8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2

General

Target

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Size

160KB
MD5

01183166fbe73829f070df7f433535af
SHA1

12dba89f2c869ff6f12f8005dfb004628e2c983d
SHA256

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2
SHA512

f8f063332a9c68eee507b0131011f577be2e6115991be36721c7dacc723ae0afe78c63e8e58c1f42d32f86475a82f40a4d123d66e4364bf3ad62418062325e56
SSDEEP

3072:KSoqfIPMILiKeWc92Q8wyyfmsaPFwyv9AvEcsmB5Oa0q/2uCzak:HIUILNisDyfmVuxMZq/z8ak

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Explorer.EXEservices.exe

pid process

1432 Explorer.EXE
464 services.exe

pid	process
1432	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1020 cmd.exe

pid	process
1020	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

description	pid	process	target process
PID 1736 set thread context of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe

Modifies registry class 6 IoCs

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

pid	process
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Token: SeDebugPrivilege	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Token: SeDebugPrivilege	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1432 Explorer.EXE
1432 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1432 Explorer.EXE
1432 Explorer.EXE

pid	process
1432	Explorer.EXE
1432	Explorer.EXE

pid	process
1432	Explorer.EXE
1432	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe

description	pid	process	target process
PID 1736 wrote to memory of 1432	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	Explorer.EXE
PID 1736 wrote to memory of 1432	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	Explorer.EXE
PID 1736 wrote to memory of 464	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	services.exe
PID 1736 wrote to memory of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe
PID 1736 wrote to memory of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe
PID 1736 wrote to memory of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe
PID 1736 wrote to memory of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe
PID 1736 wrote to memory of 1020	1736	8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe	cmd.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1432

C:\Users\Admin\AppData\Local\Temp\8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe
"C:\Users\Admin\AppData\Local\Temp\8dee4abfdb21c3f74100f83f388a350e8dbef4c2740a1a9e37fee293f6e09cd2.exe"
2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
Filesize
2KB

MD5
a99c46622cac3cbe8b84c347a80b4eea

SHA1
3c9533360fbf880f8c3104074fb7a3f0d472e3f9

SHA256
cbb7fca6b3da13f8de99d79efa81358a2697416e5c0c9dd13b3787fa4267fa03

SHA512
7db7f4095d3b0b991eef86ac60b5ab96c5a92c79ee5a63a87e84139c7cfacc1f017bd30628e214dae4df26730bea3a9491a7a16a4f9309161eb79a9d241e1d34

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/1020-64-0x0000000000000000-mapping.dmp

Download
memory/1736-56-0x000000000089E000-0x00000000008BD000-memory.dmp

Filesize
124KB

Download
memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1736-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1736-62-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1736-63-0x000000000089E000-0x00000000008BD000-memory.dmp

Filesize
124KB

Download
memory/1736-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1736-66-0x000000000089E000-0x00000000008BD000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads