fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9

General

Target

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Size

178KB
MD5

10a1d3076e341bc58eb877812af28831
SHA1

4ac987f8d220168d089d86f3e47810f67fb4c889
SHA256

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9
SHA512

9f45ef560a8e3091d232032656810f31521ae7913fe5a437d80b3065e791decf5722c70a9283f19bb59acb3ad1508d2cdaf3535fcf85c564b85fb0f364e93579
SSDEEP

3072:ovbnG14mgBkAV7y9rwOWqdIQhY4IC4ilDG0UQ2Vf8RjPrd:AGGkAc9tdIOYC4iFUQ2BAzrd

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{94b51c16-0cef-92dd-5e85-d337991aa9a5}\\n."	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.193.74.13
Destination IP	91.193.74.13
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.193.74.13
Destination IP	91.193.74.13

Modifies registry class 5 IoCs

Processes:

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\clsid	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{94b51c16-0cef-92dd-5e85-d337991aa9a5}\\n."	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

pid	process
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2628 Explorer.EXE

pid	process
2628	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Token: SeDebugPrivilege	1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Token: SeDebugPrivilege	1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2628 Explorer.EXE
2628 Explorer.EXE

pid	process
2628	Explorer.EXE
2628	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

description	pid	process	target process
PID 1788 wrote to memory of 2628	1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe	Explorer.EXE
PID 1788 wrote to memory of 2628	1788	fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2628

C:\Users\Admin\AppData\Local\Temp\fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
"C:\Users\Admin\AppData\Local\Temp\fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe"
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-135-0x00000000004A3000-0x00000000004C6000-memory.dmp

Filesize
140KB

Download
memory/1788-133-0x00000000004A3000-0x00000000004C6000-memory.dmp

Filesize
140KB

Download
memory/1788-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-142-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-144-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-137-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-138-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-139-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-140-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-141-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-134-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/2628-143-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2628-136-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2628-145-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2628-146-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-147-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-148-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-149-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-150-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-151-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-152-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2628-153-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads