ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356

General

Target

ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Size

112KB
MD5

a2538c6804d919709078c918c87ac2ac
SHA1

3052c8c6f61269c6d2ce8a4ec70c22be89f5c704
SHA256

ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356
SHA512

4b55fbac9703bcc74f2f95a7300c03bcdb41a6236a6c1b1eb05e29e81dc14f7ff2eeaaa762763fa739d8d466c0755f0286b8349ff1c44ef003ffe9860df76f05
SSDEEP

3072:zZjurA1K+w7KMuu1F+/jmSkmngV5CvMKT:1V9pj/2+2Ql

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe = "c:\\users\\admin\\appdata\\local\\temp\\ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe:*:Enabled:SMPN"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wservices = "c:\\windows\\wservices.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wservices\ImagePath = "c:\\windows\\wservices.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wservices = "c:\\windows\\wservices.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wservices = "c:\\windows\\wservices.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\j:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\h:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\q:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\m:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\k:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\g:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\z:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\u:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\s:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\x:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\n:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\e:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\f:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\y:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\p:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\o:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\l:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\i:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\w:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\v:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened (read-only)	\??\r:	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\mui\rctfd.sys	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened for modification	\??\c:\windows\wservices.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\lsassv.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened for modification	\??\c:\windows\msrpc.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\regedit2.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened for modification	\??\c:\windows\regedit2.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\wservices.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened for modification	\??\c:\windows\lsassv.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\msrpc.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File created	\??\c:\windows\calc.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
File opened for modification	\??\c:\windows\calc.exe	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "159"	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1416	ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe

C:\Users\Admin\AppData\Local\Temp\ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe
"C:\Users\Admin\AppData\Local\Temp\ed5ddb3e232beed6a282ae611354f23f52d19608902cacc2c8603d08f47e4356.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1416