e2106120e16acb7455d98e6068ddc160ad562832104258bcded3090f5aaf2a9c

Analysis

max time kernel
162s
max time network
203s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59e6ed4184115457e5045117e8e95f1.exe
Size

560KB
MD5

b59e6ed4184115457e5045117e8e95f1
SHA1

feab3523e15087129e8c44b0cd8cb9ed46e8d7ed
SHA256

e2106120e16acb7455d98e6068ddc160ad562832104258bcded3090f5aaf2a9c
SHA512

709a5ce5f91826155a062775e0ac18bac9276f632202e6e20d48fa040d56ee0dd2da5542288b4c61c0c7a8981078bb33c5cfe40ec70ab9805e6770a56ac8b3ed
SSDEEP

12288:kTQghS7CmcR3DvfVYhp/8+hwaQQrprRlgHJIBohE:kTQN7dovfVykJaQQdrRKpIBoK

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll"	b59e6ed4184115457e5045117e8e95f1.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysns.dll	b59e6ed4184115457e5045117e8e95f1.exe
File created	C:\Windows\SysWOW64\sysns.dll	b59e6ed4184115457e5045117e8e95f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2660	b59e6ed4184115457e5045117e8e95f1.exe
2660	b59e6ed4184115457e5045117e8e95f1.exe
2660	b59e6ed4184115457e5045117e8e95f1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeBackupPrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2660	b59e6ed4184115457e5045117e8e95f1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2604	2660	b59e6ed4184115457e5045117e8e95f1.exe	31
PID 2660 wrote to memory of 2604	2660	b59e6ed4184115457e5045117e8e95f1.exe	31
PID 2660 wrote to memory of 2604	2660	b59e6ed4184115457e5045117e8e95f1.exe	31
PID 2660 wrote to memory of 2604	2660	b59e6ed4184115457e5045117e8e95f1.exe	31

C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe
"C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe"
  2⤵
  - Deletes itself
  PID:2604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netns
1⤵
- Loads dropped DLL
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\sysns.dll

Filesize
487KB

MD5
0e9420cf69d2b89b2802bd191191216e

SHA1
90583bad182792a2d6e1b468a834d3eafb00d53b

SHA256
6b7bd4312d366bd629fcc5bb7a5e8046bfdd14b5f4f3781e4cf3b291bcffedfb

SHA512
172865d3617dd065e32c8cbdcb8f8ae578624b63c115709fb466ce1a13ec4916c87876664dbc0a4cbf3300acb5dd112657b6b147f350e167bd409366026b9a44

Download Submit
memory/2560-6-0x0000000000600000-0x0000000000681000-memory.dmp

Filesize
516KB

Download
memory/2560-9-0x0000000000600000-0x0000000000681000-memory.dmp

Filesize
516KB

Download
memory/2560-11-0x0000000000600000-0x0000000000681000-memory.dmp

Filesize
516KB

Download
memory/2660-7-0x0000000013140000-0x00000000131D4000-memory.dmp

Filesize
592KB

Download
memory/2660-8-0x0000000013140000-0x00000000131D4000-memory.dmp

Filesize
592KB

Download