Analysis

  • max time kernel
    125s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 10:47

General

  • Target

    f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe

  • Size

    378KB

  • MD5

    84024db2745e8bb754ce8ff3a99b53d8

  • SHA1

    71ef6e78338dfd3a0b9bf4b15fd7f77ee0241009

  • SHA256

    f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19

  • SHA512

    da001c26b21748ed4fd5c319336526137451cac5927a6348ef616b5409413696a9a2fac3aeb3b34f180043312fb27d42971e16fa0b70c3c0d0a9a1d0907481c9

  • SSDEEP

    6144:ceNU1uIJW3hVEckfSOBlWWRmGwL4QQgKKX8x7/2xWqWma2XDzHPt281:PyJmhVrpOjWtGNgDUiWqWNKDrt2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
    "C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Program Files\Sysremser.exe
      "C:\Program Files\Sysremser.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        3⤵
        • Modifies registry class
        PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe"
      2⤵
        PID:3360

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Sysremser.exe

      Filesize

      378KB

      MD5

      84024db2745e8bb754ce8ff3a99b53d8

      SHA1

      71ef6e78338dfd3a0b9bf4b15fd7f77ee0241009

      SHA256

      f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19

      SHA512

      da001c26b21748ed4fd5c319336526137451cac5927a6348ef616b5409413696a9a2fac3aeb3b34f180043312fb27d42971e16fa0b70c3c0d0a9a1d0907481c9

    • C:\Program Files\Sysremser.exe

      Filesize

      378KB

      MD5

      84024db2745e8bb754ce8ff3a99b53d8

      SHA1

      71ef6e78338dfd3a0b9bf4b15fd7f77ee0241009

      SHA256

      f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19

      SHA512

      da001c26b21748ed4fd5c319336526137451cac5927a6348ef616b5409413696a9a2fac3aeb3b34f180043312fb27d42971e16fa0b70c3c0d0a9a1d0907481c9

    • memory/2080-139-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB

    • memory/3528-137-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB

    • memory/3528-141-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB

    • memory/4980-132-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB

    • memory/4980-133-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB

    • memory/4980-142-0x0000000010000000-0x0000000010167000-memory.dmp

      Filesize

      1.4MB