5d91fa0a62e8d79de6b130a8d6f2909e058174699a098802933cc4ff7c6e6c7f

General

Target

6cc3eaef50526f145f57541b202c1025.exe
Size

159KB
MD5

6cc3eaef50526f145f57541b202c1025
SHA1

cec8c3bb3d2ca7aacc6918acdafc85456c88e1bf
SHA256

5d91fa0a62e8d79de6b130a8d6f2909e058174699a098802933cc4ff7c6e6c7f
SHA512

03b3fbe32284b2f6c3cf404e5912cdd542c5b106d9c44139d76b7a455ee1c47660ac6e073d1e6d6a0e09588ba933cc32d3f237246eddfa7a6a7be816e69251e0
SSDEEP

3072:GfIsRhQOk55XQWTt06JMZUlLQuqnvyIbtEjofeQrPvH9DRc6z+QN:GfIs85X/TqZsLQuqnVOrQrXfc6K

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Explorer.EXE

pid process

3436 Explorer.EXE

pid	process
3436	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

6cc3eaef50526f145f57541b202c1025.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	6cc3eaef50526f145f57541b202c1025.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	6cc3eaef50526f145f57541b202c1025.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{869e24b4-ed84-91cb-24b5-09e7287fc4a4}\\n."	6cc3eaef50526f145f57541b202c1025.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 8 IoCs

Processes:

Explorer.EXE6cc3eaef50526f145f57541b202c1025.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\clsid	6cc3eaef50526f145f57541b202c1025.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	6cc3eaef50526f145f57541b202c1025.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	6cc3eaef50526f145f57541b202c1025.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	6cc3eaef50526f145f57541b202c1025.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{869e24b4-ed84-91cb-24b5-09e7287fc4a4}\\n."	6cc3eaef50526f145f57541b202c1025.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

6cc3eaef50526f145f57541b202c1025.exeExplorer.EXE

pid	process
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
4884	6cc3eaef50526f145f57541b202c1025.exe
3436	Explorer.EXE
3436	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6cc3eaef50526f145f57541b202c1025.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	4884	6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege	4884	6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege	4884	6cc3eaef50526f145f57541b202c1025.exe
Token: SeDebugPrivilege	3436	Explorer.EXE
Token: SeManageVolumePrivilege	1008	svchost.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3436 Explorer.EXE
3436 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3436 Explorer.EXE

pid	process
3436	Explorer.EXE
3436	Explorer.EXE

pid	process
3436	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

6cc3eaef50526f145f57541b202c1025.exe

description	pid	process	target process
PID 4884 wrote to memory of 3436	4884	6cc3eaef50526f145f57541b202c1025.exe	Explorer.EXE
PID 4884 wrote to memory of 3436	4884	6cc3eaef50526f145f57541b202c1025.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3436

C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe
"C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe"
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{869e24b4-ed84-91cb-24b5-09e7287fc4a4}\n
Filesize
42KB

MD5
bfa0c9ec67cd0f1b2dabfc7777aae294

SHA1
c15a4686bda91546e4c3abba58530423c40da3dc

SHA256
f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585

SHA512
e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f

Download Submit
memory/1008-13-0x000001DFE78A0000-0x000001DFE78B0000-memory.dmp

Filesize
64KB

Download
memory/1008-49-0x000001DFEFE50000-0x000001DFEFE51000-memory.dmp

Filesize
4KB

Download
memory/1008-48-0x000001DFEFD40000-0x000001DFEFD41000-memory.dmp

Filesize
4KB

Download
memory/1008-47-0x000001DFEFD40000-0x000001DFEFD41000-memory.dmp

Filesize
4KB

Download
memory/1008-45-0x000001DFEFD10000-0x000001DFEFD11000-memory.dmp

Filesize
4KB

Download
memory/1008-29-0x000001DFE79A0000-0x000001DFE79B0000-memory.dmp

Filesize
64KB

Download
memory/3436-9-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4884-3-0x0000000002180000-0x00000000021AD000-memory.dmp

Filesize
180KB

Download
memory/4884-12-0x0000000002180000-0x00000000021AD000-memory.dmp

Filesize
180KB

Download
memory/4884-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-4-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/4884-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-1-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads