791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e

General

Target

791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Size

163KB
MD5

30dfe01b30835ef02bc7ed0c9d202470
SHA1

21a7fc89ee9f67e7a2a495463d80091a7e70bec2
SHA256

791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e
SHA512

1ff3aab19bf270bb3786267e725700f9dd48b04fa5beb8fd2f3f1b795b82ed0582797499b4f0347c2de6d85017909e5bcadb0e3dc3ef9f0eb5c0c30aabbfbc8c
SSDEEP

3072:CNvuPYzgSsgXHvbLXajMkfFkj+A57zBvg/w2xWE59b:mCEHHX6Mktw+I7zB6wY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1264	Explorer.EXE
460	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3406023954-474543476-3319432036-1000\\$8c508dde2ce992e35b79435a5d2d0943\\n."	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$8c508dde2ce992e35b79435a5d2d0943\\n."	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe

Deletes itself 1 IoCs

pid	Process
468	cmd.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\clsid	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3406023954-474543476-3319432036-1000\\$8c508dde2ce992e35b79435a5d2d0943\\n."	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$8c508dde2ce992e35b79435a5d2d0943\\n."	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Token: SeDebugPrivilege	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Token: SeDebugPrivilege	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1264	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	9
PID 1532 wrote to memory of 1264	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	9
PID 1532 wrote to memory of 460	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	22
PID 1532 wrote to memory of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28
PID 1532 wrote to memory of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28
PID 1532 wrote to memory of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28
PID 1532 wrote to memory of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28
PID 1532 wrote to memory of 468	1532	791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe	28

C:\Users\Admin\AppData\Local\Temp\791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe
"C:\Users\Admin\AppData\Local\Temp\791a8293a1721b9ff1bb3cce59b9f7a755d2229f538697a48dac74937f17dd3e.exe"
1⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1264

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$8c508dde2ce992e35b79435a5d2d0943\@

Filesize
2KB

MD5
239b19b21107061bae05b07c429cd699

SHA1
e6a87a01ee998b354f1ea1af3f4ae404c561af23

SHA256
4e71b4f58cd0efaa621ad80a679730a640c7c0b5064cc366afdb6b67f62ee5c9

SHA512
d334d18d69e972adc60a41156584176c8f00640b16dde4c4ab47bfdc82898ce2c0eb428c4b548bbac3f1b8b6a85b163c9e50cc9a168fc3362c67c31f19b23a8a

Download Submit
C:\$Recycle.Bin\S-1-5-18\$8c508dde2ce992e35b79435a5d2d0943\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\$8c508dde2ce992e35b79435a5d2d0943\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$8c508dde2ce992e35b79435a5d2d0943\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\$8c508dde2ce992e35b79435a5d2d0943\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1264-66-0x000007FEBF1E0000-0x000007FEBF1EA000-memory.dmp

Filesize
40KB

Download
memory/1264-65-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp

Filesize
1.3MB

Download
memory/1532-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-64-0x00000000005DE000-0x0000000000602000-memory.dmp

Filesize
144KB

Download
memory/1532-58-0x00000000005DE000-0x0000000000602000-memory.dmp

Filesize
144KB

Download
memory/1532-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing