cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

Analysis

max time kernel
76s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
Size

124KB
MD5

afa7a010da6ed78a43780f5aba66f1d1
SHA1

38ee00346262ca90eaa1fed6782ef1d1d3f944b9
SHA256

cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea
SHA512

8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f
SSDEEP

1536:vXYOvhCoMhWBS0ZJL/FwDt1Go4bEmHRkbHS+5pweJWYgkUW0TjzIbVCF6iN6l886:vXhlMhgB/L64bHiHNweJ0TEVC0jl88wR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2304	syshost.exe
1700	syshost.exe
3280	syshost.exe
1012	syshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshost32 = "C:\\Windows\\Installer\\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\\syshost.exe"	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 2304 set thread context of 1700	2304	syshost.exe	83
PID 3280 set thread context of 1012	3280	syshost.exe	87

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe	syshost.exe
File created	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe	syshost.exe
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe.tmp	syshost.exe
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe	syshost.exe
File opened for modification	C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe.tmp	syshost.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3976	1700	WerFault.exe	83
936	4304	WerFault.exe	79
3504	1700	WerFault.exe	83
4308	4304	WerFault.exe	79

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications	syshost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\S0_XY	syshost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\S0_XY\Recent File List	syshost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\S0_XY\Settings	syshost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
2304	syshost.exe
2304	syshost.exe
2304	syshost.exe
2304	syshost.exe
2304	syshost.exe
2304	syshost.exe
1700	syshost.exe
1700	syshost.exe
3280	syshost.exe
3280	syshost.exe
3280	syshost.exe
3280	syshost.exe
3280	syshost.exe
3280	syshost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
2304	syshost.exe
2304	syshost.exe
3280	syshost.exe
3280	syshost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 4304 wrote to memory of 3732	4304	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	80
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 2304 wrote to memory of 1700	2304	syshost.exe	83
PID 3732 wrote to memory of 3280	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	85
PID 3732 wrote to memory of 3280	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	85
PID 3732 wrote to memory of 3280	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	85
PID 3732 wrote to memory of 2448	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	86
PID 3732 wrote to memory of 2448	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	86
PID 3732 wrote to memory of 2448	3732	cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe	86
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 3280 wrote to memory of 1012	3280	syshost.exe	87
PID 1012 wrote to memory of 3812	1012	syshost.exe	88
PID 1012 wrote to memory of 3812	1012	syshost.exe	88
PID 1012 wrote to memory of 3812	1012	syshost.exe	88

C:\Users\Admin\AppData\Local\Temp\cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
"C:\Users\Admin\AppData\Local\Temp\cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
  C:\Users\Admin\AppData\Local\Temp\cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
    C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
      C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\2fea557d.tmp"
        5⤵
        
        PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea.exe"
    3⤵
    PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 256
  2⤵
  - Program crash
  PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 256
  2⤵
  - Program crash
  PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4304 -ip 4304
1⤵
PID:3924

C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
"C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
  C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 404
    3⤵
    - Program crash
    PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 188
    3⤵
    - Program crash
    PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1700 -ip 1700
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1700 -ip 1700
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4304 -ip 4304
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe

Filesize
124KB

MD5
afa7a010da6ed78a43780f5aba66f1d1

SHA1
38ee00346262ca90eaa1fed6782ef1d1d3f944b9

SHA256
cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

SHA512
8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f

Download Submit
C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe

Filesize
124KB

MD5
afa7a010da6ed78a43780f5aba66f1d1

SHA1
38ee00346262ca90eaa1fed6782ef1d1d3f944b9

SHA256
cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

SHA512
8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f

Download Submit
C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe

Filesize
124KB

MD5
afa7a010da6ed78a43780f5aba66f1d1

SHA1
38ee00346262ca90eaa1fed6782ef1d1d3f944b9

SHA256
cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

SHA512
8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f

Download Submit
C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe

Filesize
124KB

MD5
afa7a010da6ed78a43780f5aba66f1d1

SHA1
38ee00346262ca90eaa1fed6782ef1d1d3f944b9

SHA256
cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

SHA512
8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f

Download Submit
C:\Windows\Installer\{2CA06D6F-975D-7346-673C-CA7A45181AC2}\syshost.exe

Filesize
124KB

MD5
afa7a010da6ed78a43780f5aba66f1d1

SHA1
38ee00346262ca90eaa1fed6782ef1d1d3f944b9

SHA256
cc9ff64e31ecad707d1e395f65fe6616299736c18418798c38e4c789c47c36ea

SHA512
8d34d2f9130227714deaf26a378a636412ca35d53b371ef7013422b20b5ee079db9c848034d8642f17a75128a5ae3cf5ecca0a852a178e29298d5b158231ba1f

Download Submit
memory/1012-166-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/1012-165-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-158-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/3732-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-139-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-160-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-140-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-141-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/3732-135-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4304-133-0x0000000002370000-0x0000000002374000-memory.dmp

Filesize
16KB

Download