963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735

Analysis

max time kernel
175s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 16:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
Size

355KB
MD5

78130e9f5b366e17c525a938a7c12eba
SHA1

1e1e86eb22507b6925ec4cee2620edb4be8e14d3
SHA256

963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735
SHA512

768991981146d3996bf3d820b979c823305bd9b7fcbbcd6239bf195dd49686057abdf0cfc27a1e32144925f56e1a9a5abc26f5ee80c3c7f91f200922171d68a1
SSDEEP

6144:4IRGZr7LD4QP5EiQ1EABZ3shlgJ7Br6/SjG6WK1+aqpbtVXWz3ePdZvV:4IRGZr7NQ1PzJZ6/SjbW5pbtVGG7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iSyncHost.exe = "c:\\windows\\syswow64\\iSyncHost.exe"	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\yRdpSaProxy.bat	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
File created	\??\c:\windows\SysWOW64\iSyncHost.exe	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
File opened for modification	\??\c:\windows\SysWOW64\iSyncHost.exe	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3728	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1672	5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe	80
PID 5032 wrote to memory of 1672	5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe	80
PID 5032 wrote to memory of 1672	5032	963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe	80
PID 1672 wrote to memory of 3728	1672	cmd.exe	82
PID 1672 wrote to memory of 3728	1672	cmd.exe	82
PID 1672 wrote to memory of 3728	1672	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe
"C:\Users\Admin\AppData\Local\Temp\963064ae71f8fbef55c9c59dc46693182ee6931493d17039068dd3f4c57be735.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\syswow64\yRdpSaProxy.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3600
    3⤵
    - Runs ping.exe
    PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\yRdpSaProxy.bat

Filesize
111B

MD5
cfe68d616232ca6fef5cc4bd735fd05c

SHA1
618b8005064e3db8b091ad44ba195bbac573144c

SHA256
5bb5efc8080182fc6436f5fa2636854c8643dce7a367b0654ca1d1628cfa0e0e

SHA512
2d0f8688ca1977ac0d8295e321aa80304eec430affa531423294182e1257a1716a52f803de3e2691d311ca372dd48d957fb564793b65635b5ab576879958c3df

Download Submit