fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32

General

Target

fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe
Size

101KB
MD5

1086091a66f59dbefef28612cbf24daa
SHA1

7d42b73e87e13f2a856dac74d11437f6bc60b818
SHA256

fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32
SHA512

31df5d881ad3985f77130c72dda4349e72dab57e7641d26f9687e7050b8cb754a982367539b15890b669a56fe3f1f85aadda4921aca7c468ba5569792ad77ad7
SSDEEP

1536:x4xPND1BXg2q8yHFdH10ZverAR+1FszZoNTjFRj9z/1jdw9huSuuRrmN1q:+PB1bq7PHu9erAR+1F2QTBRp/YL0q

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ruser\Parameters\ServiceDll = "C:\\Windows\\system32\\RUser.Dll"	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe

Deletes itself 1 IoCs

pid	Process
956	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1580	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RUser.Dll	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe
File opened for modification	C:\Windows\SysWOW64\RUser.Dll	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
872	1580	WerFault.exe	31

Kills process with taskkill 1 IoCs

evasion

pid	Process
1104	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1552	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe
Token: SeDebugPrivilege	1104	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1104	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	28
PID 468 wrote to memory of 1104	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	28
PID 468 wrote to memory of 1104	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	28
PID 468 wrote to memory of 1104	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	28
PID 468 wrote to memory of 956	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	32
PID 468 wrote to memory of 956	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	32
PID 468 wrote to memory of 956	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	32
PID 468 wrote to memory of 956	468	fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe	32
PID 956 wrote to memory of 1552	956	cmd.exe	34
PID 956 wrote to memory of 1552	956	cmd.exe	34
PID 956 wrote to memory of 1552	956	cmd.exe	34
PID 956 wrote to memory of 1552	956	cmd.exe	34
PID 1580 wrote to memory of 872	1580	svchost.exe	35
PID 1580 wrote to memory of 872	1580	svchost.exe	35
PID 1580 wrote to memory of 872	1580	svchost.exe	35
PID 1580 wrote to memory of 872	1580	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe
"C:\Users\Admin\AppData\Local\Temp\fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360tray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping localhost -n 1 && del "C:\Users\Admin\AppData\Local\Temp\fbf34ae82c1546363c8343ec9e9372a01bfaf12a0c85e1e26e39a0c6f3ca3a32.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:1552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Ruser
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 284
  2⤵
  - Program crash
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ruser.dll

Filesize
135KB

MD5
cce6c1f9b0e003297a1f0e01fc640e3e

SHA1
431f48cc709f0717a7905a6f309cfab777652fa9

SHA256
965316ad5463bf7b1e3bb959ac5c33505ad8cb4e136d284ae07c308fac94ec5b

SHA512
e4c7fd8588be344e4ebda01be80f37ca2f16d9ea097f5d65d7e8637b05def023747cec1b8a25aba8588405f8f7dfd9f2d449c0c57c1bf325ff44b33d857d1e9f

Download Submit
\Windows\SysWOW64\RUser.Dll

Filesize
135KB

MD5
cce6c1f9b0e003297a1f0e01fc640e3e

SHA1
431f48cc709f0717a7905a6f309cfab777652fa9

SHA256
965316ad5463bf7b1e3bb959ac5c33505ad8cb4e136d284ae07c308fac94ec5b

SHA512
e4c7fd8588be344e4ebda01be80f37ca2f16d9ea097f5d65d7e8637b05def023747cec1b8a25aba8588405f8f7dfd9f2d449c0c57c1bf325ff44b33d857d1e9f

Download Submit
memory/468-54-0x0000000000400000-0x000000000045A1C5-memory.dmp

Filesize
360KB

Download
memory/468-56-0x0000000000400000-0x000000000045A1C5-memory.dmp

Filesize
360KB

Download
memory/468-62-0x0000000000400000-0x000000000045A1C5-memory.dmp

Filesize
360KB

Download
memory/1580-59-0x0000000000A60000-0x0000000000D8B000-memory.dmp

Filesize
3.2MB

Download
memory/1580-61-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing