d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6

Analysis

max time kernel
210s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Size

168KB
MD5

daa97f9ceaf67fe0208ca726378b96e9
SHA1

752d46fd2c865ef06bc4d3f352f3064fdd80f51b
SHA256

d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6
SHA512

490406aa70797aaf5c7b736de5b0a58e467b5a8997418571b7d6fa29a587ab8e0e9710d1a71f2e973700619cf5f2170f0804232e167064e8bf2091ccee87009b
SSDEEP

3072:/KUSBPD4qJiktryvtWrdVDXBx+vfWZ3cW/ozyLXQqoCr+tHF6ZfPFYBekSNuo6ar:/pSBPDvJiay1G/DXfMOZM0tLXQqvr+tx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4246620582-653642754-1174164128-1000\\$94b51c160cef92dd5e85d337991aa9a5\\n."	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe

Deletes itself 1 IoCs

pid	Process
4824	cmd.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 4824	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	82

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-4246620582-653642754-1174164128-1000\\$94b51c160cef92dd5e85d337991aa9a5\\n."	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\clsid	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Token: SeDebugPrivilege	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Token: SeDebugPrivilege	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE
Token: SeShutdownPrivilege	2032	Explorer.EXE
Token: SeCreatePagefilePrivilege	2032	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2032	Explorer.EXE
2032	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2032	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	40
PID 1772 wrote to memory of 2032	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	40
PID 1772 wrote to memory of 4824	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	82
PID 1772 wrote to memory of 4824	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	82
PID 1772 wrote to memory of 4824	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	82
PID 1772 wrote to memory of 4824	1772	d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2032
- C:\Users\Admin\AppData\Local\Temp\d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe
  "C:\Users\Admin\AppData\Local\Temp\d233bad17b56d3d38ba5e1f3f3f8ca60180a3c6978c329a539ccdd3dfcaf77b6.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\$94b51c160cef92dd5e85d337991aa9a5\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\$94b51c160cef92dd5e85d337991aa9a5\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/1772-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-133-0x0000000000563000-0x0000000000581000-memory.dmp

Filesize
120KB

Download
memory/1772-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-135-0x0000000000563000-0x0000000000581000-memory.dmp

Filesize
120KB

Download
memory/1772-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-140-0x0000000000563000-0x0000000000581000-memory.dmp

Filesize
120KB

Download
memory/2032-141-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-142-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-143-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-145-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-146-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-144-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-147-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-148-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-149-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-150-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-151-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-152-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-153-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-154-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-155-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-156-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-157-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-158-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2032-159-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2032-160-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2032-161-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2032-162-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-163-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-164-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-165-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-166-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-167-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-168-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-169-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-170-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-173-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-172-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-171-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-174-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-175-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-176-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-177-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-178-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2032-179-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/2032-180-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2032-181-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2032-182-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2032-183-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/2032-184-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2032-185-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2032-186-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download