c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c

General

Target

c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Size

154KB
MD5

582b5d008b33aec694043c3e5c47f421
SHA1

166c22d5f5dde4b5021b5001927fd03bf73cc63e
SHA256

c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c
SHA512

ddddd2bdb95ec4c9da09c52423b7038b27670815f7ec989d20fa462d10c9631df18bd7250a5ebdcd85b0cda4d2698b641ae29bc0d2da58cd7c65b9b364c46971
SSDEEP

3072:D0uILepp/gZx2DMVI2X5db4T0pMEqEWx7LAqRfwqtqz34Epfbz1L2S1:uep2Z2+5dsaMEqEWx78IfwI0bzRz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2348	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-2295526160-1155304984-640977766-1000\\$e0613d909b67ae6058f9584af5f18b89\\n."	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	91.195.254.70
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\clsid	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-2295526160-1155304984-640977766-1000\\$e0613d909b67ae6058f9584af5f18b89\\n."	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Token: SeDebugPrivilege	4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
Token: SeDebugPrivilege	4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2348	4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe	37
PID 4956 wrote to memory of 2348	4956	c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2348
- C:\Users\Admin\AppData\Local\Temp\c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
  "C:\Users\Admin\AppData\Local\Temp\c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\$e0613d909b67ae6058f9584af5f18b89\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\$e0613d909b67ae6058f9584af5f18b89\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/4956-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4956-135-0x000000000078E000-0x00000000007AD000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing