5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab

General

Target

5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Size

223KB
MD5

2de155730d09862355b062799986fc8c
SHA1

4d4f2de1f7b05bea4914c4bc966a584021e8adc3
SHA256

5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab
SHA512

d2bc5a03146a53e978b8967e9e0c4d5a344155e30edcd2e9c198d20525a01210add64405ea84f41fc772e4ffebb2aa8f172526c5e862052f03eff6b928c5542d
SSDEEP

3072:BEHPJBytw176VhQO3c5ZxW5R1cmgwq18KGm0usOLUUG:Byhwq1eHQO3chCcTwSdAeH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1044 set thread context of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1044 set thread context of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\en-US:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Token: SeDebugPrivilege	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Token: SeDebugPrivilege	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1044 wrote to memory of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1044 wrote to memory of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1044 wrote to memory of 1428	1044	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	27
PID 1428 wrote to memory of 1268	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	11
PID 1428 wrote to memory of 1268	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	11
PID 1428 wrote to memory of 460	1428	5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe	2

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268
- C:\Users\Admin\AppData\Local\Temp\5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
  "C:\Users\Admin\AppData\Local\Temp\5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe
    "C:\Users\Admin\AppData\Local\Temp\5be71d9491e7b7f2397df2b73fa7931396bef1f222fc781196c18ac90ca7a3ab.exe"
    3⤵
    - Modifies security service
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@

Filesize
2KB

MD5
06c71957ce74314cf8db332beb94dde8

SHA1
b0f112f28a4b141574d020e926dbfcb73b5454d2

SHA256
268f54d0b0cfab334598b75de47161fd20bf92e16f80be63e0996912d732dd28

SHA512
f2389a18cc28d75e6e9ea416c549ffe18e1330ed7637777a3e97e5b8b6af5db67754e425fe200f1eca38d27295b43f53a1ede33679dd63ec63cba78c661a92c7

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1044-63-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/1044-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1044-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1428-59-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/1428-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1428-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing