c64857d2acfaa9165981da94f99fa442c74fadb9a341d599fb814b759ec8c681

General

Target

f8ca9a5a81760b8daa607fdfd6d65c91.exe
Size

32KB
MD5

f8ca9a5a81760b8daa607fdfd6d65c91
SHA1

641f761f388ef4e98aea2baa1a99c21a876fd612
SHA256

c64857d2acfaa9165981da94f99fa442c74fadb9a341d599fb814b759ec8c681
SHA512

2349dba6c5710364d4b4d71dfd43a0818ebb8575ea58a861b07d7eb29761e7013bf01317bfb86e819be412c3015f7c6171f0d314ce55f481f28f1454b3d56624
SSDEEP

768:5PNIbkvWI1hD90XbEf3xtUP0j1pRPdpQIPZc9:pzWITD90rSvUP0jFbQIBc9

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f8ca9a5a81760b8daa607fdfd6d65c91.exe

Executes dropped EXE 8 IoCs

pid	Process
4780	skybot.exe
1872	skybot.exe
1656	skybot.exe
4740	skybot.exe
4208	skybot.exe
4280	skybot.exe
3288	skybot.exe
3116	skybot.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	f8ca9a5a81760b8daa607fdfd6d65c91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	f8ca9a5a81760b8daa607fdfd6d65c91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File opened for modification	C:\Windows\SysWOW64\skybot.exe	f8ca9a5a81760b8daa607fdfd6d65c91.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	f8ca9a5a81760b8daa607fdfd6d65c91.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1500	f8ca9a5a81760b8daa607fdfd6d65c91.exe
1500	f8ca9a5a81760b8daa607fdfd6d65c91.exe
4780	skybot.exe
4780	skybot.exe
1872	skybot.exe
1872	skybot.exe
1656	skybot.exe
1656	skybot.exe
4740	skybot.exe
4740	skybot.exe
4280	skybot.exe
4280	skybot.exe
3288	skybot.exe
3288	skybot.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4780	1500	f8ca9a5a81760b8daa607fdfd6d65c91.exe	88
PID 1500 wrote to memory of 4780	1500	f8ca9a5a81760b8daa607fdfd6d65c91.exe	88
PID 1500 wrote to memory of 4780	1500	f8ca9a5a81760b8daa607fdfd6d65c91.exe	88
PID 4780 wrote to memory of 1872	4780	skybot.exe	89
PID 4780 wrote to memory of 1872	4780	skybot.exe	89
PID 4780 wrote to memory of 1872	4780	skybot.exe	89
PID 1872 wrote to memory of 1656	1872	skybot.exe	90
PID 1872 wrote to memory of 1656	1872	skybot.exe	90
PID 1872 wrote to memory of 1656	1872	skybot.exe	90
PID 1656 wrote to memory of 4740	1656	skybot.exe	92
PID 1656 wrote to memory of 4740	1656	skybot.exe	92
PID 1656 wrote to memory of 4740	1656	skybot.exe	92
PID 4740 wrote to memory of 4208	4740	skybot.exe	93
PID 4740 wrote to memory of 4208	4740	skybot.exe	93
PID 4740 wrote to memory of 4208	4740	skybot.exe	93
PID 4208 wrote to memory of 4280	4208	skybot.exe	94
PID 4208 wrote to memory of 4280	4208	skybot.exe	94
PID 4208 wrote to memory of 4280	4208	skybot.exe	94
PID 4280 wrote to memory of 3288	4280	skybot.exe	95
PID 4280 wrote to memory of 3288	4280	skybot.exe	95
PID 4280 wrote to memory of 3288	4280	skybot.exe	95
PID 3288 wrote to memory of 3116	3288	skybot.exe	96
PID 3288 wrote to memory of 3116	3288	skybot.exe	96
PID 3288 wrote to memory of 3116	3288	skybot.exe	96

C:\Users\Admin\AppData\Local\Temp\f8ca9a5a81760b8daa607fdfd6d65c91.exe
"C:\Users\Admin\AppData\Local\Temp\f8ca9a5a81760b8daa607fdfd6d65c91.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\skybot.exe
  C:\Windows\system32\skybot.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\skybot.exe
    C:\Windows\system32\skybot.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\skybot.exe
      C:\Windows\system32\skybot.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\skybot.exe
        
        C:\Windows\system32\skybot.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\skybot.exe
        
        C:\Windows\system32\skybot.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\skybot.exe
        
        C:\Windows\system32\skybot.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\skybot.exe
        
        C:\Windows\system32\skybot.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\skybot.exe
        
        C:\Windows\system32\skybot.exe
        9⤵
        Executes dropped EXE
        
        PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\skybot.exe

Filesize
32KB

MD5
f8ca9a5a81760b8daa607fdfd6d65c91

SHA1
641f761f388ef4e98aea2baa1a99c21a876fd612

SHA256
c64857d2acfaa9165981da94f99fa442c74fadb9a341d599fb814b759ec8c681

SHA512
2349dba6c5710364d4b4d71dfd43a0818ebb8575ea58a861b07d7eb29761e7013bf01317bfb86e819be412c3015f7c6171f0d314ce55f481f28f1454b3d56624

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
7465dc5adfaaf6f86e2cd02695192abc

SHA1
481102747570255b86563ed5c2be79cf003c3fc9

SHA256
c15033e0bc0f14def3232150f0648cf3d4d98a26f4710fa00ae948fee7a5c391

SHA512
ca96636c3a6e4d65e951b7bba82ce5b9faea47f6d004cb925730e7fa3572e2903b21b0fcb326eff9cfba614a16a852c9513bb763e673690c1e244605a459765d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads