8061cf54b5728fc8eea005c8f5214dccc50f5417ac3d4b17de87aeec8c4ba255

General

Target

c9b6b9bfa26a7e9b2950f3e30820069d.exe
Size

407KB
MD5

c9b6b9bfa26a7e9b2950f3e30820069d
SHA1

282b807d3a7adb05dfb527d5e7db0ee81f36167a
SHA256

8061cf54b5728fc8eea005c8f5214dccc50f5417ac3d4b17de87aeec8c4ba255
SHA512

1bfc76f7ec30162e5d015fec96f27ac55d19f0370fa62d07b58b7cb375ef1f7da82bc6ec448e1aac9ea524fd2b736e495bb166104a4498b4c1b24f4e8536fed6
SSDEEP

12288:Tg0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNL:TyfsJezoxkOVim

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c9b6b9bfa26a7e9b2950f3e30820069d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \\eF35400EoBhB35400\\eF35400EoBhB35400.exe"	c9b6b9bfa26a7e9b2950f3e30820069d.exe

Deletes itself 1 IoCs

Processes:

eF35400EoBhB35400.exe

pid process

3828 eF35400EoBhB35400.exe
Executes dropped EXE 1 IoCs

Processes:

eF35400EoBhB35400.exe

pid process

3828 eF35400EoBhB35400.exe

pid	process
3828	eF35400EoBhB35400.exe

pid	process
3828	eF35400EoBhB35400.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4908-1-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/4908-82-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/3828-94-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/4908-111-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/3828-179-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eF35400EoBhB35400.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eF35400EoBhB35400 = "C:\\eF35400EoBhB35400\\eF35400EoBhB35400.exe"	eF35400EoBhB35400.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4508 4908 WerFault.exe c9b6b9bfa26a7e9b2950f3e30820069d.exe
3920 3828 WerFault.exe eF35400EoBhB35400.exe

pid	pid_target	process	target process
4508	4908	WerFault.exe	c9b6b9bfa26a7e9b2950f3e30820069d.exe
3920	3828	WerFault.exe	eF35400EoBhB35400.exe

Modifies data under HKEY_USERS 26 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c9b6b9bfa26a7e9b2950f3e30820069d.exe

pid	process
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c9b6b9bfa26a7e9b2950f3e30820069d.exeeF35400EoBhB35400.exe

description pid process

Token: SeDebugPrivilege 4908 c9b6b9bfa26a7e9b2950f3e30820069d.exe
Token: SeDebugPrivilege 3828 eF35400EoBhB35400.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

sihost.exesihost.exesihost.exesihost.exesihost.exesihost.exeeF35400EoBhB35400.exe

pid process

4416 sihost.exe
1128 sihost.exe
3536 sihost.exe
2376 sihost.exe
3548 sihost.exe
2432 sihost.exe
3828 eF35400EoBhB35400.exe
3828 eF35400EoBhB35400.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

eF35400EoBhB35400.exe

pid process

3828 eF35400EoBhB35400.exe
3828 eF35400EoBhB35400.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

4060 OfficeClickToRun.exe

description	pid	process
Token: SeDebugPrivilege	4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe
Token: SeDebugPrivilege	3828	eF35400EoBhB35400.exe

pid	process
4416	sihost.exe
1128	sihost.exe
3536	sihost.exe
2376	sihost.exe
3548	sihost.exe
2432	sihost.exe
3828	eF35400EoBhB35400.exe
3828	eF35400EoBhB35400.exe

pid	process
3828	eF35400EoBhB35400.exe
3828	eF35400EoBhB35400.exe

pid	process
4060	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c9b6b9bfa26a7e9b2950f3e30820069d.exe

description	pid	process	target process
PID 4908 wrote to memory of 3828	4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe	eF35400EoBhB35400.exe
PID 4908 wrote to memory of 3828	4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe	eF35400EoBhB35400.exe
PID 4908 wrote to memory of 3828	4908	c9b6b9bfa26a7e9b2950f3e30820069d.exe	eF35400EoBhB35400.exe

C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe
"C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 848
2⤵
- Program crash
PID:4508

C:\eF35400EoBhB35400\eF35400EoBhB35400.exe
"\eF35400EoBhB35400\eF35400EoBhB35400.exe" "C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 840
3⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4908 -ip 4908
1⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3828 -ip 3828
1⤵
PID:1332

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4416

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2172

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1128

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\eF35400EoBhB35400\eF35400EoBhB35400.exe
Filesize
407KB

MD5
1ef94d42f5e2c78aa70b6fcb1b15c9cf

SHA1
547d4d9dc7b11cade6eb4633e0122d3420a9bc49

SHA256
984093c6cd08ccd615de74cce83064fffc5d58dc4356c9de158a9f1adb1e4d41

SHA512
d3eba85233b56e26acf0fbbcf844665aed2d8f498c741ed7f9582426c250e01f9c166d1f3aa9c2ac8e5ff0d5d5d4d8c8f8f4187451bad5e7023630c54102c28d

Download Submit
memory/3828-94-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3828-95-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/3828-179-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4908-0-0x0000000000690000-0x0000000000693000-memory.dmp

Filesize
12KB

Download
memory/4908-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4908-2-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4908-82-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4908-111-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads