Analysis
-
max time kernel
89s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
21-01-2024 07:55
Static task
static1
Behavioral task
behavioral1
Sample
6cc3eaef50526f145f57541b202c1025.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6cc3eaef50526f145f57541b202c1025.exe
Resource
win10v2004-20231222-en
General
-
Target
6cc3eaef50526f145f57541b202c1025.exe
-
Size
159KB
-
MD5
6cc3eaef50526f145f57541b202c1025
-
SHA1
cec8c3bb3d2ca7aacc6918acdafc85456c88e1bf
-
SHA256
5d91fa0a62e8d79de6b130a8d6f2909e058174699a098802933cc4ff7c6e6c7f
-
SHA512
03b3fbe32284b2f6c3cf404e5912cdd542c5b106d9c44139d76b7a455ee1c47660ac6e073d1e6d6a0e09588ba933cc32d3f237246eddfa7a6a7be816e69251e0
-
SSDEEP
3072:GfIsRhQOk55XQWTt06JMZUlLQuqnvyIbtEjofeQrPvH9DRc6z+QN:GfIs85X/TqZsLQuqnVOrQrXfc6K
Malware Config
Signatures
-
Deletes itself (1 IoC)
Processes:
pid | process
2660 | cmd.exe
-
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1260 | Explorer.EXE
464 | services.exe
-
Registers COM server for autorun (1 TTP, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\\n." | 6cc3eaef50526f145f57541b202c1025.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\\n." | 6cc3eaef50526f145f57541b202c1025.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | 6cc3eaef50526f145f57541b202c1025.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | 6cc3eaef50526f145f57541b202c1025.exe
-
Unexpected DNS network traffic destination (9 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
description | ioc | process
File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2028 set thread context of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Installer\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\@ | 6cc3eaef50526f145f57541b202c1025.exe
File created | C:\Windows\Installer\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\n | 6cc3eaef50526f145f57541b202c1025.exe
-
Modifies registry class (6 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | 6cc3eaef50526f145f57541b202c1025.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | 6cc3eaef50526f145f57541b202c1025.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\\n." | 6cc3eaef50526f145f57541b202c1025.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\\n." | 6cc3eaef50526f145f57541b202c1025.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\clsid | 6cc3eaef50526f145f57541b202c1025.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} | 6cc3eaef50526f145f57541b202c1025.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
pid | process
2028 | 6cc3eaef50526f145f57541b202c1025.exe
2028 | 6cc3eaef50526f145f57541b202c1025.exe
2028 | 6cc3eaef50526f145f57541b202c1025.exe
2028 | 6cc3eaef50526f145f57541b202c1025.exe
2028 | 6cc3eaef50526f145f57541b202c1025.exe
2028 | 6cc3eaef50526f145f57541b202c1025.exe
464 | services.exe
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2028 | 6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege | 2028 | 6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege | 2028 | 6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege | 464 | services.exe
Token: SeBackupPrivilege | 464 | services.exe
Token: SeRestorePrivilege | 464 | services.exe
Token: SeSecurityPrivilege | 464 | services.exe
Token: SeTakeOwnershipPrivilege | 464 | services.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1260 | Explorer.EXE
1260 | Explorer.EXE
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process
1260 | Explorer.EXE
1260 | Explorer.EXE
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 2028 wrote to memory of 1260 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | Explorer.EXE
PID 2028 wrote to memory of 1260 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | Explorer.EXE
PID 2028 wrote to memory of 464 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | services.exe
PID 2028 wrote to memory of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
PID 2028 wrote to memory of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
PID 2028 wrote to memory of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
PID 2028 wrote to memory of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
PID 2028 wrote to memory of 2660 | 2028 | 6cc3eaef50526f145f57541b202c1025.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
  C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe (tree depth 2, child of Explorer.EXE)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe"
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (tree depth 3, child of 6cc3eaef50526f145f57541b202c1025.exe)
    Command line: "C:\Windows\system32\cmd.exe"
    - Deletes itself
-
C:\Windows\system32\services.exe (tree depth 1)
Command line: C:\Windows\system32\services.exe
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\n
Filesize 42KB
MD5 bfa0c9ec67cd0f1b2dabfc7777aae294
SHA1 c15a4686bda91546e4c3abba58530423c40da3dc
SHA256 f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585
SHA512 e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f
-
\systemroot\Installer\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\@
Filesize 2KB
MD5 6b1b5fcf8326145632af4ba4ebc2b1f7
SHA1 68ae11b573fe79bb20643ee6f536e0abd116b930
SHA256 93ade3c02b1d9d6d254ebd8fd2f5e682738360229940dcbe7f9dbf6efcb0a47f
SHA512 1611646bef0c21ed2e132a6d7048ab7048ca48b9b10a3faba865917ab5c45c67125513d3e0c2fac670b8eea8153033b491a8078b8853a627fa9b9d3e5419273e
-
memory/464-26-0x00000000000F0000-0x00000000000F1000-memory.dmp
Filesize 4KB
-
memory/464-15-0x00000000000F0000-0x00000000000F1000-memory.dmp
Filesize 4KB
-
memory/1260-24-0x0000000001D50000-0x0000000001D51000-memory.dmp
Filesize 4KB
-
memory/1260-23-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/1260-6-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/1260-10-0x0000000001D50000-0x0000000001D51000-memory.dmp
Filesize 4KB
-
memory/2028-4-0x00000000001F0000-0x00000000001F1000-memory.dmp
Filesize 4KB
-
memory/2028-5-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2028-0-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2028-20-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2028-21-0x00000000001C0000-0x00000000001ED000-memory.dmp
Filesize 180KB
-
memory/2028-3-0x00000000001C0000-0x00000000001ED000-memory.dmp
Filesize 180KB
-
memory/2028-2-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2028-25-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2028-1-0x00000000001B0000-0x00000000001B1000-memory.dmp
Filesize 4KB