976	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1976	388	cmd.exe	reg.exe
PID 872 wrote to memory of 584	872	cmd.exe	reg.exe
PID 872 wrote to memory of 584	872	cmd.exe	reg.exe
PID 872 wrote to memory of 584	872	cmd.exe	reg.exe
PID 872 wrote to memory of 584	872	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe
"C:\Users\Admin\AppData\Local\Temp\fcf941c4e5a0350210bf916fb25e29682654832911c59b7599826c714fddaaab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\.exe
C:\Users\Admin\AppData\Local\Temp\.exe
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RYSICQ5USD.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RYSICQ5USD.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RYSICQ5USD.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RYSICQ5USD.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/388-73-0x0000000000000000-mapping.dmp

Download
memory/584-80-0x0000000000000000-mapping.dmp

Download
memory/872-76-0x0000000000000000-mapping.dmp

Download
memory/1016-59-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-61-0x0000000000471130-mapping.dmp

Download
memory/1016-64-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-82-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-81-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-66-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-60-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1016-56-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1044-78-0x0000000000000000-mapping.dmp

Download
memory/1176-74-0x0000000000000000-mapping.dmp

Download
memory/1420-67-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1420-65-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-77-0x0000000000000000-mapping.dmp

Download
memory/1728-75-0x0000000000000000-mapping.dmp

Download
memory/1976-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads