798f8698fc6a500b954a0bad01acc25e9120c2ab3e7c74c40e8f9ff936129b28

General

Target

b9e65dcaaebcaaa7393f677997a7aa79.exe
Size

35KB
MD5

b9e65dcaaebcaaa7393f677997a7aa79
SHA1

fee140708be425e5ec3a827ee6083f1ec7072a13
SHA256

798f8698fc6a500b954a0bad01acc25e9120c2ab3e7c74c40e8f9ff936129b28
SHA512

34c4a35efef7c73b2a8198005589822d438f9674934bc0ca355bce9db02652304501abab1195d81baa53b5052be0808848bc0d701d831de7efdcb2f5002bf0ed
SSDEEP

768:WSFD2Dn9m9VTXiOjO4ZcXZbgFqKdbdNhe05WPCc2erQl:WSx2ZmrTXljORXFgFT5Jh5WPCcdEl

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sichost.exe"	b9e65dcaaebcaaa7393f677997a7aa79.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	b9e65dcaaebcaaa7393f677997a7aa79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	sychost.exe

Deletes itself 1 IoCs

pid	Process
3204	sychost.exe

Executes dropped EXE 3 IoCs

pid	Process
3268	sovlost.exe
3204	sychost.exe
4512	sichost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nessery.sys	b9e65dcaaebcaaa7393f677997a7aa79.exe
File created	C:\Windows\SysWOW64\ssdtti.sys	b9e65dcaaebcaaa7393f677997a7aa79.exe
File created	C:\Windows\SysWOW64\sychost.exe	b9e65dcaaebcaaa7393f677997a7aa79.exe
File created	C:\Windows\SysWOW64\sichost.exe	sychost.exe
File opened for modification	C:\Windows\SysWOW64\sichost.exe	sychost.exe
File opened for modification	C:\Windows\SysWOW64\discard.ini	sychost.exe
File created	C:\Windows\SysWOW64\sovlost.exe	b9e65dcaaebcaaa7393f677997a7aa79.exe
File opened for modification	C:\Windows\SysWOW64\discard.ini	b9e65dcaaebcaaa7393f677997a7aa79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1924	844	WerFault.exe	92
2360	844	WerFault.exe	92
2948	4512	WerFault.exe	112
2328	4512	WerFault.exe	112

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe
4512	sichost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	844	b9e65dcaaebcaaa7393f677997a7aa79.exe
Token: SeSystemtimePrivilege	4512	sichost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
844	b9e65dcaaebcaaa7393f677997a7aa79.exe
3268	sovlost.exe
3268	sovlost.exe
3204	sychost.exe
4512	sichost.exe
4512	sichost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3268	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	106
PID 844 wrote to memory of 3268	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	106
PID 844 wrote to memory of 3268	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	106
PID 844 wrote to memory of 3204	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	107
PID 844 wrote to memory of 3204	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	107
PID 844 wrote to memory of 3204	844	b9e65dcaaebcaaa7393f677997a7aa79.exe	107
PID 3204 wrote to memory of 4512	3204	sychost.exe	112
PID 3204 wrote to memory of 4512	3204	sychost.exe	112
PID 3204 wrote to memory of 4512	3204	sychost.exe	112

C:\Users\Admin\AppData\Local\Temp\b9e65dcaaebcaaa7393f677997a7aa79.exe
"C:\Users\Admin\AppData\Local\Temp\b9e65dcaaebcaaa7393f677997a7aa79.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\sovlost.exe
  "C:\Windows\system32\sovlost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3268
- C:\Windows\SysWOW64\sychost.exe
  "C:\Windows\system32\sychost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\sichost.exe
    "C:\Windows\system32\sichost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1208
      4⤵
      Program crash
      PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1292
      4⤵
      Program crash
      PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 768
  2⤵
  - Program crash
  PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 760
  2⤵
  - Program crash
  PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 844 -ip 844
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 844 -ip 844
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4512 -ip 4512
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4512 -ip 4512
1⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\discard.ini

Filesize
91B

MD5
8f05f9a770bb85e64bb0e559bd1bf908

SHA1
8339b5d9eb911aa2c1da49ac7a7ec06dbd237347

SHA256
b5228a86abb336cc4f8fac4703f38ea5c005f245bbaf04d119a8a0c36239cfac

SHA512
8f232deb20d61fa58f7d5abd93b367e15f3b9f2b0a264d5b905641231f5ffc0419a3c6903285d7e9976e5f73015a5959b8c585e7cf8cca438b12f51e5d939631

Download Submit
C:\Windows\SysWOW64\discard.ini

Filesize
26B

MD5
d8ab3ea023fda33b8017ccc4748534f8

SHA1
e5c8b0f40ed03ad98f0d207ee073af2ee925db78

SHA256
14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

SHA512
0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

Download Submit
C:\Windows\SysWOW64\sichost.exe

Filesize
35KB

MD5
b9e65dcaaebcaaa7393f677997a7aa79

SHA1
fee140708be425e5ec3a827ee6083f1ec7072a13

SHA256
798f8698fc6a500b954a0bad01acc25e9120c2ab3e7c74c40e8f9ff936129b28

SHA512
34c4a35efef7c73b2a8198005589822d438f9674934bc0ca355bce9db02652304501abab1195d81baa53b5052be0808848bc0d701d831de7efdcb2f5002bf0ed

Download Submit
C:\Windows\SysWOW64\sovlost.exe

Filesize
20KB

MD5
33bb2a692bd2dada7d6f7a574dce9305

SHA1
e18ab04b0f3d4cd7c968bd0c0b3b6d1ffd66b96b

SHA256
af27d3417da82b642c67a80d6d98f815b9ebf333e8038c9f4446ae598475afb7

SHA512
474a626a2d598a9be2cbba06257d5dc9115cf6b099df804a9e7860965dec03df365e4d351088ec04ac6c2d53c047db71007d01ec5e6258e67bd5f20c71195b23

Download Submit
C:\Windows\SysWOW64\ssdtti.sys

Filesize
2KB

MD5
1e14c892a6d3bd78c5508a13873b9e7b

SHA1
a817f4492fd9b0013eda6cb45624af8ce4b04efa

SHA256
99cc0877502487b5d58ce9921366fbd299253673c33c8b4d67fc872323dc334e

SHA512
11b0393308cb5239c4f0a7c31d6fd09e03c7a623941d1c408f1ab4119ba4089382a57db7a52990009f20ec54eb71dff2aafd6c75a0c17789edabf6f85dd298e6

Download Submit
C:\Windows\SysWOW64\sychost.exe

Filesize
20KB

MD5
abdb1a784dcaefcbfb8af28599293f4f

SHA1
f1601133a072db15d5941628549544771a9a264c

SHA256
e7fa8bd434c1ca284b24e16b49ce888523af62dbdffc51325e467807796d12b1

SHA512
8880edc42b33d750c731fdb94382edb608df31338bb882179c45b4b6873c168f12ae4854d1b01e2c58f9b56d4003adad6a18f8e5b3312e25a5b6cf7423d709c3

Download Submit
memory/844-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/844-1-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/844-29-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4512-42-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4512-44-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads