417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc

General

Target

417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Size

187KB
MD5

8315452376df44f14cca47b0c787da21
SHA1

b30169d697c56a47638240e7eb393913c96d907b
SHA256

417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc
SHA512

0634b339c20984401bbcc03b188c90f104eb73c9205227490f44206cf2f1f34b60b26c671d55a867da90638832c736f17ca0991abdc25aa4397c1b67f5f7df3d
SSDEEP

3072:+xbnkOSiUOlKINlfslQ8bO9dMeR7v1L5qDNSO91ha41QKondgm9yurR0:ATEOlKI3slQ/9d1T1An1hF+gerG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1368	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe

Deletes itself 1 IoCs

pid	Process
676	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Token: SeDebugPrivilege	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Token: SeDebugPrivilege	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
Token: SeBackupPrivilege	468	services.exe
Token: SeRestorePrivilege	468	services.exe
Token: SeSecurityPrivilege	468	services.exe
Token: SeTakeOwnershipPrivilege	468	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1368	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	10
PID 1696 wrote to memory of 1368	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	10
PID 1696 wrote to memory of 468	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	2
PID 1696 wrote to memory of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27
PID 1696 wrote to memory of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27
PID 1696 wrote to memory of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27
PID 1696 wrote to memory of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27
PID 1696 wrote to memory of 676	1696	417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe	27

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1368
- C:\Users\Admin\AppData\Local\Temp\417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe
  "C:\Users\Admin\AppData\Local\Temp\417d235f12e8e7901140f0f7218fa993f27256b70b99def6a0eb5a5ac9ff5acc.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\@

Filesize
2KB

MD5
bc4134e350cc02b2f90c880454cc2543

SHA1
74a45da34c5dce182b92dfa6d85f5b2fa18994d6

SHA256
2cf0bbf3d64caadb13c0d17b6b7b7620aad4bc18e820fa6e8245d0dd3b7fd33c

SHA512
c7dfbec06d37011b494546ea83594ea5629dd5b052dfdbb37d0e3b4ef269fc31ccb3101bdfdaff6d1ef16c8852317a1558a3a32f270552bed6d48f39dd9a9ca5

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1368-65-0x000007FEFB570000-0x000007FEFB6B3000-memory.dmp

Filesize
1.3MB

Download
memory/1368-66-0x000007FF272E0000-0x000007FF272EA000-memory.dmp

Filesize
40KB

Download
memory/1696-59-0x000000000064A000-0x0000000000668000-memory.dmp

Filesize
120KB

Download
memory/1696-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x000000000064A000-0x0000000000668000-memory.dmp

Filesize
120KB

Download
memory/1696-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing