afe29e7c4536a15c35bda84db5d688d9eef0a1df505be15abf10078caf2e31cf

Analysis

max time kernel
69s
max time network
115s
platform
windows10_x64
resource
win10
submitted
08/08/2020, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe
Size

916KB
MD5

abec217429330d3c6cb587d614331bd8
SHA1

81b190f81734d38741dcbbc8384505ede2c30ac5
SHA256

82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55
SHA512

0bf6a687960068e0882d1d9e53fd7b24e1629aa84dd842b3726f73a0e2b7d6015faac9d96966adf1bc8b01e9bbc06ff0fa1c9edb88250fec31d89384cfa4a4ba

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3824	3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe	67
PID 3844 wrote to memory of 3824	3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe	67
PID 3844 wrote to memory of 3824	3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe	67

Executes dropped EXE 1 IoCs

pid	Process
3824	csrsse.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe
Token: SeDebugPrivilege	3824	csrsse.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe
3844	82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe
3824	csrsse.exe
3824	csrsse.exe

C:\Users\Admin\AppData\Local\Temp\82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe
"C:\Users\Admin\AppData\Local\Temp\82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
PID:3844
- C:\Users\Admin\Documents\csrsse.exe
  "C:\Users\Admin\Documents\csrsse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads