301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da

General

Target

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Size

156KB
MD5

823c37dcbc53967e1649e7e47167a965
SHA1

89449923971dcf1970adbb1719d3b1ceb428c2a8
SHA256

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da
SHA512

dbf156e3f2a6b2115a99538ceeb5781f54d85b5b1d4243e06e3fef645ea3577aeb778b45d2c359973744a3713285f15f364e11edcaaf0e3d2644cccecc52f7d6
SSDEEP

3072:PMngP1zP4IKrGpnqIE2Vc4cffB8Pzn0sZTz5btNE:kEwGpLcvnMDJTzJE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Explorer.EXEservices.exe

pid process

1256 Explorer.EXE
464 services.exe

pid	process
1256	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1448 cmd.exe

pid	process
1448	cmd.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

description	pid	process	target process
PID 1652 set thread context of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

description	ioc	process
File created	C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
File created	C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

Modifies registry class 6 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

pid	process
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Token: SeDebugPrivilege	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Token: SeDebugPrivilege	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe

description	pid	process	target process
PID 1652 wrote to memory of 1256	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	Explorer.EXE
PID 1652 wrote to memory of 1256	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	Explorer.EXE
PID 1652 wrote to memory of 464	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	services.exe
PID 1652 wrote to memory of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe
PID 1652 wrote to memory of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe
PID 1652 wrote to memory of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe
PID 1652 wrote to memory of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe
PID 1652 wrote to memory of 1448	1652	301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe	cmd.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\Users\Admin\AppData\Local\Temp\301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe
"C:\Users\Admin\AppData\Local\Temp\301419811ac9bfb99c27364468fec30425cc439ec989af7b8a3a00e90b0b83da.exe"
2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\??\globalroot\systemroot\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\Users\Admin\AppData\Local\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@

Filesize
2KB

MD5
ffb80b9d6a43a14e816774d798917f05

SHA1
15916c4a6be7e3a00e4e0ad5d5d30fe31c585396

SHA256
2adb95f9a8907b8e5510d77a9b364f9e10fb2735a7e6058f1779826aa470678c

SHA512
05c1b494ab62266752389db306d617cc99552bb63c9cb6eb7eb773eaab68551189a5871cffad70e08ed4b141af98f3184b0f873698b59f390358d5871c1ab415

Download Submit
memory/1448-64-0x0000000000000000-mapping.dmp

Download
memory/1652-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-58-0x00000000005EE000-0x000000000060D000-memory.dmp

Filesize
124KB

Download
memory/1652-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-63-0x00000000005EE000-0x000000000060D000-memory.dmp

Filesize
124KB

Download
memory/1652-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1652-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-66-0x00000000005EE000-0x000000000060D000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads