64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
26/06/2023, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe
Size

2.5MB
MD5

3922ff3a74810d65ab8ec25fb98a65b6
SHA1

d2c5a41031c5c12618133322bf5c01a14299346d
SHA256

64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50
SHA512

4939173d4e7e524d27154ebb0a465454b7857336fd1f3df90ef62d56cb269b6b5180927534c2abc161870482806bf1993b860b31be083ca0e0437a980592b669
SSDEEP

24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9smDH+M9jW4C5yvzJ:bTux6ZT0sozGK3Ns9sKHJS4C5m3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1596	Child.exe
1196	Explorer.EXE
464	services.exe

Loads dropped DLL 2 IoCs

pid	Process
1592	cmd.exe
1592	cmd.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3518257231-2980324860-1431329550-1000\\$7736e36f1280d01f6e8c7675455bb1eb\\n."	Child.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$7736e36f1280d01f6e8c7675455bb1eb\\n."	Child.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	Child.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	Child.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 880	1596	Child.exe	30

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3518257231-2980324860-1431329550-1000\\$7736e36f1280d01f6e8c7675455bb1eb\\n."	Child.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$7736e36f1280d01f6e8c7675455bb1eb\\n."	Child.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\clsid	Child.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	Child.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	Child.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	Child.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1596	Child.exe
1596	Child.exe
1596	Child.exe
1596	Child.exe
1596	Child.exe
1596	Child.exe
464	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	Child.exe
Token: SeDebugPrivilege	1596	Child.exe
Token: SeDebugPrivilege	1596	Child.exe
Token: SeDebugPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1592	1612	64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe	28
PID 1612 wrote to memory of 1592	1612	64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe	28
PID 1612 wrote to memory of 1592	1612	64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe	28
PID 1612 wrote to memory of 1592	1612	64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe	28
PID 1592 wrote to memory of 1596	1592	cmd.exe	29
PID 1592 wrote to memory of 1596	1592	cmd.exe	29
PID 1592 wrote to memory of 1596	1592	cmd.exe	29
PID 1592 wrote to memory of 1596	1592	cmd.exe	29
PID 1596 wrote to memory of 1196	1596	Child.exe	10
PID 1596 wrote to memory of 1196	1596	Child.exe	10
PID 1596 wrote to memory of 464	1596	Child.exe	2
PID 1596 wrote to memory of 880	1596	Child.exe	30
PID 1596 wrote to memory of 880	1596	Child.exe	30
PID 1596 wrote to memory of 880	1596	Child.exe	30
PID 1596 wrote to memory of 880	1596	Child.exe	30
PID 1596 wrote to memory of 880	1596	Child.exe	30

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196
- C:\Users\Admin\AppData\Local\Temp\64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe
  "C:\Users\Admin\AppData\Local\Temp\64391a260dab5184d4a3ffeaed021af293f02e984b7a6703b57bb658b878bc50.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\Child.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\Child.exe
      .\Child.exe
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$7736e36f1280d01f6e8c7675455bb1eb\@

Filesize
2KB

MD5
bc72429bce82f3f5b7e841626931fc6e

SHA1
4a262431d132cfadf7b3e7ea1d8cf92c17276221

SHA256
92a4b09321ade78c2d8aae997171176139a2d10d0e3dc5de982b5845ee3030e1

SHA512
a1e301d9223afb90730c6009364effcd0e175eb4b43cb6b7f746effea61700fb8e2d3af84b2b78bb0d5ad1fb9c69f64f36f087327589d99b67af0441892a9296

Download Submit
C:\$Recycle.Bin\S-1-5-18\$7736e36f1280d01f6e8c7675455bb1eb\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-3518257231-2980324860-1431329550-1000\$7736e36f1280d01f6e8c7675455bb1eb\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Child.exe

Filesize
164KB

MD5
919f9f1e1288326ec6fef4e5b77bb20e

SHA1
0242bc64bb5b6555801ba4178383720a9a6afbec

SHA256
7b0a2a0e923740b1389d17f0492e628eefe694f049d51a6990b71ad22d4d638c

SHA512
4f78180b4beddc26930fa0fc534c9139704585d46d86b943ebd8d1f02daff9d081863c16f02edc87777097c928d8b81c2dd807ba829d67dd8c654acb28577e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Child.exe

Filesize
164KB

MD5
919f9f1e1288326ec6fef4e5b77bb20e

SHA1
0242bc64bb5b6555801ba4178383720a9a6afbec

SHA256
7b0a2a0e923740b1389d17f0492e628eefe694f049d51a6990b71ad22d4d638c

SHA512
4f78180b4beddc26930fa0fc534c9139704585d46d86b943ebd8d1f02daff9d081863c16f02edc87777097c928d8b81c2dd807ba829d67dd8c654acb28577e51

Download Submit
\$Recycle.Bin\S-1-5-18\$7736e36f1280d01f6e8c7675455bb1eb\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\$Recycle.Bin\S-1-5-21-3518257231-2980324860-1431329550-1000\$7736e36f1280d01f6e8c7675455bb1eb\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe

Filesize
164KB

MD5
919f9f1e1288326ec6fef4e5b77bb20e

SHA1
0242bc64bb5b6555801ba4178383720a9a6afbec

SHA256
7b0a2a0e923740b1389d17f0492e628eefe694f049d51a6990b71ad22d4d638c

SHA512
4f78180b4beddc26930fa0fc534c9139704585d46d86b943ebd8d1f02daff9d081863c16f02edc87777097c928d8b81c2dd807ba829d67dd8c654acb28577e51

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe

Filesize
164KB

MD5
919f9f1e1288326ec6fef4e5b77bb20e

SHA1
0242bc64bb5b6555801ba4178383720a9a6afbec

SHA256
7b0a2a0e923740b1389d17f0492e628eefe694f049d51a6990b71ad22d4d638c

SHA512
4f78180b4beddc26930fa0fc534c9139704585d46d86b943ebd8d1f02daff9d081863c16f02edc87777097c928d8b81c2dd807ba829d67dd8c654acb28577e51

Download Submit
memory/464-73-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1196-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1596-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1596-59-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1612-74-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download