a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9

General

Target

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Size

170KB
MD5

dda8981aee97a3408462bc92458aed39
SHA1

1efdfbde1119d532d6e7fb33b82c19d89b9486f4
SHA256

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9
SHA512

bc6ffcf55424e3694822383885a3848ccf1cfbd83dfe747692fbdbdf5898988a1822be1f0edae01eefc3aece34392c41df21b202c2d1e4c763e64bd87055a2f3
SSDEEP

3072:2O+0vRk64ySxQytIlLGgl74TS+uoyNVfsh/yLtcsOFJFwAqUFIe9W3wZ219V3BGJ:XVvRuyIuRGg5Kuo6shvsOFJFwd4QwZEE

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{e0613d90-9b67-ae60-58f9-584af5f18b89}\\n."	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 83.133.123.20
Destination IP 83.133.123.20
Destination IP 83.133.123.20
Destination IP 83.133.123.20

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 5 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\clsid	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{e0613d90-9b67-ae60-58f9-584af5f18b89}\\n."	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

pid	process
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

760 Explorer.EXE

pid	process
760	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	pid	process
Token: SeDebugPrivilege	5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Token: SeDebugPrivilege	5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Token: SeDebugPrivilege	5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe

description	pid	process	target process
PID 5000 wrote to memory of 760	5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	Explorer.EXE
PID 5000 wrote to memory of 760	5000	a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:760

C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
"C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe"
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-136-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/5000-133-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/5000-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-134-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/5000-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-138-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/5000-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads