6e275a1c573096bb89612897a765becb0e1f9e4cd40ad93b65684692006bee57

General

Target

45e8f263c76074a06d84a9104221216e.exe
Size

197KB
MD5

45e8f263c76074a06d84a9104221216e
SHA1

31658a5d3641718e72ea286636db99a2f487fa98
SHA256

6e275a1c573096bb89612897a765becb0e1f9e4cd40ad93b65684692006bee57
SHA512

554cceda667f67839a59a8fabcebc106ac21568cb9df88511cbe6507ed720b874f26dba3fa19e0dd1b96e29506daa21cece35d2944292751cfda260318e813c4
SSDEEP

3072:aFaIHvps6EopEftBNkh0pyEIyidKAC66RXLB74kZ03:aFalpo+V7/JiEygVc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1224	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1603059206-2004189698-4139800220-1000\\$cfb9360131739cee24eb9324ba1faccf\\n."	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$cfb9360131739cee24eb9324ba1faccf\\n."	45e8f263c76074a06d84a9104221216e.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\clsid	45e8f263c76074a06d84a9104221216e.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	45e8f263c76074a06d84a9104221216e.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1603059206-2004189698-4139800220-1000\\$cfb9360131739cee24eb9324ba1faccf\\n."	45e8f263c76074a06d84a9104221216e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$cfb9360131739cee24eb9324ba1faccf\\n."	45e8f263c76074a06d84a9104221216e.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2348	45e8f263c76074a06d84a9104221216e.exe
2348	45e8f263c76074a06d84a9104221216e.exe
2348	45e8f263c76074a06d84a9104221216e.exe
2348	45e8f263c76074a06d84a9104221216e.exe
2348	45e8f263c76074a06d84a9104221216e.exe
2348	45e8f263c76074a06d84a9104221216e.exe
468	services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	45e8f263c76074a06d84a9104221216e.exe
Token: SeDebugPrivilege	2348	45e8f263c76074a06d84a9104221216e.exe
Token: SeDebugPrivilege	2348	45e8f263c76074a06d84a9104221216e.exe
Token: SeDebugPrivilege	468	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1224	2348	45e8f263c76074a06d84a9104221216e.exe	11
PID 2348 wrote to memory of 1224	2348	45e8f263c76074a06d84a9104221216e.exe	11
PID 2348 wrote to memory of 468	2348	45e8f263c76074a06d84a9104221216e.exe	2
PID 2348 wrote to memory of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28
PID 2348 wrote to memory of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28
PID 2348 wrote to memory of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28
PID 2348 wrote to memory of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28
PID 2348 wrote to memory of 2544	2348	45e8f263c76074a06d84a9104221216e.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1224
- C:\Users\Admin\AppData\Local\Temp\45e8f263c76074a06d84a9104221216e.exe
  "C:\Users\Admin\AppData\Local\Temp\45e8f263c76074a06d84a9104221216e.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$cfb9360131739cee24eb9324ba1faccf\@

Filesize
2KB

MD5
03adb9c30bb6c6c5583465df477e0ae3

SHA1
5c3a7334596f31f9f855252540659c643e4fcb82

SHA256
24e9b89263f1a3990c83719390030020a9fbfca28300f081216f02440ccceb6f

SHA512
13379d525fedec15abfc7d0a81e0fd6e3d2f0cd1dd7f50818ba439d2fd43b0d7a248a0540e353666bfda052d265a046809d0039c91146349f6ab90612036de95

Download Submit
\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\$cfb9360131739cee24eb9324ba1faccf\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/468-22-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/468-14-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1224-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2348-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2348-2-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2348-20-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2348-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads