Analysis
max time kernel: 119s
max time network: 105s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 22:36
Behavioral task: behavioral1
Sample: 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Resource: win7-20241010-en
General
Target: 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Size: 392KB
MD5: 82e2ea96bd980f31e38f51638b635e7f
SHA1: e5001915a2516fe86c6d04822bc669919991ee24
SHA256: 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb
SHA512: 564f98b8265597c93acdc5d6426089a5441598d38aac13ab1e16ec074b8291c3e8e176ded09bdf5eb24a700a6c1910416cbe45f1426d50a43e50cd4da219d97b
SSDEEP: 3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2K:DPA6wxmuJspr2lb6P
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\7119 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msbkiaw.bat" | svchost.exe
Executes dropped EXE (3 IoCs)
pid | process
3464 | skyrpe.exe
178812 | skyrpe.exe
178872 | skyrpe.exe
Loads dropped DLL (5 IoCs)
pid | process
3236 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe (five dropped-DLL loads recorded for this one process)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe" | reg.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments: the services\disk\Enum values hold the device instance IDs of the attached disks, and those IDs carry the vendor and model strings that give virtual disks away.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | skyrpe.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | skyrpe.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | procid_target
PID 2956 set thread context of 3236 | 2956 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe | 31
PID 3464 set thread context of 178812 | 3464 | skyrpe.exe | 36
PID 3464 set thread context of 178872 | 3464 | skyrpe.exe | 37
yara_rule: upx (15 matches)
resource | yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x0000000000462000-memory.dmp | upx
behavioral1/memory/2956-223-0x0000000000400000-0x0000000000462000-memory.dmp | upx
behavioral1/memory/3236-53483-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3236-53489-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3236-53485-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2956-53490-0x0000000000400000-0x0000000000462000-memory.dmp | upx
behavioral1/memory/3236-53491-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3236-53492-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/files/0x0009000000016d42-53517.dat | upx
behavioral1/memory/3236-53531-0x0000000003260000-0x00000000032C2000-memory.dmp | upx
behavioral1/memory/3236-53687-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3464-53693-0x0000000000400000-0x0000000000462000-memory.dmp | upx
behavioral1/memory/178812-106978-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3464-106982-0x0000000000400000-0x0000000000462000-memory.dmp | upx
behavioral1/memory/3236-106985-0x0000000000400000-0x000000000040B000-memory.dmp | upx
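The resource names in the yara_rule table encode a pid, a sequence number and the address range of each dumped region, and reading them per process is what turns the list into evidence. The script below is an added example, not part of the sandbox report: UPX_HITS is a copy of the report's resource column (every row matched the rule named "upx"), the parser and the "remapped child" reading at the end are the author's, and the parent links passed to remapped_children are taken from the process tree further down.

```python
"""Parse the yara_rule resource names above into per-process memory regions.

Added example, not part of the sandbox report. UPX_HITS is a copy of the
report's resource column (every row matched the rule named 'upx'); the
'remapped child' interpretation at the end is the author's reading of it.
"""
import re
from collections import defaultdict

UPX_HITS = """
behavioral1/memory/2956-0-0x0000000000400000-0x0000000000462000-memory.dmp
behavioral1/memory/2956-223-0x0000000000400000-0x0000000000462000-memory.dmp
behavioral1/memory/3236-53483-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/3236-53489-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/3236-53485-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/2956-53490-0x0000000000400000-0x0000000000462000-memory.dmp
behavioral1/memory/3236-53491-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/3236-53492-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/files/0x0009000000016d42-53517.dat
behavioral1/memory/3236-53531-0x0000000003260000-0x00000000032C2000-memory.dmp
behavioral1/memory/3236-53687-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/3464-53693-0x0000000000400000-0x0000000000462000-memory.dmp
behavioral1/memory/178812-106978-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/3464-106982-0x0000000000400000-0x0000000000462000-memory.dmp
behavioral1/memory/3236-106985-0x0000000000400000-0x000000000040B000-memory.dmp
""".split()

MEM_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^behavioral\d+/files/(?P<id>0x[0-9A-Fa-f]+)-(?P<seq>\d+)\.dat$")


def parse_hit(resource):
    """Describe one resource name; raise on anything that is not a known shape."""
    m = MEM_RE.match(resource)
    if m:
        return {"kind": "memory", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": int(m["start"], 16), "end": int(m["end"], 16)}
    m = FILE_RE.match(resource)
    if m:
        return {"kind": "file", "id": m["id"], "seq": int(m["seq"])}
    raise ValueError(f"unrecognised resource name: {resource}")


def regions_by_pid(resources):
    """Distinct (start, end, size) tuples per pid, lowest address first."""
    out = defaultdict(set)
    for hit in map(parse_hit, resources):
        if hit["kind"] == "memory":
            out[hit["pid"]].add((hit["start"], hit["end"], hit["end"] - hit["start"]))
    return {pid: sorted(v) for pid, v in out.items()}


def image_base_size(regions, pid, base=0x400000):
    """Size of the region mapped at the usual 32-bit image base, if one was dumped."""
    for start, end, size in regions.get(pid, []):
        if start == base:
            return size
    return None


def remapped_children(regions, parent_of):
    """(parent, child) pairs whose image-base regions differ in size.

    parent_of must only contain children that, per the process tree, were
    started from the same file as their parent; a different size at the same
    base then means the child's original image has been replaced."""
    pairs = []
    for child, parent in sorted(parent_of.items()):
        c, p = image_base_size(regions, child), image_base_size(regions, parent)
        if c is not None and p is not None and c != p:
            pairs.append((parent, child))
    return pairs


if __name__ == "__main__":
    regions = regions_by_pid(UPX_HITS)
    for pid, regs in sorted(regions.items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({sz:#x})" for s, e, sz in regs])
    # same-image parent links taken from the process tree in this report
    print(remapped_children(regions, {3236: 2956, 178812: 3464}))
```

Run on the report's rows this gives 0x62000 bytes at 0x400000 in 2956 and 3464 (the packed parents) but only 0xB000 bytes at the same base in 3236 and 178812, the children started from the same files; 3236 additionally holds a 0x62000-byte UPX region at 0x3260000. A child of the same executable whose image at 0x400000 is a different size from its parent's has had that image replaced, which is the same story the SetThreadContext rows below tell from the API side.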
Drops file in Program Files directory (1 IoC)
description | ioc | process
File created | C:\PROGRA~3\LOCALS~1\Temp\msbkiaw.bat | svchost.exe
Note that PROGRA~3 is an 8.3 short name: on a default Windows 7 x64 install PROGRA~1 and PROGRA~2 are the two Program Files directories and PROGRA~3 is commonly C:\ProgramData, so resolve the long path before relying on the "Program Files" label.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skyrpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skyrpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skyrpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
178872 | skyrpe.exe
Suspicious behavior: MapViewOfSection (1 IoC)
pid | process
178872 | skyrpe.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | process
Token: SeDebugPrivilege | 178812 | skyrpe.exe (the same entry is recorded 17 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | process
2956 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
3236 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
3464 | skyrpe.exe
178812 | skyrpe.exe
Suspicious use of WriteProcessMemory (39 IoCs, shown here de-duplicated with the number of identical entries)
description | pid | process | procid_target | entries
PID 2956 wrote to memory of 3236 | 2956 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe | 31 | 8
PID 3236 wrote to memory of 3380 | 3236 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe | 32 | 4
PID 3380 wrote to memory of 3428 | 3380 | cmd.exe | 34 | 4
PID 3236 wrote to memory of 3464 | 3236 | 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe | 35 | 4
PID 3464 wrote to memory of 178812 | 3464 | skyrpe.exe | 36 | 8
PID 3464 wrote to memory of 178872 | 3464 | skyrpe.exe | 37 | 7
PID 178872 wrote to memory of 179004 | 178872 | skyrpe.exe | 38 | 4
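Read together, the SetThreadContext and WriteProcessMemory tables separate the injection from the noise: every parent in this tree wrote into every child it spawned (cmd.exe into reg.exe included), because CreateProcess itself does that, but only three parent/child pairs also had their thread context rewritten. The script below is an added example, not part of the sandbox report: PROCESSES, WRITE_MEMORY and SET_THREAD_CONTEXT are transcribed from the report's process tree and the two signature tables with duplicate rows collapsed, and the classification rules are the author's, not the sandbox's.

```python
"""Separate real process-hollowing pairs from ordinary CreateProcess noise.

Added example, not part of the sandbox report. PROCESSES, WRITE_MEMORY and
SET_THREAD_CONTEXT are transcribed from the report's process tree and its
SetThreadContext / WriteProcessMemory tables with duplicate rows collapsed;
the classification rules are the author's, not the sandbox's.
"""
import ntpath

SAMPLE = "591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SKYRPE = r"C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"

# pid -> (image path, parent pid)
PROCESSES = {
    2956:   (ntpath.join(TEMP, SAMPLE), None),
    3236:   (ntpath.join(TEMP, SAMPLE), 2956),
    3380:   (r"C:\Windows\SysWOW64\cmd.exe", 3236),
    3428:   (r"C:\Windows\SysWOW64\reg.exe", 3380),
    3464:   (SKYRPE, 3236),
    178812: (SKYRPE, 3464),
    178872: (SKYRPE, 3464),
    179004: (r"C:\Windows\syswow64\svchost.exe", 178872),
}
# (source pid, target pid) pairs; the report lists each several times
WRITE_MEMORY = {(2956, 3236), (3236, 3380), (3380, 3428), (3236, 3464),
                (3464, 178812), (3464, 178872), (178872, 179004)}
SET_THREAD_CONTEXT = {(2956, 3236), (3464, 178812), (3464, 178872)}


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def classify(processes, writes, set_context):
    """One finding per parent->child pair that both wrote the child's memory
    and reset its thread context: the hollowing / RunPE sequence (create the
    child suspended, overwrite its image, SetThreadContext to the new entry
    point, resume)."""
    findings = []
    for src, dst in sorted(writes):
        src_image, _ = processes[src]
        dst_image, dst_parent = processes[dst]
        if dst_parent != src:
            continue  # writes into non-children are the remote-injection case, not handled here
        if (src, dst) not in set_context:
            # CreateProcess writes the new child's startup data itself, so a
            # WriteProcessMemory into a fresh child with no thread-context
            # change is not evidence of injection on its own.
            continue
        if ntpath.basename(src_image).lower() == ntpath.basename(dst_image).lower():
            kind = "self-hollowing: a copy of the parent's own image is overwritten"
        elif is_system_image(dst_image):
            kind = "hollowing of a system binary"
        else:
            kind = "hollowing of an unrelated image"
        findings.append({"source": src, "target": dst,
                         "target_image": ntpath.basename(dst_image), "kind": kind})
    return findings


def ancestry(processes, pid):
    """Spawn chain for an alert, innermost process first."""
    chain = []
    while pid is not None:
        image, parent = processes[pid]
        chain.append(f"{ntpath.basename(image)}[{pid}]")
        pid = parent
    return " <- ".join(chain)


if __name__ == "__main__":
    for f in classify(PROCESSES, WRITE_MEMORY, SET_THREAD_CONTEXT):
        print(f"{f['kind']}: {ancestry(PROCESSES, f['target'])}")
```

On the report's data this flags 2956 -> 3236, 3464 -> 178812 and 3464 -> 178872, all three self-hollowing of a second copy of the same executable, and stays silent on cmd.exe -> reg.exe and on 178872 -> svchost.exe, for which the report records writes but no SetThreadContext. That silence is a limit of the evidence, not a clean bill: the svchost.exe is the process that then writes the policy Run key, so on a Sysmon host the next thing to pull for that pair is the ProcessAccess (event 10) GrantedAccess mask.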
Processes (indentation shows the parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe (PID 2956)
  command line: "C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe (PID 3236)
    command line: "C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3380)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGEVT.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 3428)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 3464)
      command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 178812)
        command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 178872)
        command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\syswow64\svchost.exe (PID 179004)
          command line: C:\Windows\syswow64\svchost.exe
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 139B
MD5: 0654f004b2e314bad7f75867e91da37d
SHA1: 4232c22e7340b12108d86e3cb35ed288a3dbc7f1
SHA256: ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
SHA512: dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553
File 2
Filesize: 392KB
MD5: 3d4fce8824e6db5a8c910c449b94bc1b
SHA1: da8e84b4d98a48acefce51e863c4dd20a33a2670
SHA256: 6b21088170105963f936421197568949e5655e57af0fcd2e96093808a2b4aa32
SHA512: 590b373b54a087c901b92a29600aa0a75d023fe5426d9bc90b788794ba306ca6ceca719150b3759a4e1bb942a88ca36720742413a7057c5f3d238aa2a4880bf7
Note: the report does not name either file; the second one has the same size as the submitted sample but different hashes, so it is not a byte-identical copy.