54a02c62da5909f1cb2c52a87925c58e559c3d789a3997417e705877cc9ba215

General

Target

6306f11b58b3101f8733917a7e55f624.exe
Size

186KB
MD5

6306f11b58b3101f8733917a7e55f624
SHA1

710abd7c511f4b1ab964c2e1f2f11c49cf280323
SHA256

54a02c62da5909f1cb2c52a87925c58e559c3d789a3997417e705877cc9ba215
SHA512

e3a5a218f4efe3d2ed385cf3cf7a5e51fcb557e1ce3353cb48de177e7e093683204927adf1cbb770816a2422e83462d2bf7a563f2a8b531fb7e8d97f5d746426
SSDEEP

3072:jFjAY9/TB7tqg/4mwEG/erxGl1IlMAta77kFV3PLkTfxla:xcuVP2E8HA8kP/LCfa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3500	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6306f11b58b3101f8733917a7e55f624.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3791175113-1062217823-1177695025-1000\\$4a3131d8d1a175157774ac21d0e41a67\\n."	6306f11b58b3101f8733917a7e55f624.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6306f11b58b3101f8733917a7e55f624.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 2004	1864	6306f11b58b3101f8733917a7e55f624.exe	21

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	6306f11b58b3101f8733917a7e55f624.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	6306f11b58b3101f8733917a7e55f624.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	6306f11b58b3101f8733917a7e55f624.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3791175113-1062217823-1177695025-1000\\$4a3131d8d1a175157774ac21d0e41a67\\n."	6306f11b58b3101f8733917a7e55f624.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\clsid	6306f11b58b3101f8733917a7e55f624.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe
1864	6306f11b58b3101f8733917a7e55f624.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	6306f11b58b3101f8733917a7e55f624.exe
Token: SeDebugPrivilege	1864	6306f11b58b3101f8733917a7e55f624.exe
Token: SeDebugPrivilege	1864	6306f11b58b3101f8733917a7e55f624.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 3500	1864	6306f11b58b3101f8733917a7e55f624.exe	51
PID 1864 wrote to memory of 3500	1864	6306f11b58b3101f8733917a7e55f624.exe	51
PID 1864 wrote to memory of 2004	1864	6306f11b58b3101f8733917a7e55f624.exe	21
PID 1864 wrote to memory of 2004	1864	6306f11b58b3101f8733917a7e55f624.exe	21
PID 1864 wrote to memory of 2004	1864	6306f11b58b3101f8733917a7e55f624.exe	21
PID 1864 wrote to memory of 2004	1864	6306f11b58b3101f8733917a7e55f624.exe	21

C:\Users\Admin\AppData\Local\Temp\6306f11b58b3101f8733917a7e55f624.exe
"C:\Users\Admin\AppData\Local\Temp\6306f11b58b3101f8733917a7e55f624.exe"
1⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-2-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1864-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1864-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3500-3-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/3500-8-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3500-11-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/3500-12-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads