a17a56a6133deb30a7b5347798b8cac8438e90695cae989a41971fe1583682ba

General

Target

Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe
Size

777KB
MD5

91c8a2597dfaa6acd74e3e36aad13795
SHA1

6eecfee76e50c1386d5e2ace2d854b36e772f39e
SHA256

6579041d87f55e77a82942f943ecee122555a40f0bc93be4614cf024b87f1cf1
SHA512

bba3004e251eeeed049a656746fe3e915e46953f46078cefd18bb79a7dd04f81155f4396e3bb07ae99523ac4fa99386255e378eeee997550bc875004c7a1c7ab
SSDEEP

24576:5naVMJ3TWq+OxymwoglBMazrEdr6kS3rJQBtUkBgJ:5amJjyOwmwoMFqrSinXBgJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

siyanur - Lag Hack.tmpsnetcfg.exe

pid process

2652 siyanur - Lag Hack.tmp
1516 snetcfg.exe

pid	process
2652	siyanur - Lag Hack.tmp
1516	snetcfg.exe

Loads dropped DLL 8 IoCs

Processes:

siyanur - Lag Hack.exesiyanur - Lag Hack.tmp

pid	process
2196	siyanur - Lag Hack.exe
2652	siyanur - Lag Hack.tmp
2652	siyanur - Lag Hack.tmp
2652	siyanur - Lag Hack.tmp
2652	siyanur - Lag Hack.tmp
2652	siyanur - Lag Hack.tmp
2652	siyanur - Lag Hack.tmp
2644

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

DrvInst.exesiyanur - Lag Hack.tmp

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}	DrvInst.exe
File created	C:\Windows\system32\is-0M7CP.tmp	siyanur - Lag Hack.tmp
File opened for modification	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\SET5570.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\SET5570.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\spfdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\SET5571.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\SET5571.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\spfdrv.sys	DrvInst.exe

Drops file in Program Files directory 11 IoCs

Processes:

siyanur - Lag Hack.tmp

description	ioc	process
File created	C:\Program Files\Siyanur\unins000.dat	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-N4JLL.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-FN2OC.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-LEJ15.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-DNQDH.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-258AT.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-EGH21.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-FVQV4.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-TRJUB.tmp	siyanur - Lag Hack.tmp
File created	C:\Program Files\Siyanur\is-VD55P.tmp	siyanur - Lag Hack.tmp
File opened for modification	C:\Program Files\Siyanur\unins000.dat	siyanur - Lag Hack.tmp

Drops file in Windows directory 2 IoCs

Processes:

snetcfg.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

siyanur - Lag Hack.exesiyanur - Lag Hack.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siyanur - Lag Hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siyanur - Lag Hack.tmp

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

snetcfg.exeDrvInst.exerundll32.exe

description	pid	process
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	1516	snetcfg.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	2360	DrvInst.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe
Token: SeRestorePrivilege	1536	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

siyanur - Lag Hack.tmp

pid process

2652 siyanur - Lag Hack.tmp

pid	process
2652	siyanur - Lag Hack.tmp

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

siyanur - Lag Hack.exesiyanur - Lag Hack.tmpDrvInst.exe

description	pid	process	target process
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2196 wrote to memory of 2652	2196	siyanur - Lag Hack.exe	siyanur - Lag Hack.tmp
PID 2652 wrote to memory of 1516	2652	siyanur - Lag Hack.tmp	snetcfg.exe
PID 2652 wrote to memory of 1516	2652	siyanur - Lag Hack.tmp	snetcfg.exe
PID 2652 wrote to memory of 1516	2652	siyanur - Lag Hack.tmp	snetcfg.exe
PID 2652 wrote to memory of 1516	2652	siyanur - Lag Hack.tmp	snetcfg.exe
PID 2360 wrote to memory of 1536	2360	DrvInst.exe	rundll32.exe
PID 2360 wrote to memory of 1536	2360	DrvInst.exe	rundll32.exe
PID 2360 wrote to memory of 1536	2360	DrvInst.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Siyanur lag hack- S.A latino\siyanur - Lag Hack.exe
"C:\Users\Admin\AppData\Local\Temp\Siyanur lag hack- S.A latino\siyanur - Lag Hack.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\is-QFASC.tmp\siyanur - Lag Hack.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QFASC.tmp\siyanur - Lag Hack.tmp" /SL5="$400E0,552640,54272,C:\Users\Admin\AppData\Local\Temp\Siyanur lag hack- S.A latino\siyanur - Lag Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files\Siyanur\snetcfg.exe
    "C:\Program Files\Siyanur\snetcfg.exe" -v -l spfdrv.inf -m spfdrv_m.inf -c s -i nt_spfdrv
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1516

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{78e093e7-37ca-4744-0a75-33100e569674}\spfdrv.inf" "9" "6e2cd0677" "0000000000000244" "WinSta0\Default" "0000000000000564" "208" "C:\Program Files\Siyanur"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{296ec24b-3d88-4673-afd6-e95c9c59194d} Global\{6d0e77f9-70a4-69e5-716c-3666804c5b0e} C:\Windows\System32\DriverStore\Temp\{167e4073-3d88-4673-6f92-98739132044e}\spfdrv.inf
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Siyanur\spfdrv.inf

Filesize
3KB

MD5
9fc9d155a31cc6fca37ce89ab8a28728

SHA1
86a54d8184911b8f5f4527513aeb848e3345c163

SHA256
0aa3404756bc22158550e3c06fb9cf70067f13079fd93cd21eb4cdc40246d06e

SHA512
de7590d9c263c99f97941b0dc86e4e7a2a68f9f8a044e2fed00da51b2e9ec626dc8b4d065f9a6295f146e41764df96ac082d57c94474ae374d1adbceb56ea983

Download Submit
C:\Users\Admin\AppData\Local\Temp\{78e093e7-37ca-4744-0a75-33100e569674}\spfdrv.sys

Filesize
31KB

MD5
0a0db26708469f3ade7dfcc5679be8f9

SHA1
5f75aca605e5c967d43cd74a490a57b3166865ae

SHA256
7799f60f6ebf7985a4c08a0185e93843f85ddea130f0c507a5b90c3f9b52e977

SHA512
5f5e12ea1d9c4b368f7f31d9128107ee07bea8b65da77a8a83e178d2e94b7a3e7c20eda7835db66ab40b7131e11c23bd9922f490041a4205cfb07b84f10061fd

Download Submit
\Program Files\Siyanur\siyanur.exe

Filesize
36KB

MD5
20c4cd6e8536974333b42b87670edc72

SHA1
367ba1d78d578c5d76b2ab610ed0a74b4d43b958

SHA256
853c150960d267159a5b35692c66cabfb84a07ccd928ad3c7abd355f1c7751ff

SHA512
39493bb0f8c12f350ae8b3d3126becd15d143a4d7d8331254d28f43a5b9637058ca0e2472331c0198d7b78229d7b5eedfdc6d1feca41d843410e020e4fc4db5a

Download Submit
\Program Files\Siyanur\snetcfg.exe

Filesize
15KB

MD5
69caec3264ee2470fbe9f931e46c9004

SHA1
0abb876471eb403017044672ae7b2fa7307692e5

SHA256
5143a5aae6bfe37c36189536f759e66134525bbc5803683fc779fe8a1249ec91

SHA512
8cf034314bf389754545663ea4d174fbc9516239a55b580bdb063c17d8eb90e76664582a5823f3df0429e34efae90f8ddd3d1649c3b484f2082474bbf3144125

Download Submit
\Users\Admin\AppData\Local\Temp\is-115E1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QFASC.tmp\siyanur - Lag Hack.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
memory/2196-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2196-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-92-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2652-11-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2652-19-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2652-80-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2652-91-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2652-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads