7cbb3a25ea393f3e590f9b26a6d02457d3c3fe6eed2c418bf1b389ac58c12a61

General

Target

071c5bee94a2368e9fec5e885f9f03ed.exe
Size

180KB
MD5

071c5bee94a2368e9fec5e885f9f03ed
SHA1

5783246d157b9c381e0ea501c22e628956eb99ee
SHA256

7cbb3a25ea393f3e590f9b26a6d02457d3c3fe6eed2c418bf1b389ac58c12a61
SHA512

a43de022e5b70d321296c112658a7dcb260222753d717b3fd6fa56725a4ca6515075a4d771eea626d199459e3104af297320379f37953ed96fb3eadc07cd45f0
SSDEEP

3072:d5MurQVx3VKUq+2cE9EOB3vd2oCO001kai/rZtFCYu+CwNLYToAq:vHrgVKUX2LFd2pO001kaMrNCY5CWLH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1240	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	071c5bee94a2368e9fec5e885f9f03ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	071c5bee94a2368e9fec5e885f9f03ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-452311807-3713411997-1028535425-1000\\$5fd2fe5a25dc242c20f3b15fb26cd3ad\\n."	071c5bee94a2368e9fec5e885f9f03ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$5fd2fe5a25dc242c20f3b15fb26cd3ad\\n."	071c5bee94a2368e9fec5e885f9f03ed.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$5fd2fe5a25dc242c20f3b15fb26cd3ad\\n."	071c5bee94a2368e9fec5e885f9f03ed.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\clsid	071c5bee94a2368e9fec5e885f9f03ed.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	071c5bee94a2368e9fec5e885f9f03ed.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	071c5bee94a2368e9fec5e885f9f03ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	071c5bee94a2368e9fec5e885f9f03ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-452311807-3713411997-1028535425-1000\\$5fd2fe5a25dc242c20f3b15fb26cd3ad\\n."	071c5bee94a2368e9fec5e885f9f03ed.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
2808	071c5bee94a2368e9fec5e885f9f03ed.exe
468	services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	071c5bee94a2368e9fec5e885f9f03ed.exe
Token: SeDebugPrivilege	2808	071c5bee94a2368e9fec5e885f9f03ed.exe
Token: SeDebugPrivilege	2808	071c5bee94a2368e9fec5e885f9f03ed.exe
Token: SeDebugPrivilege	468	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1240	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	14
PID 2808 wrote to memory of 1240	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	14
PID 2808 wrote to memory of 468	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	2
PID 2808 wrote to memory of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28
PID 2808 wrote to memory of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28
PID 2808 wrote to memory of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28
PID 2808 wrote to memory of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28
PID 2808 wrote to memory of 2908	2808	071c5bee94a2368e9fec5e885f9f03ed.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1240
- C:\Users\Admin\AppData\Local\Temp\071c5bee94a2368e9fec5e885f9f03ed.exe
  "C:\Users\Admin\AppData\Local\Temp\071c5bee94a2368e9fec5e885f9f03ed.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$5fd2fe5a25dc242c20f3b15fb26cd3ad\@

Filesize
2KB

MD5
d89b0af08d2a615a1bf092f0ed69efc4

SHA1
2afdb5a5baf375d98921423671a869ad57e59884

SHA256
127b4725d11bcc049e0ca02914b353c5f02302f66361bf9eb4ce83dee45aa1d8

SHA512
c37991cf8fedd01ac60534b2cd4bd0a55b22e9e02e16b6d0181685da0600a9c5472879fa190606463eead20f20371ef9b4317d2b1c045610eb4f07b4b783cde1

Download Submit
C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\$5fd2fe5a25dc242c20f3b15fb26cd3ad\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/468-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/468-15-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1240-6-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1240-10-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1240-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2808-3-0x00000000005D0000-0x0000000000602000-memory.dmp

Filesize
200KB

Download
memory/2808-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads