de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842

General

Target

de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Size

125KB
MD5

93e0190fb027672f386ddce1b0737503
SHA1

e2b3d325a2ed0f9224815141d00970510fc527ef
SHA256

de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842
SHA512

84d1cad7e3df859d711ba5a54d9a3938417758ba14ab0bb9c45d419d7d876996cf2a10f992e460d4ec80355152c0019332b3cc7e34c6f6903833ad0139b3fa33
SSDEEP

3072:HTh+VUnCPMTADCcjKZxzYrm8Xp5fs9YxIJF:HAoCP0ACBzYXp5E9YqJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Executes dropped EXE 2 IoCs

pid	Process
1424	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1468 set thread context of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1468 set thread context of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\en-US:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
468	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1424	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Token: SeDebugPrivilege	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Token: SeDebugPrivilege	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
Token: SeDebugPrivilege	468	services.exe
Token: SeBackupPrivilege	468	services.exe
Token: SeRestorePrivilege	468	services.exe
Token: SeSecurityPrivilege	468	services.exe
Token: SeTakeOwnershipPrivilege	468	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1468 wrote to memory of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1468 wrote to memory of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1468 wrote to memory of 1748	1468	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	27
PID 1748 wrote to memory of 1424	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	14
PID 1748 wrote to memory of 1424	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	14
PID 1748 wrote to memory of 468	1748	de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe	2

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1424
- C:\Users\Admin\AppData\Local\Temp\de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
  "C:\Users\Admin\AppData\Local\Temp\de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe
    "C:\Users\Admin\AppData\Local\Temp\de4865ba37f0e3a13018ad34a0be6298fc75606f6e292f0d62111efafa811842.exe"
    3⤵
    - Modifies security service
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\@

Filesize
2KB

MD5
5e1cf86df65d97dcdd5437c8f4ab51d6

SHA1
1fc061458afa17012b988a98e6eb4c6ced5f8c6e

SHA256
794c9d112ef3b5854595f9805d8940f634dcd1c3e95a1ca77e593beab970e5f7

SHA512
17cf55457b89e1d155668b528d73b571949e38f2d47b2c09676149b28d6c831f3131e038bf1ff41d6582d5c1f5ced93bdfd86b317b9452a5a950e2ffc4880a00

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1468-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1468-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-63-0x0000000000240000-0x000000000027C000-memory.dmp

Filesize
240KB

Download
memory/1748-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing