f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6

General

Target

f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Size

153KB
MD5

7cc39d3f4e1a7a3e12147343ecec6f6b
SHA1

c2fc74abd7078e9112212af346750ded9d6058b6
SHA256

f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6
SHA512

bd96df47be3130a71e40dbfc0363d9d4b8d6045105d1eb3d96265ec7736be20339be0267ba5f8da13cb3b2f4bcb5a6c042ae91a554e63f8f8817a92bc360fdee
SSDEEP

3072:Py4FkhMnelQ2+LYHb0PkXLqoE4P6JRzRojEAdVvV+ScKEQ:azHD7nE4yJRf8VcSL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1368	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-999675638-2867687379-27515722-1000\\$f545a6cb63874d75375b4ac5befd06b3\\n."	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$f545a6cb63874d75375b4ac5befd06b3\\n."	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\clsid	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-999675638-2867687379-27515722-1000\\$f545a6cb63874d75375b4ac5befd06b3\\n."	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$f545a6cb63874d75375b4ac5befd06b3\\n."	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
464	services.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Token: SeDebugPrivilege	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Token: SeDebugPrivilege	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1368	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	15
PID 1592 wrote to memory of 1368	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	15
PID 1592 wrote to memory of 464	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	6
PID 1592 wrote to memory of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27
PID 1592 wrote to memory of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27
PID 1592 wrote to memory of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27
PID 1592 wrote to memory of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27
PID 1592 wrote to memory of 2024	1592	f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe	27

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1368
- C:\Users\Admin\AppData\Local\Temp\f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe
  "C:\Users\Admin\AppData\Local\Temp\f79b1d2a69030115077062365017f5ee7bceac61a96fb12fbda4a1a77862d3d6.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\@

Filesize
2KB

MD5
a7a2f2de18415ddd622665e517a20a13

SHA1
91109a4b68c98fe0c24ecd9d272ef24f91f6676a

SHA256
dc1d541670a86773e39841e06955d542f62eb3d4ab65c291fe88b7153d7101a9

SHA512
445866ee08593a5b42148d9956205a3ea60989be14dde479ac5eff6e1e6da19d89d5547c40cc74ffc75524b31eb90bf6bcef2209c7d0e45c883c975a782d0ec4

Download Submit
C:\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-18\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\$f545a6cb63874d75375b4ac5befd06b3\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1592-56-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/1592-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing