a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9

General

Target

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Size

170KB
MD5

dda8981aee97a3408462bc92458aed39
SHA1

1efdfbde1119d532d6e7fb33b82c19d89b9486f4
SHA256

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9
SHA512

bc6ffcf55424e3694822383885a3848ccf1cfbd83dfe747692fbdbdf5898988a1822be1f0edae01eefc3aece34392c41df21b202c2d1e4c763e64bd87055a2f3
SSDEEP

3072:2O+0vRk64ySxQytIlLGgl74TS+uoyNVfsh/yLtcsOFJFwAqUFIe9W3wZ219V3BGJ:XVvRuyIuRGg5Kuo6shvsOFJFwd4QwZEE

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	services.exe

Modifies security service 2 TTPs 24 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap	services.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\\n."	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe

pid	process
1528	cmd.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

Processes:

services.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini services.exe
File created \systemroot\assembly\GAC_32\Desktop.ini services.exe

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	pid	process	target process
PID 2036 set thread context of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	ioc	process
File created	C:\Windows\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
File created	C:\Windows\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\n	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Modifies registry class 5 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\clsid	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\\n."	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exeservices.exe

pid	process
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
460	services.exe
2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE

pid	process
1272	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exeservices.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Token: SeDebugPrivilege	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Token: SeDebugPrivilege	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Token: SeDebugPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	pid	process	target process
PID 2036 wrote to memory of 1272	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	Explorer.EXE
PID 2036 wrote to memory of 1272	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	Explorer.EXE
PID 2036 wrote to memory of 460	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	services.exe
PID 2036 wrote to memory of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe
PID 2036 wrote to memory of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe
PID 2036 wrote to memory of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe
PID 2036 wrote to memory of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe
PID 2036 wrote to memory of 1528	2036	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	cmd.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies firewall policy service
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272

C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
"C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe"
2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\systemroot\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@
Filesize
2KB

MD5
6d740b93fad9f41b807f314fd6a33f35

SHA1
b43fa116b5da12d6a168d0bf17eb6fe0268f5bce

SHA256
d2a706a126e88da8f4ac52b9a501599398f4ebb2e666fcc4130d8e579a123503

SHA512
5ac1acad2bba4d784b34c57fd803446620a291a85279f8a4d5a8365e23bb349d3a442542fbb79e6d822ec95546fd263c6347532c39ac9c6683ffc1501f1d6b91

Download Submit
memory/460-78-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/460-83-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/460-82-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/460-79-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/460-80-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/460-74-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/1272-61-0x0000000002B10000-0x0000000002B1F000-memory.dmp

Filesize
60KB

Download
memory/1272-69-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

Filesize
48KB

Download
memory/1272-67-0x0000000002B20000-0x0000000002B2F000-memory.dmp

Filesize
60KB

Download
memory/1272-66-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

Filesize
48KB

Download
memory/1272-57-0x0000000002B10000-0x0000000002B1F000-memory.dmp

Filesize
60KB

Download
memory/1272-65-0x0000000002B10000-0x0000000002B1F000-memory.dmp

Filesize
60KB

Download
memory/1528-84-0x0000000000000000-mapping.dmp

Download
memory/2036-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-54-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2036-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-56-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2036-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads