44f105d64c55a8773bb2a9ede81646f8b79503ec15eea7560990fa132d79ef76

General

Target

fb3d344be065453c0cbe0d477b1c8fa8.exe
Size

195KB
MD5

fb3d344be065453c0cbe0d477b1c8fa8
SHA1

39f5f09feba7b5badec1063ae459fe0e0522b1e0
SHA256

44f105d64c55a8773bb2a9ede81646f8b79503ec15eea7560990fa132d79ef76
SHA512

011406d4ef23135300ec3f718a5b43300fdcc6bad0ec19c99623cd8a0bcee562efd0efcbf4881237652df31f88d9191bddd068ff2dbb4088d290e3464413926c
SSDEEP

3072:qJg93A/BYtsYUG214enxLQVYFKEtgU//r23uV13MBhIog+rMbZBOGSqszwQu5CiQ:b9Qp0lz2yceq//pM/I0rXN1wQu5Cp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3404	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	fb3d344be065453c0cbe0d477b1c8fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	fb3d344be065453c0cbe0d477b1c8fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3803511929-1339359695-2191195476-1000\\$4732b980f267194ec6fce0414fbbade7\\n."	fb3d344be065453c0cbe0d477b1c8fa8.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\clsid	fb3d344be065453c0cbe0d477b1c8fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	fb3d344be065453c0cbe0d477b1c8fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	fb3d344be065453c0cbe0d477b1c8fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	fb3d344be065453c0cbe0d477b1c8fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3803511929-1339359695-2191195476-1000\\$4732b980f267194ec6fce0414fbbade7\\n."	fb3d344be065453c0cbe0d477b1c8fa8.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
Token: SeDebugPrivilege	2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
Token: SeDebugPrivilege	2240	fb3d344be065453c0cbe0d477b1c8fa8.exe
Token: SeDebugPrivilege	3404	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3404	2240	fb3d344be065453c0cbe0d477b1c8fa8.exe	48
PID 2240 wrote to memory of 3404	2240	fb3d344be065453c0cbe0d477b1c8fa8.exe	48

C:\Users\Admin\AppData\Local\Temp\fb3d344be065453c0cbe0d477b1c8fa8.exe
"C:\Users\Admin\AppData\Local\Temp\fb3d344be065453c0cbe0d477b1c8fa8.exe"
1⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-5-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2240-4-0x00000000009F0000-0x0000000000A23000-memory.dmp

Filesize
204KB

Download
memory/2240-2-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2240-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-11-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3404-13-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3404-14-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads