6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b

General

Target

6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Size

308KB
MD5

0c2a1766abf78ca0185ccdf3c95fd762
SHA1

5d5a058df1a326dabfd15b6d6966a607c840aa2d
SHA256

6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b
SHA512

e303a74b0f68a2740b8e861990e8157f35af20bf2000e1085716704ab4b3e855ace0bb339838a06bd82b7897c7f74fd555df2260854bdefaf43ea5241fc9c0b4
SSDEEP

6144:fWs8Q7HJkxrWTS9SgRxkWiZHqB46OuGnyEf:18QzJlSI0xdiFqBNGf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Executes dropped EXE 2 IoCs

pid	Process
1260	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-999675638-2867687379-27515722-1000\\$f545a6cb63874d75375b4ac5befd06b3\\n."	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$f545a6cb63874d75375b4ac5befd06b3\\n."	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1424 set thread context of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1424 set thread context of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\clsid	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-999675638-2867687379-27515722-1000\\$f545a6cb63874d75375b4ac5befd06b3\\n."	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$f545a6cb63874d75375b4ac5befd06b3\\n."	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Token: SeDebugPrivilege	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Token: SeDebugPrivilege	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1424 wrote to memory of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1424 wrote to memory of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1424 wrote to memory of 1852	1424	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	26
PID 1852 wrote to memory of 1260	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	11
PID 1852 wrote to memory of 1260	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	11
PID 1852 wrote to memory of 460	1852	6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe	2

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260
- C:\Users\Admin\AppData\Local\Temp\6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
  "C:\Users\Admin\AppData\Local\Temp\6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe
    "C:\Users\Admin\AppData\Local\Temp\6c6528eeb384187114d04f393d9756a357070b5974de42ab46a60c30b3bfb65b.exe"
    3⤵
    - Modifies security service
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\@

Filesize
2KB

MD5
2f56b53bf49295978ee49d3fc16df42a

SHA1
244dc6b6a013cd9bb1f8f0dbd2a0438a0b14244f

SHA256
c508a94a40b283ddfb0771d54189a91ec990417edd281773ad193eceb39b8d6b

SHA512
cef82737bd684b2ff63e53ab6016c05faf5467274c0a47752fbb7b9dc9ff0cae3cf4e4d61bc8b94d83adec8a17a80f51a2ab9da6ede53602ef13b6cf655e6b66

Download Submit
C:\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1424-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1424-63-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/1424-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1852-65-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/1852-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-59-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/1852-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing