5ca36a4253289490bc69e3d0c4819514bb6fa6ba1d4405127c37e81b37d3b09f

General

Target

64d6a15843305a0c2df1f159e84afa41.exe
Size

156KB
MD5

64d6a15843305a0c2df1f159e84afa41
SHA1

2475051a8179ebd0b4829e00cd0194b54e4b39f5
SHA256

5ca36a4253289490bc69e3d0c4819514bb6fa6ba1d4405127c37e81b37d3b09f
SHA512

18c4cfe30fecedecad8ec3d9e10607461aa2a6bf635458f59229ab98450389694f826cef0a7f15ae18ac8ccb67d83d087a6a81bff45e9df93289287737e61839
SSDEEP

3072:PMngP1zP4IbrGpnqIE2Vc4cffB8Pzn0sZTz5btNE:kEXGpLcvnMDJTzJE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1276	Explorer.EXE
468	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{19350fc2-aa90-f613-4bf0-85f7eee99382}\\n."	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{19350fc2-aa90-f613-4bf0-85f7eee99382}\\n."	64d6a15843305a0c2df1f159e84afa41.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1188 set thread context of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{19350fc2-aa90-f613-4bf0-85f7eee99382}\n	64d6a15843305a0c2df1f159e84afa41.exe
File created	C:\Windows\Installer\{19350fc2-aa90-f613-4bf0-85f7eee99382}\@	64d6a15843305a0c2df1f159e84afa41.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\clsid	64d6a15843305a0c2df1f159e84afa41.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	64d6a15843305a0c2df1f159e84afa41.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{19350fc2-aa90-f613-4bf0-85f7eee99382}\\n."	64d6a15843305a0c2df1f159e84afa41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{19350fc2-aa90-f613-4bf0-85f7eee99382}\\n."	64d6a15843305a0c2df1f159e84afa41.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1188	64d6a15843305a0c2df1f159e84afa41.exe
1188	64d6a15843305a0c2df1f159e84afa41.exe
1188	64d6a15843305a0c2df1f159e84afa41.exe
1188	64d6a15843305a0c2df1f159e84afa41.exe
1188	64d6a15843305a0c2df1f159e84afa41.exe
1188	64d6a15843305a0c2df1f159e84afa41.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	64d6a15843305a0c2df1f159e84afa41.exe
Token: SeDebugPrivilege	1188	64d6a15843305a0c2df1f159e84afa41.exe
Token: SeDebugPrivilege	1188	64d6a15843305a0c2df1f159e84afa41.exe
Token: SeBackupPrivilege	468	services.exe
Token: SeRestorePrivilege	468	services.exe
Token: SeSecurityPrivilege	468	services.exe
Token: SeTakeOwnershipPrivilege	468	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1276	1188	64d6a15843305a0c2df1f159e84afa41.exe	17
PID 1188 wrote to memory of 1276	1188	64d6a15843305a0c2df1f159e84afa41.exe	17
PID 1188 wrote to memory of 468	1188	64d6a15843305a0c2df1f159e84afa41.exe	1
PID 1188 wrote to memory of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28
PID 1188 wrote to memory of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28
PID 1188 wrote to memory of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28
PID 1188 wrote to memory of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28
PID 1188 wrote to memory of 3044	1188	64d6a15843305a0c2df1f159e84afa41.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276
- C:\Users\Admin\AppData\Local\Temp\64d6a15843305a0c2df1f159e84afa41.exe
  "C:\Users\Admin\AppData\Local\Temp\64d6a15843305a0c2df1f159e84afa41.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{19350fc2-aa90-f613-4bf0-85f7eee99382}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{19350fc2-aa90-f613-4bf0-85f7eee99382}\@

Filesize
2KB

MD5
9151aaccfd7bfdce8748ca1e18296cc6

SHA1
cf8ec8529c6a783fb1efa138bc38d30960e21e2f

SHA256
81d912fc49d8958a2de681065b2136a402428a267df729964f16cad5b35d1e62

SHA512
e956bf0fef0f1cdc3c4cc93a3c76a13b621244c4b60704c58ab317ebfa9164c3f2fe186f40d442e4ec75619e02a1653d0e88c017f655c59e16f73126f19d763a

Download Submit
memory/468-20-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/468-13-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1188-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-16-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1188-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-2-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1276-7-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1276-3-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1276-18-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads