02d1aed87366355321948056b3b3ebeb32b12d4db7423bae8b31d174d72d4da8

General

Target

4fa6c1c17e7c1296d9eef7676b948c46.exe
Size

75KB
MD5

4fa6c1c17e7c1296d9eef7676b948c46
SHA1

27bdc174fa02ff18f4d5bafd622d46fdb9bd1b3f
SHA256

02d1aed87366355321948056b3b3ebeb32b12d4db7423bae8b31d174d72d4da8
SHA512

e5fa924db2facf47cd8ea14878c51be73dd81311d67aea05c3c5106817763e50d3d60667987ab76f98f6a0c2378c443fc99a4e526e093e81693548b282604d81
SSDEEP

1536:RGjac6lUu4sjBS28Ck89bcRobapREOm9FbOBWVe/bEw3BWF17xwhHKnLB8NhZg/3:RG+baBL30F11whqnNz/OB/q

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
4088	netsh.exe
2144	netsh.exe
3512	netsh.exe
3256	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4720	syshost.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.32.31.41
Destination IP	178.32.31.41

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{46417BEB-90F2-2B06-E8EC-0512C8A09DA1}\syshost.exe.tmp	syshost.exe
File created	C:\Windows\Installer\{46417BEB-90F2-2B06-E8EC-0512C8A09DA1}\syshost.exe	4fa6c1c17e7c1296d9eef7676b948c46.exe
File opened for modification	C:\Windows\Installer\{46417BEB-90F2-2B06-E8EC-0512C8A09DA1}\syshost.exe	4fa6c1c17e7c1296d9eef7676b948c46.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	syshost.exe
4720	syshost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4856	4fa6c1c17e7c1296d9eef7676b948c46.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4720	syshost.exe
Token: SeIncreaseQuotaPrivilege	4720	syshost.exe
Token: SeShutdownPrivilege	4720	syshost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2164	4856	4fa6c1c17e7c1296d9eef7676b948c46.exe	101
PID 4856 wrote to memory of 2164	4856	4fa6c1c17e7c1296d9eef7676b948c46.exe	101
PID 4856 wrote to memory of 2164	4856	4fa6c1c17e7c1296d9eef7676b948c46.exe	101
PID 4720 wrote to memory of 4088	4720	syshost.exe	103
PID 4720 wrote to memory of 4088	4720	syshost.exe	103
PID 4720 wrote to memory of 4088	4720	syshost.exe	103

C:\Users\Admin\AppData\Local\Temp\4fa6c1c17e7c1296d9eef7676b948c46.exe
"C:\Users\Admin\AppData\Local\Temp\4fa6c1c17e7c1296d9eef7676b948c46.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\d33f04c5.tmp"
  2⤵
  PID:2164

C:\Windows\Installer\{46417BEB-90F2-2B06-E8EC-0512C8A09DA1}\syshost.exe
"C:\Windows\Installer\{46417BEB-90F2-2B06-E8EC-0512C8A09DA1}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:4088
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:2144
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:3512
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4720-15-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4720-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-9-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4720-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-14-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4720-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4856-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4856-12-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4856-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4856-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4856-5-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/4856-2-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4856-0-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads