73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037

General

Target

689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
Size

27.6MB
MD5

220d1ef8904ec400ad2c63fe40c21a75
SHA1

04c5bb65b1a65e7a159c17b8bbaf4e286009370e
SHA256

689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33
SHA512

1ec2cfb174fd749bbec0a87a8cffbfe81284b68a7a09ae1a32cea51cf4d17dadad0f04f185aa8492ec186d409b1422f20ae59b530ed15598e453d923b9f3be4a
SSDEEP

786432:kbnq/UYXTOALUyampRu7cAcwKwV8dPNck+/Fj4y:H/UYXlYyad1cBwV++/Wy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2556	mxcytmx.exe
2800	ChromeSetup.exe
12912	Skcsk.exe
6940	Skcsk.exe

Loads dropped DLL 4 IoCs

pid	Process
2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Skcsk.exe
File opened (read-only)	\??\U:	Skcsk.exe
File opened (read-only)	\??\X:	Skcsk.exe
File opened (read-only)	\??\E:	Skcsk.exe
File opened (read-only)	\??\G:	Skcsk.exe
File opened (read-only)	\??\H:	Skcsk.exe
File opened (read-only)	\??\J:	Skcsk.exe
File opened (read-only)	\??\N:	Skcsk.exe
File opened (read-only)	\??\W:	Skcsk.exe
File opened (read-only)	\??\B:	Skcsk.exe
File opened (read-only)	\??\I:	Skcsk.exe
File opened (read-only)	\??\M:	Skcsk.exe
File opened (read-only)	\??\P:	Skcsk.exe
File opened (read-only)	\??\S:	Skcsk.exe
File opened (read-only)	\??\L:	Skcsk.exe
File opened (read-only)	\??\V:	Skcsk.exe
File opened (read-only)	\??\Y:	Skcsk.exe
File opened (read-only)	\??\K:	Skcsk.exe
File opened (read-only)	\??\O:	Skcsk.exe
File opened (read-only)	\??\R:	Skcsk.exe
File opened (read-only)	\??\T:	Skcsk.exe
File opened (read-only)	\??\Z:	Skcsk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Skcsk.exe	mxcytmx.exe
File created	C:\Windows\SysWOW64\Skcsk.exe	mxcytmx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
2556	mxcytmx.exe
2556	mxcytmx.exe
2556	mxcytmx.exe
2556	mxcytmx.exe
12912	Skcsk.exe
12912	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxcytmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6888	cmd.exe
8344	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skcsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skcsk.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Skcsk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Skcsk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	Skcsk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Skcsk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Skcsk.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8344	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe
6940	Skcsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2556	mxcytmx.exe
Token: 33	6940	Skcsk.exe
Token: SeIncBasePriorityPrivilege	6940	Skcsk.exe
Token: 33	6940	Skcsk.exe
Token: SeIncBasePriorityPrivilege	6940	Skcsk.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2556	2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	30
PID 2096 wrote to memory of 2556	2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	30
PID 2096 wrote to memory of 2556	2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	30
PID 2096 wrote to memory of 2556	2096	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	30
PID 12912 wrote to memory of 6940	12912	Skcsk.exe	35
PID 12912 wrote to memory of 6940	12912	Skcsk.exe	35
PID 12912 wrote to memory of 6940	12912	Skcsk.exe	35
PID 12912 wrote to memory of 6940	12912	Skcsk.exe	35
PID 2556 wrote to memory of 6888	2556	mxcytmx.exe	34
PID 2556 wrote to memory of 6888	2556	mxcytmx.exe	34
PID 2556 wrote to memory of 6888	2556	mxcytmx.exe	34
PID 2556 wrote to memory of 6888	2556	mxcytmx.exe	34
PID 6888 wrote to memory of 8344	6888	cmd.exe	37
PID 6888 wrote to memory of 8344	6888	cmd.exe	37
PID 6888 wrote to memory of 8344	6888	cmd.exe	37
PID 6888 wrote to memory of 8344	6888	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
"C:\Users\Admin\AppData\Local\Temp\689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe
  "C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:6888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:8344
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\SysWOW64\Skcsk.exe
C:\Windows\SysWOW64\Skcsk.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:12912
- C:\Windows\SysWOW64\Skcsk.exe
  C:\Windows\SysWOW64\Skcsk.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddjP2D3ssR.exe

Filesize
9.2MB

MD5
4918410934e23bfbb179cb9073a14240

SHA1
45c8fb43c6af466bbd3023f191f7333c93597e40

SHA256
eeb8fb55a7de0f2c1cb177bb87f8e1644db1b2ceb4d449e4bce5f409226f799d

SHA512
a77fb8f9c4d09bd61b8ed3e37eb037d52d9690953cdfd4120ab0d311da59e87bde7126a53a94d92d007876d15128f4cb4cecf561407c3db0db96a3693491d0f3

Download Submit
\Users\Admin\AppData\Local\Temp\mxcytmx.exe

Filesize
27.4MB

MD5
d31f9bc076d52fa03f3a0879951f4694

SHA1
a2dac9662b706023d8dc78684a807a52f7347b1c

SHA256
d42d9de8e102af0f6a8bec27ffd3891ae275480febaa0d6438357f74a03cb977

SHA512
c24c805b4dd1bb9be4c4f20ba3ca2d2dc7cd5d58a80c9d05ea4ec0a1c3ebb2f54c0d02a699aa12b9d0eea002a2b363f840ba1ac79c721fc4a78f8f2843c8c652

Download Submit
memory/2096-883-0x0000000005870000-0x00000000073CA000-memory.dmp

Filesize
27.4MB

Download
memory/2096-1151-0x0000000005870000-0x00000000073CA000-memory.dmp

Filesize
27.4MB

Download
memory/2096-1034-0x0000000005870000-0x00000000073CA000-memory.dmp

Filesize
27.4MB

Download
memory/2556-872-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-862-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-891-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-889-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-887-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-885-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-882-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-895-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-880-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-878-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-876-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-874-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-897-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-870-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-868-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-866-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-864-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-893-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-860-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-858-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-856-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-854-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-852-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-850-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-848-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-846-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-844-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-842-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-840-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-838-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-837-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-899-0x0000000003CB0000-0x0000000003DC1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-27-0x00000000763F0000-0x0000000076437000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads