116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8

General

Target

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Size

157KB
MD5

40646f36fe5551b18f86e945a11d2f36
SHA1

f661b05894fe03cde6352fabb93127d660707a81
SHA256

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8
SHA512

5223bae9e85e245bea47964f43baaff6c9498a6306c2d2a5436e21da7eef8c00da5ae406c6379bf897083b963e6c2eef84afe66b2edde2cd2d7f8f3e9206bd93

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE ZeroAccess Outbound udp traffic detected
suricata: ET MALWARE ZeroAccess Outbound udp traffic detected
suricata
suricata: ET MALWARE ZeroAccess udp traffic detected
suricata: ET MALWARE ZeroAccess udp traffic detected
suricata
Executes dropped EXE 2 IoCs

Processes:

Explorer.EXEservices.exe

pid process

1296 Explorer.EXE
464 services.exe

pid	process
1296	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\\n."	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\\n."	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe

pid	process
1208	cmd.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

description	pid	process	target process
PID 1312 set thread context of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

description	ioc	process
File created	C:\Windows\Installer\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\@	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
File created	C:\Windows\Installer\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\n	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

Modifies registry class 6 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\\n."	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\\n."	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\clsid	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

pid	process
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Token: SeDebugPrivilege	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Token: SeDebugPrivilege	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe

description	pid	process	target process
PID 1312 wrote to memory of 1296	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	Explorer.EXE
PID 1312 wrote to memory of 1296	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	Explorer.EXE
PID 1312 wrote to memory of 464	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	services.exe
PID 1312 wrote to memory of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe
PID 1312 wrote to memory of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe
PID 1312 wrote to memory of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe
PID 1312 wrote to memory of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe
PID 1312 wrote to memory of 1208	1312	116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe	cmd.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1296

C:\Users\Admin\AppData\Local\Temp\116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe
"C:\Users\Admin\AppData\Local\Temp\116d0c92d929775aca86bfc287a11b77094ba4538bd7db2c2b1dce1f40e6c6a8.exe"
2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\n
Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\??\globalroot\systemroot\Installer\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\n
Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\Users\Admin\AppData\Local\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\n
Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\Windows\Installer\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\n
Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{9192de6c-db12-e337-43b7-e8b785ccf2d7}\@
Filesize
2KB

MD5
64b5f9083de80181d02caf6571353b6e

SHA1
c223290604f731b6291fd435ce1cee6cafe2094f

SHA256
d3453910508c52a242dceee34fce81bcbd661fdb8fe25ac5382694e22086af0e

SHA512
238713465a7932696d7936db88428170e22fecb7c79849cd248addeb998ff38d95df63edb79b0193cf44771759ad4cb93cfd6e3ca633f0315f8985b525c16bca

Download Submit
memory/1208-64-0x0000000000000000-mapping.dmp

Download
memory/1312-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-58-0x00000000004CF000-0x00000000004EE000-memory.dmp

Filesize
124KB

Download
memory/1312-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-63-0x00000000004CF000-0x00000000004EE000-memory.dmp

Filesize
124KB

Download
memory/1312-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1312-66-0x00000000004CF000-0x00000000004EE000-memory.dmp

Filesize
124KB

Download
memory/1312-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads