2e0f1487b90d72827b8fb51fd9cc5e4ee49220c1ca177722f276de63dfc5db6a

General

Target

c71d6136d7549559ebddf65a48dd6a06.exe
Size

153KB
MD5

c71d6136d7549559ebddf65a48dd6a06
SHA1

d7d3a14231d2b467a515dabf203fcbc39683d689
SHA256

2e0f1487b90d72827b8fb51fd9cc5e4ee49220c1ca177722f276de63dfc5db6a
SHA512

770f4c4c61bb0726f1bfe3ee0249fb248a3899cf553597319c311de0d904d11328bc4d46ee63c6089a08e0efce1d82f798a06e8f2b073fb5441546cbeb2ff22e
SSDEEP

3072:KTLsLsGHC1Tc0JW458ql25l1EN4u8v3nEJ3kCWcLke:KP1GHST/JWw8qI6NInEiCWcL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	Explorer.EXE
480	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\\n."	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\\n."	c71d6136d7549559ebddf65a48dd6a06.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\@	c71d6136d7549559ebddf65a48dd6a06.exe
File created	C:\Windows\Installer\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\n	c71d6136d7549559ebddf65a48dd6a06.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\clsid	c71d6136d7549559ebddf65a48dd6a06.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	c71d6136d7549559ebddf65a48dd6a06.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\\n."	c71d6136d7549559ebddf65a48dd6a06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\\n."	c71d6136d7549559ebddf65a48dd6a06.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
112	c71d6136d7549559ebddf65a48dd6a06.exe
112	c71d6136d7549559ebddf65a48dd6a06.exe
112	c71d6136d7549559ebddf65a48dd6a06.exe
112	c71d6136d7549559ebddf65a48dd6a06.exe
112	c71d6136d7549559ebddf65a48dd6a06.exe
112	c71d6136d7549559ebddf65a48dd6a06.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	c71d6136d7549559ebddf65a48dd6a06.exe
Token: SeDebugPrivilege	112	c71d6136d7549559ebddf65a48dd6a06.exe
Token: SeDebugPrivilege	112	c71d6136d7549559ebddf65a48dd6a06.exe
Token: SeBackupPrivilege	480	services.exe
Token: SeRestorePrivilege	480	services.exe
Token: SeSecurityPrivilege	480	services.exe
Token: SeTakeOwnershipPrivilege	480	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1172	112	c71d6136d7549559ebddf65a48dd6a06.exe	21
PID 112 wrote to memory of 1172	112	c71d6136d7549559ebddf65a48dd6a06.exe	21
PID 112 wrote to memory of 480	112	c71d6136d7549559ebddf65a48dd6a06.exe	6
PID 112 wrote to memory of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28
PID 112 wrote to memory of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28
PID 112 wrote to memory of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28
PID 112 wrote to memory of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28
PID 112 wrote to memory of 2544	112	c71d6136d7549559ebddf65a48dd6a06.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1172
- C:\Users\Admin\AppData\Local\Temp\c71d6136d7549559ebddf65a48dd6a06.exe
  "C:\Users\Admin\AppData\Local\Temp\c71d6136d7549559ebddf65a48dd6a06.exe"
  2⤵
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{2afc3a57-583b-dc37-6af8-7a4ab5357b5e}\@

Filesize
2KB

MD5
a1da78713fdc92fda32374233e6f129d

SHA1
518cd6d70a9eae2304f4d536212ec73be28b53b0

SHA256
348c7b897a9acbaeb6f729ef297dca6aba8d42919766d0c4d8a39f0884cf9748

SHA512
0735394ccb3f3f70ed4007b55641bdaa4fe61552912e1d3b868e070325623796147e5e643ee73e058f59e1360c1e865351327fafcd79560c9639af24f4e985a9

Download Submit
memory/112-2-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/112-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/112-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/112-15-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/112-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/480-13-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1172-3-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1172-17-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads