2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4

General

Target

2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
Size

337KB
MD5

69131d24fb786740a590f9ae73244e38
SHA1

8b9a40e9a88562aa33b398b0d4d73683d3c1107d
SHA256

2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4
SHA512

7393a0012d84154b797cb5878993d10cd940156ec312b59ba5befdaebda6ab57cf8515f3828047578a55150681af4630e2cc11c2dc6e8850f3b6bc1677e5909c
SSDEEP

6144:Kfwzl1JD1NCrEbtYXb/AIc7Tg/V/zoJIGyxFq/Vl4R:OwLJDKrEebfDQ4R

Score

8^/10

evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
332	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
Token: SeDebugPrivilege	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
Token: SeShutdownPrivilege	1348	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1068	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	27
PID 1408 wrote to memory of 1068	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	27
PID 1408 wrote to memory of 1068	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	27
PID 1408 wrote to memory of 1068	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	27
PID 1408 wrote to memory of 1348	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	13
PID 1408 wrote to memory of 332	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	24
PID 1408 wrote to memory of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29
PID 1408 wrote to memory of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29
PID 1408 wrote to memory of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29
PID 1408 wrote to memory of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29
PID 1408 wrote to memory of 1640	1408	2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe	29
PID 332 wrote to memory of 864	332	csrss.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1348
- C:\Users\Admin\AppData\Local\Temp\2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
  "C:\Users\Admin\AppData\Local\Temp\2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe
    "C:\Users\Admin\AppData\Local\Temp\2381263c3236c5957b92212f8c73ec10ee21f5d348466a8d46cda7bef7c376a4.exe" nfaddtdsdqaohwozdij
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
fb30279a85fb3cd4762ce149f0bc109b

SHA1
b5477a07ef6a0f5cec516a2b1ec471993341e97d

SHA256
7d4e3b1f8f04425b8894872c7bba9a914c43417953e8597061071a801c758f2e

SHA512
a189bfe5d7a64d1bde468804b0941b2729999bfad7aefda1c8c53ea92206cec8aca5b34add0906ee124895b733c35907f65b76c9dc32539acdb4d8a2554ccae6

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-76-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/864-92-0x00000000008C0000-0x00000000008CB000-memory.dmp

Filesize
44KB

Download
memory/864-91-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/864-90-0x00000000008C0000-0x00000000008CB000-memory.dmp

Filesize
44KB

Download
memory/864-89-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/864-87-0x00000000008B0000-0x00000000008BB000-memory.dmp

Filesize
44KB

Download
memory/864-83-0x00000000008B0000-0x00000000008BB000-memory.dmp

Filesize
44KB

Download
memory/864-79-0x00000000008B0000-0x00000000008BB000-memory.dmp

Filesize
44KB

Download
memory/1068-75-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1348-77-0x000007FEF6230000-0x000007FEF6373000-memory.dmp

Filesize
1.3MB

Download
memory/1348-78-0x000007FE8F7C0000-0x000007FE8F7CA000-memory.dmp

Filesize
40KB

Download
memory/1348-61-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/1348-69-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/1348-65-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1408-73-0x0000000001F10000-0x0000000002320000-memory.dmp

Filesize
4.1MB

Download
memory/1408-74-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1408-56-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1408-55-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing