7d4733843e9f8dfd03ec44d5516737ff2a26b400a3b7a396e3a2be0d732ca8bc

General

Target

09eee7755e1cf4279ac29ada66dd0d82.exe
Size

196KB
MD5

09eee7755e1cf4279ac29ada66dd0d82
SHA1

30262f204da06370e290e533ab34ac94d4535452
SHA256

7d4733843e9f8dfd03ec44d5516737ff2a26b400a3b7a396e3a2be0d732ca8bc
SHA512

091ce6ebd7cc3d7c9de6b6798c42f3580cb7e7ebb2852f7a9631e12105064689b41d38c5bc993ea7f637e5000acddad4c934f87e602559c232607ba9e1e870f8
SSDEEP

3072:ApuAgBsUQxs7Lsu79NXbghxqLw7zbYGE70p6hCR4aIz3h3YmaWAIWXIzndBRv:eHgWdunLgrqLwzYVRsR23OmasWMdrv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1260	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-928733405-3780110381-2966456290-1000\\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\\n."	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\\n."	09eee7755e1cf4279ac29ada66dd0d82.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-928733405-3780110381-2966456290-1000\\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\\n."	09eee7755e1cf4279ac29ada66dd0d82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\\n."	09eee7755e1cf4279ac29ada66dd0d82.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\clsid	09eee7755e1cf4279ac29ada66dd0d82.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	09eee7755e1cf4279ac29ada66dd0d82.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
2396	09eee7755e1cf4279ac29ada66dd0d82.exe
468	services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	09eee7755e1cf4279ac29ada66dd0d82.exe
Token: SeDebugPrivilege	2396	09eee7755e1cf4279ac29ada66dd0d82.exe
Token: SeDebugPrivilege	2396	09eee7755e1cf4279ac29ada66dd0d82.exe
Token: SeDebugPrivilege	468	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1260	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	9
PID 2396 wrote to memory of 1260	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	9
PID 2396 wrote to memory of 468	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	2
PID 2396 wrote to memory of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29
PID 2396 wrote to memory of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29
PID 2396 wrote to memory of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29
PID 2396 wrote to memory of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29
PID 2396 wrote to memory of 2692	2396	09eee7755e1cf4279ac29ada66dd0d82.exe	29

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1260
- C:\Users\Admin\AppData\Local\Temp\09eee7755e1cf4279ac29ada66dd0d82.exe
  "C:\Users\Admin\AppData\Local\Temp\09eee7755e1cf4279ac29ada66dd0d82.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\@

Filesize
2KB

MD5
7955ba775d79ccb53107c437c5cf2dde

SHA1
80bc004a2c3995b8f81f03f231a1e490d1002816

SHA256
c700c3e16d05a25959c7e2de8636a15e22d4debd79902d649c9d1b81e7e6b76e

SHA512
22fa9da4b053d99c28c963102736e5822bfe00afb289640ce3fdcb1cfa34b5c024ef02fdcb95ba571d5d10bd66ef492292a32ae2c96b6513298b78978d117a31

Download Submit
\$Recycle.Bin\S-1-5-21-928733405-3780110381-2966456290-1000\$6e73f6ee16d00fbdd3d62b2c4f6dcafa\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/1260-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2396-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-5-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2396-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2396-10-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2396-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads