839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a

General

Target

839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Size

196KB
MD5

49a2d19637804a785b6ddf5cb6bb16ed
SHA1

3b6e79a8208c58a56a1586cf5477812e4a3b9aeb
SHA256

839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a
SHA512

8db861742a99e3d1169d7f8ef4710851154531bb4f62c44fb935582963f3f2276836146e7e2955041216a0f01d7b83fb99af3eebc73e8d0e6123362e5bd683af
SSDEEP

3072:WB7WtowMfN0ztRYR8u7ivSd82laHSmM7N795rj2EtUNmpKIQTZxqcW/:mitjMfyhRYb7iKG2laymo5JUN4+c

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	services.exe

Modifies security service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	services.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	services.exe

Executes dropped EXE 2 IoCs

pid	Process
1372	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1214520366-621468234-4062160515-1000\\$e0870acbcd010e28031691a4b4cb2286\\n."	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$e0870acbcd010e28031691a4b4cb2286\\n."	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\clsid	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1214520366-621468234-4062160515-1000\\$e0870acbcd010e28031691a4b4cb2286\\n."	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$e0870acbcd010e28031691a4b4cb2286\\n."	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
460	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Token: SeDebugPrivilege	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Token: SeDebugPrivilege	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
Token: SeDebugPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1372	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe	10
PID 684 wrote to memory of 1372	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe	10
PID 684 wrote to memory of 460	684	839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe	2

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1372
- C:\Users\Admin\AppData\Local\Temp\839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe
  "C:\Users\Admin\AppData\Local\Temp\839b4baa551ca71753994e4bf879f58c425dacefe4d2689097bfe02eaee3921a.exe"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$e0870acbcd010e28031691a4b4cb2286\@

Filesize
2KB

MD5
d13d54a87652ee79ea496d43aea4f85a

SHA1
20d166cb91b24d0c16fd309e3631afe50d196e6c

SHA256
2e027a580256dffe0255651c083e547ad2485f568f46bba7336fd4ce5e8a5a51

SHA512
97c3cabe13a81d11aad691913cf479f4c38904679bd3c6468f0098a70aaffd2848be76334785674c453ffa845fdadd407e1ae71968ab86937faa795ad23b0934

Download Submit
C:\$Recycle.Bin\S-1-5-18\$e0870acbcd010e28031691a4b4cb2286\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\$e0870acbcd010e28031691a4b4cb2286\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-18\$e0870acbcd010e28031691a4b4cb2286\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\$e0870acbcd010e28031691a4b4cb2286\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/684-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-58-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/684-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-63-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/684-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/684-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads