878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be

General

Target

878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Size

177KB
MD5

556d1357b8df064b158c9fa260f99ec0
SHA1

62bda45c4a5dc4d4c945d0da013a18a021144ad6
SHA256

878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be
SHA512

b0545ab669747038a06a7fc3623d21f525bd568d9fffb9aab09958717490d595fe2f06e948bcc7ecd253a82e60fa414c9e6a29e122bdaa9ebf8c838cd0844c68
SSDEEP

3072:1QgqpKOv1XcbN54ILz2JRYiR8rf8zKPo9QKUaTAz2RXgTac9DN0KrwkC8:1QgqEOvtcbD4Kz2JR52fAKynAz2RaTD6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1416	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe

Deletes itself 1 IoCs

pid	Process
1976	cmd.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
464	services.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Token: SeDebugPrivilege	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Token: SeDebugPrivilege	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeShutdownPrivilege	1416	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1416	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	9
PID 304 wrote to memory of 1416	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	9
PID 304 wrote to memory of 464	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	2
PID 304 wrote to memory of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27
PID 304 wrote to memory of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27
PID 304 wrote to memory of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27
PID 304 wrote to memory of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27
PID 304 wrote to memory of 1976	304	878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe	27

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416
- C:\Users\Admin\AppData\Local\Temp\878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe
  "C:\Users\Admin\AppData\Local\Temp\878aa8aabf7e7ea6f4c3d2d0bb69648a3ef7b5e099b341738d3508bb5d4720be.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@

Filesize
2KB

MD5
c47b082b7205b9b91ab49326f2eb5d40

SHA1
133df031ef99807f1b22d4b5430f5d6adbad59a5

SHA256
756aa043e1ed229130b11efa9434ca0df953f1ba29f74b3e4f2773ac29cf7870

SHA512
54a7f402ad341449020b65858e9987d3b58468b361915ed636687c087f674a7c7bfa5f80d73d76075fdf3c4838c8a8dce8e4f487a87c948e9ca9fb9f16031fa7

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/304-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/304-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/304-58-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/304-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing