6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e

General

Target

6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Size

167KB
MD5

480617cdb358533aa5d6f679dba14c75
SHA1

02e01a1ecdd509976d68853c466b18828fe460f3
SHA256

6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e
SHA512

b1320e1a1b0e8104986691436f4932ae75e00e25afdc969197509ff56316132cea0cc133d11ad4fc4c0242a7823f91743e94645207f99c1287e419669c5eb088
SSDEEP

3072:kHzxDIlNXHiuseOxn9jtaVDTBssxJunHddjaWnW4/EHyuDgbm2CjKJsvf:G6XHZOha5CsxJun7bSfgbxC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1212	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe

Deletes itself 1 IoCs

pid	Process
556	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Token: SeDebugPrivilege	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Token: SeDebugPrivilege	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1212	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	19
PID 1308 wrote to memory of 1212	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	19
PID 1308 wrote to memory of 460	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	2
PID 1308 wrote to memory of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27
PID 1308 wrote to memory of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27
PID 1308 wrote to memory of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27
PID 1308 wrote to memory of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27
PID 1308 wrote to memory of 556	1308	6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe	27

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe
  "C:\Users\Admin\AppData\Local\Temp\6cdacca78b85e2645d17e3fbd8b76c7ccba38db4c018179aa0a283c7058a956e.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\@

Filesize
2KB

MD5
9a10521137fbbfec888fa8393ebff6af

SHA1
92eb82b9329af9a86580fd39963547f1c5c62e00

SHA256
b0fc2c3c490174211f24a456526660122ea172733f1ad8d65f8b1bacfb0186d8

SHA512
11c7291ca030179f9a2fa2ae8475a0f2ba6e56c8be7691dfc2b0cbd5acbc6ce050ee8434cbc68fdafd53033dce485ada9e02944c4b72d5be2e3b18c36b3dca49

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1308-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1308-61-0x000000000060B000-0x000000000061E000-memory.dmp

Filesize
76KB

Download
memory/1308-62-0x000000000060B000-0x000000000061E000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing