cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a

General

Target

cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Size

207KB
MD5

538e6dbfe6c5cb1e8e98c2e8e553a0c6
SHA1

bfe346ca0074aae3fb9fb6d2fb721ec1193e3d4a
SHA256

cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a
SHA512

770c0aa6b12e5027772e8c7ff3a0aec45a36b8b4c2cc24835190559e860cf43c13a17264733a667f411ca8f0650af0ff7b4e62491a0a88691db7d96314b16161
SSDEEP

3072:5pTgs2gF1r+W6Ei5RaXRwFd6NnS2jbxWGqt:5pTbDFt+W6VLabNnSbGq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Executes dropped EXE 2 IoCs

pid	Process
1200	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-575491160-2295418218-1540667289-1000\\$d8cbad8218b4fba1f61311c2aaa4e168\\n."	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d8cbad8218b4fba1f61311c2aaa4e168\\n."	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 864 set thread context of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 864 set thread context of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-575491160-2295418218-1540667289-1000\\$d8cbad8218b4fba1f61311c2aaa4e168\\n."	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d8cbad8218b4fba1f61311c2aaa4e168\\n."	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\clsid	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Token: SeDebugPrivilege	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Token: SeDebugPrivilege	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 864 wrote to memory of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 864 wrote to memory of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 864 wrote to memory of 268	864	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	28
PID 268 wrote to memory of 1200	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	8
PID 268 wrote to memory of 1200	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	8
PID 268 wrote to memory of 460	268	cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe	22

C:\Users\Admin\AppData\Local\Temp\cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
"C:\Users\Admin\AppData\Local\Temp\cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe
  "C:\Users\Admin\AppData\Local\Temp\cd41dab255b50090ce9fef72d6b1c4226c3bf885527c326eba8b90e491ae801a.exe"
  2⤵
  - Modifies security service
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d8cbad8218b4fba1f61311c2aaa4e168\@

Filesize
2KB

MD5
a3403ba3af9e69a8c746f621d9869fda

SHA1
5db32c1c6be7bc3ef763cd76b890241b4528fab7

SHA256
859ca56057a28f5bc77a7d34ccaff1de659c3f5b69518431af700d5afbb64cf4

SHA512
1bc61868f7225c5d4f479b5eae3da1d3187db31d8e6c761c505230527613b9dfb065c215d332eb3864dbe361ac66515c69e7b502bef4dd3dec18330413d5de64

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d8cbad8218b4fba1f61311c2aaa4e168\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-575491160-2295418218-1540667289-1000\$d8cbad8218b4fba1f61311c2aaa4e168\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$d8cbad8218b4fba1f61311c2aaa4e168\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-575491160-2295418218-1540667289-1000\$d8cbad8218b4fba1f61311c2aaa4e168\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/268-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/268-63-0x0000000000380000-0x00000000003BC000-memory.dmp

Filesize
240KB

Download
memory/268-61-0x00000000002E0000-0x000000000030B000-memory.dmp

Filesize
172KB

Download
memory/268-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/864-60-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-59-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/864-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing