c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996

General

Target

c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Size

207KB
MD5

3200d276e79328dc4215b482566cc4d0
SHA1

678d6bdd77ab682ab23a8e081040acd46253d28e
SHA256

c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996
SHA512

8be0d02f8a2a3939760f30d547dce67256d23a6a94fc908ae989f88bc9e095e2314c59d41e14359732c064fc9ffb2f3e06e617c4817f3e2bc55d5289324c030e
SSDEEP

3072:mY22D32pxiCbv7xo9sAUcf6yidUr/61Z1ILrZXTXkS2jbxWGqt:L2g4iCXxo9sAURDdK6L1ILljXkSbGq

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1188	Explorer.EXE
480	services.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2096 set thread context of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2096 set thread context of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3533259084-2542256011-65585152-1000\\$d42efe3c20f7caa195f648ba935092c5\\n."	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$d42efe3c20f7caa195f648ba935092c5\\n."	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\clsid	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\en-US:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Token: SeDebugPrivilege	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Token: SeDebugPrivilege	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
Token: SeBackupPrivilege	480	services.exe
Token: SeRestorePrivilege	480	services.exe
Token: SeSecurityPrivilege	480	services.exe
Token: SeTakeOwnershipPrivilege	480	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2096 wrote to memory of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2096 wrote to memory of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2096 wrote to memory of 2484	2096	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	30
PID 2484 wrote to memory of 1188	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	21
PID 2484 wrote to memory of 1188	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	21
PID 2484 wrote to memory of 480	2484	c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe	6

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188
- C:\Users\Admin\AppData\Local\Temp\c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
  "C:\Users\Admin\AppData\Local\Temp\c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe
    "C:\Users\Admin\AppData\Local\Temp\c43e203dfc4284505a119df6a230cf04da79e40541fa0796367128f72c140996N.exe"
    3⤵
    - Modifies security service
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$d42efe3c20f7caa195f648ba935092c5\@

Filesize
2KB

MD5
ed0337436c4db7243d5a080fd60f2e93

SHA1
639e6b7daa4858e49053e0425051c9442909eb5d

SHA256
1dd09c7ff897a653b77072e5241649d67f0cfbc222fe4864a1ea24e775c23c1a

SHA512
5977375a4904a444e00cb11aa9dc03c6f7ab4678b99e8d0fe3ab908f07f0e540c67a33b05b4990e1d24d3096bd0c9bd01daff872b8d34ba3a2fb2f4d0a0df243

Download Submit
C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\$d42efe3c20f7caa195f648ba935092c5\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/480-31-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/480-24-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1188-17-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1188-15-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1188-29-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2096-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-1-0x0000000000260000-0x000000000028B000-memory.dmp

Filesize
172KB

Download
memory/2096-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2484-18-0x0000000074A30000-0x0000000074A4E000-memory.dmp

Filesize
120KB

Download
memory/2484-11-0x0000000074A30000-0x0000000074A4E000-memory.dmp

Filesize
120KB

Download
memory/2484-20-0x0000000074A30000-0x0000000074A4E000-memory.dmp

Filesize
120KB

Download
memory/2484-7-0x0000000074A30000-0x0000000074A4E000-memory.dmp

Filesize
120KB

Download
memory/2484-10-0x0000000074A30000-0x0000000074A4E000-memory.dmp

Filesize
120KB

Download
memory/2484-12-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/2484-36-0x0000000074A30000-0x0000000074A88000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads