7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f

General

Target

7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe
Size

3.7MB
MD5

6ab051688fa0d520df5de7b8250dc762
SHA1

d360fef9a184bf48a506f58cf3e04426719f43a4
SHA256

7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f
SHA512

650763d619a59500c21ef4b6f82fd80164a154870a4e04b3138021f85f1bcc633015154a8a5b15461884a145c9f6e78745d887bbd8deaf5718f8269c111736ed
SSDEEP

98304:l3ZO8gaDpbCTN3NWo1y8YVHJZKPYFD4g:lp/deTtEo1y8YVjV

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts svchost.exe
Drops startup file 1 IoCs

Processes:

sysapp.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk sysapp.exe
Executes dropped EXE 2 IoCs

Processes:

sysapp.exeSHOChecker.exe

pid process

2256 sysapp.exe
2400 SHOChecker.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk	sysapp.exe

Loads dropped DLL 3 IoCs

Processes:

7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exesysapp.exe

pid	process
1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe
1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe
2256	sysapp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sysapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{74DDAFF4FF882225065987}\\{74DDAFF4FF882225065987}.exe"	sysapp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sysapp.exe

description pid process target process

PID 2256 set thread context of 1832 2256 sysapp.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

SHOChecker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SHOChecker.exe

description	pid	process	target process
PID 2256 set thread context of 1832	2256	sysapp.exe	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SHOChecker.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

sysapp.exesvchost.exe

pid	process
2256	sysapp.exe
2256	sysapp.exe
2256	sysapp.exe
2256	sysapp.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

sysapp.exeSHOChecker.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2256	sysapp.exe
Token: SeSecurityPrivilege	2256	sysapp.exe
Token: SeTakeOwnershipPrivilege	2256	sysapp.exe
Token: SeLoadDriverPrivilege	2256	sysapp.exe
Token: SeSystemProfilePrivilege	2256	sysapp.exe
Token: SeSystemtimePrivilege	2256	sysapp.exe
Token: SeProfSingleProcessPrivilege	2256	sysapp.exe
Token: SeIncBasePriorityPrivilege	2256	sysapp.exe
Token: SeCreatePagefilePrivilege	2256	sysapp.exe
Token: SeBackupPrivilege	2256	sysapp.exe
Token: SeRestorePrivilege	2256	sysapp.exe
Token: SeShutdownPrivilege	2256	sysapp.exe
Token: SeDebugPrivilege	2256	sysapp.exe
Token: SeSystemEnvironmentPrivilege	2256	sysapp.exe
Token: SeRemoteShutdownPrivilege	2256	sysapp.exe
Token: SeUndockPrivilege	2256	sysapp.exe
Token: SeManageVolumePrivilege	2256	sysapp.exe
Token: 33	2256	sysapp.exe
Token: 34	2256	sysapp.exe
Token: 35	2256	sysapp.exe
Token: SeDebugPrivilege	2400	SHOChecker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SHOChecker.exe

pid process

2400 SHOChecker.exe
2400 SHOChecker.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SHOChecker.exe

pid process

2400 SHOChecker.exe
2400 SHOChecker.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SHOChecker.exe

pid process

2400 SHOChecker.exe
2400 SHOChecker.exe

pid	process
2400	SHOChecker.exe
2400	SHOChecker.exe

pid	process
2400	SHOChecker.exe
2400	SHOChecker.exe

pid	process
2400	SHOChecker.exe
2400	SHOChecker.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exesysapp.exesvchost.exe

description	pid	process	target process
PID 1928 wrote to memory of 2256	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	sysapp.exe
PID 1928 wrote to memory of 2256	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	sysapp.exe
PID 1928 wrote to memory of 2256	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	sysapp.exe
PID 1928 wrote to memory of 2400	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	SHOChecker.exe
PID 1928 wrote to memory of 2400	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	SHOChecker.exe
PID 1928 wrote to memory of 2400	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	SHOChecker.exe
PID 1928 wrote to memory of 2400	1928	7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe	SHOChecker.exe
PID 2256 wrote to memory of 1832	2256	sysapp.exe	svchost.exe
PID 2256 wrote to memory of 1832	2256	sysapp.exe	svchost.exe
PID 2256 wrote to memory of 1832	2256	sysapp.exe	svchost.exe
PID 2256 wrote to memory of 1832	2256	sysapp.exe	svchost.exe
PID 1832 wrote to memory of 2644	1832	svchost.exe	WerFault.exe
PID 1832 wrote to memory of 2644	1832	svchost.exe	WerFault.exe
PID 1832 wrote to memory of 2644	1832	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe
"C:\Users\Admin\AppData\Local\Temp\7114c686f31027324e5e415b9a367ce5364db4c7048fd7c6a3f735ac0033609f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Roaming\sysapp.exe
"C:\Users\Admin\AppData\Roaming\sysapp.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1832 -s 220
4⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\SHOChecker.exe
"SHOChecker.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SHOChecker.exe

Filesize
3.1MB

MD5
26b242758e6eab138a28f91ac0bcf647

SHA1
acb609dd41efa47d5f9785a9703f67e64bfb8d37

SHA256
cb58fc8f98badc3f43b48c07e609c614078514b0bd54fb06527e6860e00b676d

SHA512
67b21abc5f3bfb18347ec597973fffbb3b0e7c951f5472b1a511d6b0e399fcb3e69786764cf3d835dfe50d888c36fa99b389d4a6a09cc9065ad60dccbad8c0be

Download Submit
C:\Users\Admin\AppData\Roaming\sysapp.exe

Filesize
278KB

MD5
8a3a576d178ac1abbd9e1c58d00d4afd

SHA1
28ee0f532ab1df4a9a589aa66c6537bebb32751e

SHA256
2786dfc70c53aaef43bfe38177962278530c1593cb3e0c096e88facec0e2f803

SHA512
a641973d0f67c9c4d65a6429b83bbc29a011bdc9ac4f4d57bb88e2dff6ecbbb1db91bb5d280098897f24766f0313004730273d87cbbeb2986caed8d8ca55aa1e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c55e7b590134bae106d2d8170affe162

SHA1
13b61495d4b1460ecb770e42a923c880a73ad692

SHA256
5d4c55ac6c8371c79f94a81c1e53fa50b0fa4231cda0fc9d93892739c723c7e7

SHA512
99162c8512811021c31c98cffe306b3badd07e779ac73d6da16e16d7597c1c8112b1a78dc33a27f717b13333bedf6a804a757e5030f653aeea41a338492c9e27

Download Submit
memory/1832-79-0x0000000140000000-0x000000014004C000-memory.dmp

Filesize
304KB

Download
memory/1832-24-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2400-75-0x0000000007260000-0x0000000007462000-memory.dmp

Filesize
2.0MB

Download
memory/2400-22-0x0000000001230000-0x0000000001556000-memory.dmp

Filesize
3.1MB

Download
memory/2400-76-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-77-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-78-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2400-20-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2400-80-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-82-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads