b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

Analysis

max time kernel
4s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mycrypt.exe
Size

228KB
MD5

a35e683f7392d7aa6be1ac5d325a0584
SHA1

7b2a3dfd0579ec4a9f61e45994a48881ebb91b49
SHA256

85fac218aabc9a6d08380d6f4fbe07818c5f7c8dc1f630bb849ab5681c83d7de
SHA512

7c94c1f19f793d7efe251d9c0c4df900a10b8b85a36da9c883fce2b511f5f65d107d09be777efa92a3be6c0bdd38c302acd024ee48cf836889f79dfabb069470
SSDEEP

3072:R26et7TW3+lXSittze7GjsZCc8dexm1qX2Gqfkz297vslPCTjUB9LQdItu:R2BTW6ji7ZCc8dMOqX2Gb29AlPn9Mx

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2892	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1720	2384	Mycrypt.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	Mycrypt.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28
PID 2384 wrote to memory of 1720	2384	Mycrypt.exe	28

C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1720
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:2892
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      C:\Users\Admin\AppData\Roaming\lsass.exe /d C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
      4⤵
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3DFC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E2E.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
C:\Users\Admin\AppData\Roaming\aVoQBOBA

Filesize
8KB

MD5
e094ffac2dafa62cd9b77f4cf58dff8c

SHA1
045fe7943c5574f92cf21436780db8685bda3312

SHA256
b05e2f4aeb13aab1c0d713571bc5a5ccca7c8d04c64e7d8cad7fb86e709c9eeb

SHA512
e0aa8324d2b3290c4622e7e192762adc1085d03654155875244495f7da265260b0af53b95344d5dfd050d978b449397313bd98dedc30d18f0f3aa01f6dee75a0

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
4KB

MD5
7f13a8e8b656f282cda570ce51daf6a2

SHA1
6ea8c206fdf8ad16b9aeba14a55a2d34a900aa3c

SHA256
236115e4dacc1a335e3ff6cab0b50605e7abf2be8db8eef7f2fd638036db0375

SHA512
d8ef706260e0e8c0a88366ffdb5c4a43458e0e975e3ee111e30650fa43ae4a8880208f123fbae76545d25f9f316cf689dd52c80d5c299b8556c7e82062f5c82d

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
32KB

MD5
8e84acf5cd74a8d508472bfe2f15fab8

SHA1
ab561f11dab9bc3ddc372beccef2d036bdf92cc5

SHA256
86433b5814fc1c5c7e805573637d30eb73c95e8a5c6c4072630ed7c9fd833d2d

SHA512
2c1243e7f9080366da9c693e2f5cbf80c86ae9becedcb0bf7d3c9877de1ad43eea1146654b9af4a273f4297970ef4769b07478b38c7ccdea0c812ce391d48aad

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
16KB

MD5
03c0f46dc6869cc87005dc27b2f23e4c

SHA1
7de7c5e3e4591fa39593dc2328c20538b5af662a

SHA256
4bcb0843d74dea62618306be840e28df1c6763e00c851a70967d6b03c075b5a2

SHA512
cc72ae021c5d7fbc1d1f50c6bbefed574506f9658747b88b69f49b6d49268a67701436ca2b724611e8fa7736b943151641aa40565a703352624f8589a7128fd8

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
14KB

MD5
a22d8e967f20982530b55ab0b8527c8a

SHA1
3373ab9a0406f68b1feddcc25675a6dff4bb4668

SHA256
57148812c1fb27fe5322acc41429472714c5b6ec894d9f719eaede245a987b5b

SHA512
8867a687badcb9f6f2ea7e2b679d86aa737fd336b699afa7ec80d745d609783f331bf627f25aaa7027396d03647264fae71b5a537fa5b289e852a6c4b68d4fda

Download Submit
memory/1720-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1720-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1720-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1720-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1720-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1720-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1720-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-96-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-97-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-98-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-99-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-102-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-105-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-108-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads