b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff

General

Target

b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Size

197KB
MD5

d3fa003c76cb8d135dc71803f2a89c1b
SHA1

5a7f16f01574c4971a2d883e6abc6133f75e2778
SHA256

b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff
SHA512

947e6816759172a16ec351504a41363953f13bc394fddd2c9b8813b2b181e6fe7454e50179753a8942b98853e110b639e9eca4e69a85efec7eae1f26d3b5a531
SSDEEP

3072:n3K/eEZNrWKFXgrVFHMdEU4+B4I3hfr4FJ8ehq59MaKeGU/IP95CYwFnjEj:3CTsFHOErrC14FJ8ehqDKeGUCz

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n."	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe

Deletes itself 1 IoCs

pid	Process
1832	cmd.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
File created	C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\n	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n."	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
464	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1360	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	12
PID 1464 wrote to memory of 1360	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	12
PID 1464 wrote to memory of 464	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	2
PID 1464 wrote to memory of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26
PID 1464 wrote to memory of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26
PID 1464 wrote to memory of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26
PID 1464 wrote to memory of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26
PID 1464 wrote to memory of 1832	1464	b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe	26

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360
- C:\Users\Admin\AppData\Local\Temp\b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
  "C:\Users\Admin\AppData\Local\Temp\b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\systemroot\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@

Filesize
2KB

MD5
0bb4e877054db30eb89d1431e51c6bb9

SHA1
c33bda8619365601ac0885458665533e38bcec9a

SHA256
b11e38bb0f65e335a5a897480bd1a7f3fef8f6c9b260dcd459dad34c54e48e65

SHA512
fa0ee8e1dfcefc31e8465acff62eecf4b99f9e19c75339898d35b94146fc46712765a6e499315a9b7899dcf1b1018ca65d85bee9855a56d08a04cd62834a1ab6

Download Submit
memory/464-82-0x00000000000C0000-0x00000000000CF000-memory.dmp

Filesize
60KB

Download
memory/464-81-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/464-78-0x00000000000C0000-0x00000000000CF000-memory.dmp

Filesize
60KB

Download
memory/464-77-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/464-69-0x00000000000B0000-0x00000000000BF000-memory.dmp

Filesize
60KB

Download
memory/464-73-0x00000000000B0000-0x00000000000BF000-memory.dmp

Filesize
60KB

Download
memory/1360-64-0x0000000002220000-0x000000000222F000-memory.dmp

Filesize
60KB

Download
memory/1360-76-0x00000000026D0000-0x00000000026DF000-memory.dmp

Filesize
60KB

Download
memory/1360-75-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1360-60-0x0000000002220000-0x000000000222F000-memory.dmp

Filesize
60KB

Download
memory/1360-80-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1360-56-0x0000000002220000-0x000000000222F000-memory.dmp

Filesize
60KB

Download
memory/1464-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1464-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1464-55-0x0000000000230000-0x0000000000268000-memory.dmp

Filesize
224KB

Download
memory/1464-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing