fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211

General

Target

fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Size

218KB
MD5

60246f41a2f8b74387e8ef2273205d34
SHA1

f441ea5adbc9bcfb3e4e91d08dd8721dd85f12db
SHA256

fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211
SHA512

320ae71872479c9281832ef36f0625e94c3d8fd86f5b32199bb7f65e518a2c971a1274b541afc8ff07b9fbc0f15191f77c9c6e4cb3de8472c58b85836d139570
SSDEEP

3072:XDTDTD8ft6upCJ4oATyIj/Z4/Hb17mnGDIHMhzf+p3fliT6wo33RVsTvG:XXXIUuFoAT/r2j17mnOzDI3gWwifW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\o."	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\o."	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1632 set thread context of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1632 set thread context of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\o."	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\o."	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@\:@	services.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Token: SeDebugPrivilege	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Token: SeDebugPrivilege	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1632 wrote to memory of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1632 wrote to memory of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1632 wrote to memory of 1372	1632	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	27
PID 1372 wrote to memory of 1268	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	8
PID 1372 wrote to memory of 1268	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	8
PID 1372 wrote to memory of 460	1372	fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268
- C:\Users\Admin\AppData\Local\Temp\fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
  "C:\Users\Admin\AppData\Local\Temp\fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe
    "C:\Users\Admin\AppData\Local\Temp\fe3a4ffe234d3fa625f6895483dcc36b71600b7621739c248da685671aaa6211.exe"
    3⤵
    - Modifies security service
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1372

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@

Filesize
2KB

MD5
855ef3edd9e837853e5be6fe7af0ba7c

SHA1
408d691e58c7668c04a2c4bfbbdb5117e8406ae0

SHA256
7e4174925cf1dee552e700d6005d68ea60fa729b821f078a0e9c65f5583ec178

SHA512
2d2893e044a1fb5facb69571f9ddec0026c7085c75b03129ef3f4a404ca352c7b5deb4c4d05f957f2104820b92338b790a14a79cf823a49e24cc0331ca109179

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\o

Filesize
27KB

MD5
d1c8cfb5ebf2fbf89e279fd52910c2c7

SHA1
a42fa580f41e92d216f06d22c34482f4dc377a2e

SHA256
4b3604837ca49a9cf95b2f4284f9690e543a5e69354bbaddfb36206248d96357

SHA512
373b472cd2161e6baaf55f401414dc4e61b2eef6877433268c649baae5ada714b04b9cbbac29bd2ff548562ebb4cc1fb80ebd0015ba6ccabb2a5c2f0447f0459

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\o

Filesize
27KB

MD5
d1c8cfb5ebf2fbf89e279fd52910c2c7

SHA1
a42fa580f41e92d216f06d22c34482f4dc377a2e

SHA256
4b3604837ca49a9cf95b2f4284f9690e543a5e69354bbaddfb36206248d96357

SHA512
373b472cd2161e6baaf55f401414dc4e61b2eef6877433268c649baae5ada714b04b9cbbac29bd2ff548562ebb4cc1fb80ebd0015ba6ccabb2a5c2f0447f0459

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\o

Filesize
27KB

MD5
d1c8cfb5ebf2fbf89e279fd52910c2c7

SHA1
a42fa580f41e92d216f06d22c34482f4dc377a2e

SHA256
4b3604837ca49a9cf95b2f4284f9690e543a5e69354bbaddfb36206248d96357

SHA512
373b472cd2161e6baaf55f401414dc4e61b2eef6877433268c649baae5ada714b04b9cbbac29bd2ff548562ebb4cc1fb80ebd0015ba6ccabb2a5c2f0447f0459

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\o

Filesize
27KB

MD5
d1c8cfb5ebf2fbf89e279fd52910c2c7

SHA1
a42fa580f41e92d216f06d22c34482f4dc377a2e

SHA256
4b3604837ca49a9cf95b2f4284f9690e543a5e69354bbaddfb36206248d96357

SHA512
373b472cd2161e6baaf55f401414dc4e61b2eef6877433268c649baae5ada714b04b9cbbac29bd2ff548562ebb4cc1fb80ebd0015ba6ccabb2a5c2f0447f0459

Download Submit
memory/1372-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1372-65-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/1372-59-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1372-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1632-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-63-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/1632-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing