85cb91f66f432c42a71c741f807288ab2888f5601b7311b5c48bf473461a0f2a

General

Target

b9854b708882ef37ef1e27f65b174060.exe
Size

34KB
MD5

b9854b708882ef37ef1e27f65b174060
SHA1

fd6774ed0e671cbe765619fe041ab93294746d07
SHA256

85cb91f66f432c42a71c741f807288ab2888f5601b7311b5c48bf473461a0f2a
SHA512

a9da65545770336a89dbb8d76c6e63abe27b71cb94eb380a8c79b541468fbe590597686d8244e52e549ac8f214370aa55214bb3a17a63a19a3edd90b728e7074
SSDEEP

768:MyFm2Gn9m9VTXiqzvb7QfNbPtmil8IeZhsjr8E2la2ZjH78K6:My82WmrTXNb4dFm08IeZhsP2TBH7/6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sichost.exe"	b9854b708882ef37ef1e27f65b174060.exe

Deletes itself 1 IoCs

pid	Process
2464	sychost.exe

Executes dropped EXE 3 IoCs

pid	Process
2984	sovlost.exe
2464	sychost.exe
2468	sichost.exe

Loads dropped DLL 11 IoCs

pid	Process
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2464	sychost.exe
2464	sychost.exe
2464	sychost.exe
2464	sychost.exe
2464	sychost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ssdtti.sys	b9854b708882ef37ef1e27f65b174060.exe
File created	C:\Windows\SysWOW64\sychost.exe	b9854b708882ef37ef1e27f65b174060.exe
File created	C:\Windows\SysWOW64\sichost.exe	sychost.exe
File opened for modification	C:\Windows\SysWOW64\sichost.exe	sychost.exe
File opened for modification	C:\Windows\SysWOW64\discard.ini	sychost.exe
File created	C:\Windows\SysWOW64\sovlost.exe	b9854b708882ef37ef1e27f65b174060.exe
File opened for modification	C:\Windows\SysWOW64\discard.ini	b9854b708882ef37ef1e27f65b174060.exe
File created	C:\Windows\SysWOW64\Nessery.sys	b9854b708882ef37ef1e27f65b174060.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe
2468	sichost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2748	b9854b708882ef37ef1e27f65b174060.exe
Token: SeSystemtimePrivilege	2468	sichost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2748	b9854b708882ef37ef1e27f65b174060.exe
2748	b9854b708882ef37ef1e27f65b174060.exe
2984	sovlost.exe
2984	sovlost.exe
2464	sychost.exe
2468	sichost.exe
2468	sichost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2984	2748	b9854b708882ef37ef1e27f65b174060.exe	28
PID 2748 wrote to memory of 2984	2748	b9854b708882ef37ef1e27f65b174060.exe	28
PID 2748 wrote to memory of 2984	2748	b9854b708882ef37ef1e27f65b174060.exe	28
PID 2748 wrote to memory of 2984	2748	b9854b708882ef37ef1e27f65b174060.exe	28
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2748 wrote to memory of 2464	2748	b9854b708882ef37ef1e27f65b174060.exe	29
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30
PID 2464 wrote to memory of 2468	2464	sychost.exe	30

C:\Users\Admin\AppData\Local\Temp\b9854b708882ef37ef1e27f65b174060.exe
"C:\Users\Admin\AppData\Local\Temp\b9854b708882ef37ef1e27f65b174060.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\sovlost.exe
  "C:\Windows\system32\sovlost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Windows\SysWOW64\sychost.exe
  "C:\Windows\system32\sychost.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\sichost.exe
    "C:\Windows\system32\sichost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\discard.ini

Filesize
91B

MD5
623f3a38f819d0193b45770b724a297c

SHA1
e236d5b6ef0cd3b8e0c56a57f8c7b343244d46f6

SHA256
f825edad2680131917de7d0d14094b79e9a7d2a51e6940ae15b14cb88ef7dfd3

SHA512
91cb253f4f942974ba5a3750fb113da5f747573817ac4d84416738c79d63f4b9bc102e8fa9e1274e77a38546265bb8b0b4f81e60a66a742dd876245780961a7a

Download Submit
C:\Windows\SysWOW64\discard.ini

Filesize
26B

MD5
d8ab3ea023fda33b8017ccc4748534f8

SHA1
e5c8b0f40ed03ad98f0d207ee073af2ee925db78

SHA256
14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

SHA512
0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

Download Submit
C:\Windows\SysWOW64\sichost.exe

Filesize
34KB

MD5
b9854b708882ef37ef1e27f65b174060

SHA1
fd6774ed0e671cbe765619fe041ab93294746d07

SHA256
85cb91f66f432c42a71c741f807288ab2888f5601b7311b5c48bf473461a0f2a

SHA512
a9da65545770336a89dbb8d76c6e63abe27b71cb94eb380a8c79b541468fbe590597686d8244e52e549ac8f214370aa55214bb3a17a63a19a3edd90b728e7074

Download Submit
C:\Windows\SysWOW64\ssdtti.sys

Filesize
2KB

MD5
d8771067a0815b3e741ce7414a879ba3

SHA1
f21a8f45b64d256a79c58626b6a78dfda6902d5c

SHA256
f763fe7f95fb3d3d9a7928c320309b32858d7843d40a9480b612d490c1c8278d

SHA512
65c6d2a77110334b0acc2c63cf5a551a0a52d231ab52bebd666ecfb90d3a3016adf7cea28ac7e5ba10ebeba68c8fb311c92f0c6b2e70dbac61946abbf5079b54

Download Submit
\Windows\SysWOW64\sovlost.exe

Filesize
20KB

MD5
06922f78c398d807dc0bbc9fbd056393

SHA1
392c01659bae0c50659b36d0d844add3935b8345

SHA256
6e615d23f382153740d7aa8386a1a6d892526e4494ac5608d23a21d611cb7dab

SHA512
d246abfe486fa83f51800a37e0ee690c0e027863a9e36db9a8e9a30e82c7daf857422d8496973f4abf2cd69cc52e4d63c05a55ed56874ff5e8e213f57e1bd43e

Download Submit
\Windows\SysWOW64\sychost.exe

Filesize
20KB

MD5
abdb1a784dcaefcbfb8af28599293f4f

SHA1
f1601133a072db15d5941628549544771a9a264c

SHA256
e7fa8bd434c1ca284b24e16b49ce888523af62dbdffc51325e467807796d12b1

SHA512
8880edc42b33d750c731fdb94382edb608df31338bb882179c45b4b6873c168f12ae4854d1b01e2c58f9b56d4003adad6a18f8e5b3312e25a5b6cf7423d709c3

Download Submit
memory/2464-36-0x00000000024F0000-0x000000000254B000-memory.dmp

Filesize
364KB

Download
memory/2468-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2468-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2468-43-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/2468-48-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2468-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2748-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2748-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2748-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2748-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads