92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305

General

Target

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Size

168KB
MD5

24d74f4e393403285cb6766dcef5f8ec
SHA1

3fa1f0911384fd9912af47bbc72f79bcde925c2d
SHA256

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305
SHA512

d6bf5c69ed412a1fd59235c2fb7f97574d9adf24f0488dfc1fbdb6f9120f6134790e45fd163d99fc44c65f4138d98114bfb0129c205f1dbac369536c58bb02d0
SSDEEP

3072:CrU8REj7lO48uutkxZeKtsNruxCuZUaHtxb2aQk3O2aT6EXzvRFtmio/67wVsCgq:CrU8aY4TToxN4CkTPp3iVFtmio/67cxS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	services.exe

Modifies security service 2 TTPs 24 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"	services.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1308 cmd.exe

pid	process
1308	cmd.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

Processes:

services.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini services.exe
File created \systemroot\assembly\GAC_32\Desktop.ini services.exe

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

description	pid	process	target process
PID 1896 set thread context of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

description	ioc	process
File created	C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
File created	C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

Modifies registry class 5 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n."	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exeservices.exe

pid	process
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
464	services.exe
1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Token: SeDebugPrivilege	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Token: SeDebugPrivilege	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe

description	pid	process	target process
PID 1896 wrote to memory of 1256	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	Explorer.EXE
PID 1896 wrote to memory of 1256	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	Explorer.EXE
PID 1896 wrote to memory of 464	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	services.exe
PID 1896 wrote to memory of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe
PID 1896 wrote to memory of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe
PID 1896 wrote to memory of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe
PID 1896 wrote to memory of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe
PID 1896 wrote to memory of 1308	1896	92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe
"C:\Users\Admin\AppData\Local\Temp\92e77066ada0501bfd8f469e71cfd8fd916c75dd38e496e206d58d55a9747305.exe"
1⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
PID:1308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies firewall policy service
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\systemroot\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@
Filesize
2KB

MD5
79f052a279dbfbb9272ef0d68edfd70c

SHA1
a0c0c85934fa94871a7cc2a1396bb72c59c0caa5

SHA256
01f447eecc8f1d2839ccf2c2647ba040b4cb9f81acdf3abfd1d96a3fcc8040c2

SHA512
53ff55b3da4c578e1908ac5e9def3ab8d16befda6a12e8f6c424dd6791c828d200ecc5209da9112216d7214c442c02ffaee8213e7acc48c9534560a113cb47d8

Download Submit
memory/464-77-0x00000000000F0000-0x00000000000FC000-memory.dmp

Filesize
48KB

Download
memory/464-76-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/464-72-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/464-78-0x0000000000130000-0x000000000013F000-memory.dmp

Filesize
60KB

Download
memory/464-83-0x0000000000130000-0x000000000013F000-memory.dmp

Filesize
60KB

Download
memory/464-82-0x00000000000F0000-0x00000000000FC000-memory.dmp

Filesize
48KB

Download
memory/1256-61-0x0000000002A40000-0x0000000002A4F000-memory.dmp

Filesize
60KB

Download
memory/1256-67-0x0000000002A50000-0x0000000002A5F000-memory.dmp

Filesize
60KB

Download
memory/1256-57-0x0000000002A40000-0x0000000002A4F000-memory.dmp

Filesize
60KB

Download
memory/1256-81-0x0000000002A00000-0x0000000002A0C000-memory.dmp

Filesize
48KB

Download
memory/1256-66-0x0000000002A00000-0x0000000002A0C000-memory.dmp

Filesize
48KB

Download
memory/1256-65-0x0000000002A40000-0x0000000002A4F000-memory.dmp

Filesize
60KB

Download
memory/1308-84-0x0000000000000000-mapping.dmp

Download
memory/1896-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-54-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1896-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-56-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads