952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679

General

Target

952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Size

187KB
MD5

404c290e4075f5379a38d09aa75d0a9c
SHA1

a0f3e304f20ea6406abe2feefbae9ee8c0a20e14
SHA256

952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679
SHA512

8adf687fc8155e794948559e8af3304880cf0b80f297ad7cbe076d3691be3b9a7779417a61f789f9ca33ee473590cf005705c8dbd930a0b9462eb8dbf41277c5
SSDEEP

3072:nDMAjn8StcmWoff5r1Qah2XWhfPWhZfg8XX2sj34di5K9Qt+2yo5nyL2Jw5VZv44:DP8S1b5r1Vh2afPWXYu34di5iAnm2Ov4

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n."	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
File created	C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\n	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n."	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Token: SeDebugPrivilege	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Token: SeDebugPrivilege	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1200	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	8
PID 1284 wrote to memory of 1200	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	8
PID 1284 wrote to memory of 464	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	20
PID 1284 wrote to memory of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27
PID 1284 wrote to memory of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27
PID 1284 wrote to memory of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27
PID 1284 wrote to memory of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27
PID 1284 wrote to memory of 568	1284	952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200
- C:\Users\Admin\AppData\Local\Temp\952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe
  "C:\Users\Admin\AppData\Local\Temp\952d3be856aac9a5a670399bfa4b860950d8de73c2ff0c376750809f8a40b679.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:568

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\systemroot\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@

Filesize
2KB

MD5
ace5dbf54dc4982283b6ade3a0a88232

SHA1
f3f2dafb1461acc29c2ad80588e615a6cf24fd49

SHA256
88a5273cfb61991806899f6f6638c5a173829f9f83489e22115d67c92e436d51

SHA512
806f5fc8c082d5ffe8621cee738a799ef285134019d066094d56b507fafb0536d126600f58f7faa214c546a4103c6a1d3482bd77733619b5b774026c027ce486

Download Submit
memory/464-84-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/464-83-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/464-79-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/464-78-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/464-70-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/464-74-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/1200-77-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

Filesize
48KB

Download
memory/1200-76-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/1200-65-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/1200-61-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/1200-82-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/1200-57-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-81-0x000000000055C000-0x000000000057F000-memory.dmp

Filesize
140KB

Download
memory/1284-56-0x000000000055C000-0x000000000057F000-memory.dmp

Filesize
140KB

Download
memory/1284-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-87-0x000000000055C000-0x000000000057F000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing