92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf

General

Target

92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Size

21KB
MD5

bf8503557d267a979c1840b5241f5ea8
SHA1

ba94e45cae97f1f71a45fe234b1aa2bd1ba81698
SHA256

92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf
SHA512

ef314220b0921d99a139f744d620c92dc8a3547b232a7268540d23339856ac7266083d42cad0782f8fd0a9d17c5923f6493d43619b0d7e2ed7cb8c30c3b6c65d
SSDEEP

384:oc+h/+GIQMCczE3yzySSAsmXVFwWynCMSc2ZsKw8WS/PtY4JQjYVkwNeso:ox6QA9PTPDhc2ZT0SH6Ysj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360} = "OLE Object"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32\ = "C:\\Windows\\SysWow64\\barseek.dll"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32\ThreadingModel = "Apartment"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Loads dropped DLL 1 IoCs

pid	Process
3816	rundll32.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\barseek.dll	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Security\selfdel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Security	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Security\id = "570426025621"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Security\host = "64.70.19.203"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Security	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32\ThreadingModel = "Apartment"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{3AB9FAD5-2FC6-43CF-B48E-6641F7026360}\InProcServer32\ = "C:\\Windows\\SysWow64\\barseek.dll"	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 3816	336	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe	81
PID 336 wrote to memory of 3816	336	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe	81
PID 336 wrote to memory of 3816	336	92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe	81

C:\Users\Admin\AppData\Local\Temp\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
"C:\Users\Admin\AppData\Local\Temp\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe"
1⤵
- Modifies security service
- Windows security bypass
- Modifies Shared Task Scheduler registry keys
- Registers COM server for autorun
- Windows security modification
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\barseek.dll, load
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\barseek.dll

Filesize
16KB

MD5
2927b7854e17a95473c9b14a241931dd

SHA1
2b36d180eebe0123459755934c9806ce1b49b367

SHA256
9f185d268e09533a52f8efe0022694e83179c62a2b940be9eb6f24291ee23c52

SHA512
37a7495f008f6945067fe94f1be8d0ba58a15d6b33066573f528a688a9da256a1841fd65b6459180fa6348907c8fbe785e0221ed2e0bd78c8899bdc7e31c2688

Download Submit
C:\Windows\SysWOW64\barseek.dll

Filesize
16KB

MD5
2927b7854e17a95473c9b14a241931dd

SHA1
2b36d180eebe0123459755934c9806ce1b49b367

SHA256
9f185d268e09533a52f8efe0022694e83179c62a2b940be9eb6f24291ee23c52

SHA512
37a7495f008f6945067fe94f1be8d0ba58a15d6b33066573f528a688a9da256a1841fd65b6459180fa6348907c8fbe785e0221ed2e0bd78c8899bdc7e31c2688

Download Submit
memory/336-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/336-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3816-137-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/3816-138-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads