d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6

General

Target

d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Size

140KB
MD5

02a93781de1b642b89e9617ae9e1e733
SHA1

dfd8eed9bab5377c2155c310ea610f28d85ded38
SHA256

d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6
SHA512

2587c1efe70d923f0e8bf399733eea61d20f68fe885686167262e6a0f2c7b48f88be5ed0aff7d1431afede0f93660d5c02afa62581e62e81ac7ab394ed30f277
SSDEEP

3072:F/nU3TQCUKnNlF7ZrHRiaL9qJdZre4/6SRkBK0IocitaoLBms:W38Cb7pqtK42BK0ltpdm

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1224	Explorer.EXE
472	services.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2032 set thread context of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2032 set thread context of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\clsid	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1846800975-3917212583-2893086201-1000\\$a61078f311665132c4cba9e3fbee2e62\\n."	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$a61078f311665132c4cba9e3fbee2e62\\n."	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
472	services.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Token: SeDebugPrivilege	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Token: SeDebugPrivilege	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
Token: SeDebugPrivilege	472	services.exe
Token: SeBackupPrivilege	472	services.exe
Token: SeRestorePrivilege	472	services.exe
Token: SeSecurityPrivilege	472	services.exe
Token: SeTakeOwnershipPrivilege	472	services.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2032 wrote to memory of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2032 wrote to memory of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2032 wrote to memory of 2900	2032	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	30
PID 2900 wrote to memory of 1224	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	21
PID 2900 wrote to memory of 1224	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	21
PID 2900 wrote to memory of 472	2900	d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe	6

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1224
- C:\Users\Admin\AppData\Local\Temp\d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
  "C:\Users\Admin\AppData\Local\Temp\d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe
    "C:\Users\Admin\AppData\Local\Temp\d426c1111731c93fabcb8e78d9bfd62ac31b391033a6117d02efcbb0db5e40a6.exe"
    3⤵
    - Modifies security service
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$a61078f311665132c4cba9e3fbee2e62\@

Filesize
2KB

MD5
8425184120e67fa09c8a9f7571a7bcbe

SHA1
fa6908b35d8067f0e10869d590ba050a17408e2d

SHA256
f6080e679a2ecc687efc9bba0427eb9af582d0e273f2fb71128ad2d8e7370f90

SHA512
b60ae3a1811ce174774155f303855ed9f70781f633405136c979d642df112bb2ec2b17cfaed6c2f5a6fc0a1e47535c9f9ddc3970808ceac4e99d1671a2cde65e

Download Submit
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\$a61078f311665132c4cba9e3fbee2e62\n

Filesize
41KB

MD5
fb4e3236959152a057bc6b7603c538ef

SHA1
b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

SHA256
8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

SHA512
993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

Download Submit
memory/472-35-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/472-26-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1224-14-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1224-18-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2032-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-0-0x000000000040C000-0x000000000040E000-memory.dmp

Filesize
8KB

Download
memory/2032-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-7-0x00000000744D0000-0x00000000744EC000-memory.dmp

Filesize
112KB

Download
memory/2900-20-0x00000000744D0000-0x00000000744EC000-memory.dmp

Filesize
112KB

Download
memory/2900-21-0x00000000744D0000-0x00000000744EC000-memory.dmp

Filesize
112KB

Download
memory/2900-12-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2900-30-0x00000000744D0000-0x0000000074528000-memory.dmp

Filesize
352KB

Download
memory/2900-11-0x00000000744D0000-0x00000000744EC000-memory.dmp

Filesize
112KB

Download
memory/2900-10-0x00000000744D0000-0x00000000744EC000-memory.dmp

Filesize
112KB

Download
memory/2900-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads