8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa

General

Target

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Size

154KB
MD5

f568feb9d9e52e6ca4a2e9c2aa7b6ac1
SHA1

1d54221b8506a4eefe98d7071ec2621c3892bda6
SHA256

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa
SHA512

ee01d4806a2b0f88fb0cc9e7763f41e5dd14f5f34cb64d3e947878ab138ae61c2c390df923f799226fc73ec713c6511982f94f3f4b454d998dd6d32cdb4656e2
SSDEEP

3072:nxbv6QZjOhmD7D2t40Dmq+1b3IHhAF0EL+z+G6j/wGoJ+2:nxbCBc2t40aq+1sGF0Exj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Explorer.EXEservices.exe

pid process

1344 Explorer.EXE
464 services.exe

pid	process
1344	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1380 cmd.exe

pid	process
1380	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	91.195.254.70

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

description	pid	process	target process
PID 1444 set thread context of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe

Modifies registry class 6 IoCs

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

pid	process
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE

pid	process
1344	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Token: SeDebugPrivilege	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Token: SeDebugPrivilege	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe

description	pid	process	target process
PID 1444 wrote to memory of 1344	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	Explorer.EXE
PID 1444 wrote to memory of 1344	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	Explorer.EXE
PID 1444 wrote to memory of 464	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	services.exe
PID 1444 wrote to memory of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe
PID 1444 wrote to memory of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe
PID 1444 wrote to memory of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe
PID 1444 wrote to memory of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe
PID 1444 wrote to memory of 1380	1444	8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe	cmd.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1344

C:\Users\Admin\AppData\Local\Temp\8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe
"C:\Users\Admin\AppData\Local\Temp\8ebef10661973654d41d225ecf491417cb6624a90d3d1dc94408bab0fc1a6bfa.exe"
2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\@
Filesize
2KB

MD5
d7113831b377291f7720f6dcb2ea2777

SHA1
eee3fbd18afa9d1aa6fba1a623a018ba9d1718af

SHA256
ddb40d3369dc76e3c647f2d59a8d84b9179f9b8ee5248ae7e759f308e4f608c7

SHA512
0da1245dd2a577eba3f8e14584724b1e1d1c3892721b4592c15db6b13cda58b46a30a6125bc9031b312421ffad65d71224ed0fd3ca1af719a1f886395e3fb02e

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/1380-63-0x0000000000000000-mapping.dmp

Download
memory/1444-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1444-57-0x00000000005ED000-0x000000000060C000-memory.dmp

Filesize
124KB

Download
memory/1444-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1444-62-0x00000000005ED000-0x000000000060C000-memory.dmp

Filesize
124KB

Download
memory/1444-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1444-65-0x00000000005ED000-0x000000000060C000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads