102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337

General

Target

102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Size

175KB
MD5

52f06b92eeb0c10dee048bcfde75fccf
SHA1

4ae99fcd71b1633d54ce73550f4f8fddcb02d0a5
SHA256

102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337
SHA512

e19e54a236e9a38aac4c9d52260df1d5481acd1d49632b3d35f52ca600fa61e5a59750cf647d42206bb0c7f026289edc35f1a4a04d29976559045b43ab49c113
SSDEEP

3072:a2gr9xeinoMEZi3nHJl+cLjvAGvs1XOJaHO0hWf/xFNiqipS+97jlI9Ajis9KXW:aP9xRoMEZ8aczvsJOJaHgPNiqV47+9fu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1404	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe

Deletes itself 1 IoCs

pid	Process
1696	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Token: SeDebugPrivilege	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Token: SeDebugPrivilege	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1404	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	16
PID 1980 wrote to memory of 1404	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	16
PID 1980 wrote to memory of 460	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	2
PID 1980 wrote to memory of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28
PID 1980 wrote to memory of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28
PID 1980 wrote to memory of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28
PID 1980 wrote to memory of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28
PID 1980 wrote to memory of 1696	1980	102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404
- C:\Users\Admin\AppData\Local\Temp\102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe
  "C:\Users\Admin\AppData\Local\Temp\102ec5eafb430627aa8545e14a53131b16eb513094e6ddeaf0d12b4765af5337.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@

Filesize
2KB

MD5
1889913af0c1af829f70a89abcdb6a1c

SHA1
182108450420ac75f345b80cfe67ac19c5865591

SHA256
d3909e576f7933bbe983af43bf08dec7399a596a343b2d4158dd4af114e42bfc

SHA512
e24c361888465cb6f09dc0716e3c1f7ba1a471fa9aed820f9df10d73df1de1e9c197444ec208d8bf3b26d056f9bdc7eee21a75320f46dced4539d0e4f1a4723d

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1696-62-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1980-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-58-0x00000000004BE000-0x00000000004E2000-memory.dmp

Filesize
144KB

Download
memory/1980-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-64-0x00000000004BE000-0x00000000004E2000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing