59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b

General

Target

59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Size

196KB
MD5

9f360e5b97c36d26e53b9942011e9edb
SHA1

89f4a312e07cee437d1e7fb75f69b67e79cbda31
SHA256

59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b
SHA512

8e54c187bd4124fa0cc173acc9b39322a78b6f53e998b0eb912d771d3caf68d28070b4569a68040fcdb1420470318f09515ab241ed61fdbb95ca407d5667adb9
SSDEEP

6144:UWz7pKmxYHowRjlMS5kCEKzXWv/es7WMdSU:Uw1K1JqS5keDWXeGWMdR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1360	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe

Deletes itself 1 IoCs

pid	Process
516	cmd.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4063495947-34355257-727531523-1000\\$d4e37f8e5af09b64e86d0830097e992e\\n."	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d4e37f8e5af09b64e86d0830097e992e\\n."	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
464	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Token: SeDebugPrivilege	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Token: SeDebugPrivilege	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1360	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	17
PID 1104 wrote to memory of 1360	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	17
PID 1104 wrote to memory of 464	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	2
PID 1104 wrote to memory of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27
PID 1104 wrote to memory of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27
PID 1104 wrote to memory of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27
PID 1104 wrote to memory of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27
PID 1104 wrote to memory of 516	1104	59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe	27

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360
- C:\Users\Admin\AppData\Local\Temp\59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe
  "C:\Users\Admin\AppData\Local\Temp\59c6ccf2930a38f55b216e78952d2477c1736a207f60cbadbb4bcf43948ddd3b.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\@

Filesize
2KB

MD5
76e03ce085cd1cb33b6d45f15c1d85fe

SHA1
5b6c013fb43c325b29f1cc9c083b35e40dca2620

SHA256
3daececd5b8f45cc829af8dbc8a1e69c0ff6d6e1c2f4ea3a1849ef2c1f4e89f3

SHA512
cba729f472f5ccb8ffc41e6c8d723430ce75b6446c7ab72d9326daae3d71dac7a3c77661ab978ad41fdfe63900120f57fff0242e85ec3977ec6eb423b84d1e28

Download Submit
C:\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-18\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\$d4e37f8e5af09b64e86d0830097e992e\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/1104-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-60-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1104-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing