Analysis
max time kernel: 162s
max time network: 230s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30/11/2022, 23:17
Static task: static1
Behavioral task: behavioral1
  Sample: afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
  Resource: win10v2004-20221111-en
General
Target: afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Size: 179KB
MD5: 6193ee5f5d2c3bc571d6592db668239c
SHA1: 6e01c0e21d73a12eb6cfd87bea60ead9b10adc7f
SHA256: afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8
SHA512: 01174c09b3fcf26808bc804c6d827cb1d7f77b8c89f4db9161aea16af3b2d5556642f19becfdc352042cf0cd85979d7dfdb02f00a8bd18e4566b26f42b09be1b
SSDEEP: 3072:iB+jXhOmoucEbJNvBpLUSVrEFAKZgeEIoNugEYJi3/kffw0k/mptzs749Qt8:fxOffgBpo24TZgeuPwWI0k/mM71
Malware Config
Signatures

Modifies security service (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters | services.exe
Executes dropped EXE (2 IoCs)
pid | Process
1244 | Explorer.EXE
460 | services.exe
Registers COM server for autorun (1 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3406023954-474543476-3319432036-1000\\$8c508dde2ce992e35b79435a5d2d0943\\n." | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$8c508dde2ce992e35b79435a5d2d0943\\n." | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Deletes itself (1 IoCs)
pid | Process
1328 | cmd.exe
Unexpected DNS network traffic destination (9 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 83.133.123.20 (9 occurrences)
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 616 set thread context of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
Modifies registry class (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3406023954-474543476-3319432036-1000\\$8c508dde2ce992e35b79435a5d2d0943\\n." | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$8c508dde2ce992e35b79435a5d2d0943\\n." | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\clsid | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
460 | services.exe
616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1244 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (21 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Token: SeDebugPrivilege | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Token: SeDebugPrivilege | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
Token: SeDebugPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeShutdownPrivilege | 1244 | Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1244 | Explorer.EXE
1244 | Explorer.EXE
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1244 | Explorer.EXE
1244 | Explorer.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 616 wrote to memory of 1244 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 14
PID 616 wrote to memory of 1244 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 14
PID 616 wrote to memory of 460 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 2
PID 616 wrote to memory of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
PID 616 wrote to memory of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
PID 616 wrote to memory of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
PID 616 wrote to memory of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
PID 616 wrote to memory of 1328 | 616 | afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe | 28
Processes

C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  PID: 460
  - Modifies security service
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1244
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\afc4c7b79eb5ca8295412765d9a3e87d0c1827f8ec68575d6abe67485e29aad8.exe"
    PID: 616
    - Registers COM server for autorun
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 1328
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: b290cc784397587d350b2bc84634aed4
SHA1: 0c69f1f11ba47e2ce47f5eabe51a5c8d49c6ec21
SHA256: c77044f610a4f6e41c6d55ef789915a219e8e1ebd91fc04d39e3ae6ad3e67168
SHA512: 1fd505a362a3df910aea4fbb26b52c08c1732725c8f4fd985a5de476050693be0c5301f2dff61600e2c9037f7b998433a8ae913e66c60d338a4d2b1ca537762b

Filesize: 41KB
MD5: fb4e3236959152a057bc6b7603c538ef
SHA1: b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4
SHA256: 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0
SHA512: 993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2