e2106120e16acb7455d98e6068ddc160ad562832104258bcded3090f5aaf2a9c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59e6ed4184115457e5045117e8e95f1.exe
Size

560KB
MD5

b59e6ed4184115457e5045117e8e95f1
SHA1

feab3523e15087129e8c44b0cd8cb9ed46e8d7ed
SHA256

e2106120e16acb7455d98e6068ddc160ad562832104258bcded3090f5aaf2a9c
SHA512

709a5ce5f91826155a062775e0ac18bac9276f632202e6e20d48fa040d56ee0dd2da5542288b4c61c0c7a8981078bb33c5cfe40ec70ab9805e6770a56ac8b3ed
SSDEEP

12288:kTQghS7CmcR3DvfVYhp/8+hwaQQrprRlgHJIBohE:kTQN7dovfVykJaQQdrRKpIBoK

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll"	b59e6ed4184115457e5045117e8e95f1.exe

Loads dropped DLL 2 IoCs

pid	Process
3880	svchost.exe
3880	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysns.dll	b59e6ed4184115457e5045117e8e95f1.exe
File opened for modification	C:\Windows\SysWOW64\sysns.dll	b59e6ed4184115457e5045117e8e95f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2576	b59e6ed4184115457e5045117e8e95f1.exe
2576	b59e6ed4184115457e5045117e8e95f1.exe
2576	b59e6ed4184115457e5045117e8e95f1.exe
2576	b59e6ed4184115457e5045117e8e95f1.exe
2576	b59e6ed4184115457e5045117e8e95f1.exe
2576	b59e6ed4184115457e5045117e8e95f1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeBackupPrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe
Token: SeRestorePrivilege	2576	b59e6ed4184115457e5045117e8e95f1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2504	2576	b59e6ed4184115457e5045117e8e95f1.exe	94
PID 2576 wrote to memory of 2504	2576	b59e6ed4184115457e5045117e8e95f1.exe	94
PID 2576 wrote to memory of 2504	2576	b59e6ed4184115457e5045117e8e95f1.exe	94

C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe
"C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\b59e6ed4184115457e5045117e8e95f1.exe"
  2⤵
  PID:2504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netns
1⤵
PID:2348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netns
1⤵
- Loads dropped DLL
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysns.dll

Filesize
320KB

MD5
22155d34265820e3c02d2dd2f627e39e

SHA1
fa1ccc74c2def25bf2f014f31ce84e94c2b31d58

SHA256
96b04b6aae074eb32477c5c818354a448de8d1711988302265ce1f3886fa485f

SHA512
483fdc3c294d34c9861ebced3aa6f7f389cd262095e521c3e20cd39265b0110a80563fb7e2b8b15afd47e26170836107e7bc0736e7a1fbeb8b33e477f1b7e215

Download Submit
\??\c:\windows\SysWOW64\sysns.dll

Filesize
487KB

MD5
0e9420cf69d2b89b2802bd191191216e

SHA1
90583bad182792a2d6e1b468a834d3eafb00d53b

SHA256
6b7bd4312d366bd629fcc5bb7a5e8046bfdd14b5f4f3781e4cf3b291bcffedfb

SHA512
172865d3617dd065e32c8cbdcb8f8ae578624b63c115709fb466ce1a13ec4916c87876664dbc0a4cbf3300acb5dd112657b6b147f350e167bd409366026b9a44

Download Submit
memory/2576-8-0x0000000013140000-0x00000000131D4000-memory.dmp

Filesize
592KB

Download
memory/3880-7-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/3880-9-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/3880-10-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download