f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e

Analysis

max time kernel
152s
max time network
191s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
Size

245KB
MD5

44449f247a792b91470a8c1d8f0f6ad0
SHA1

2b6c81f882dd130e88bb01397e9d8444d88f9532
SHA256

f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e
SHA512

65113696c4ca661819368aa54debb704f9c29f8b797266718e4be5d3fd3e6cef8f3c4ba13042701f02b9db00727d6d2410a74f6641c8f4306bf4eca4b9bccb5e
SSDEEP

3072:tDChcAg0TpB5mulhSS47W7/lxRhF1QCpNl+1LCcwXZqHPhrJLVEu+VbzC7TH33uK:ohc09muSRi/l3pn3cKZqHprdUW/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Deletes itself 1 IoCs

pid	Process
1152	cmd.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
336	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
Token: SeDebugPrivilege	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeShutdownPrivilege	1276	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1276	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	15
PID 1420 wrote to memory of 336	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	6
PID 1420 wrote to memory of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28
PID 1420 wrote to memory of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28
PID 1420 wrote to memory of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28
PID 1420 wrote to memory of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28
PID 1420 wrote to memory of 1152	1420	f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe	28
PID 336 wrote to memory of 872	336	csrss.exe	22

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276
- C:\Users\Admin\AppData\Local\Temp\f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe
  "C:\Users\Admin\AppData\Local\Temp\f6d943f0c22fbe93c130b56e725bcebf809fd538fd61e4bfc24ec626d121c20e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
56176a03fd704b23673dcbf62e14caea

SHA1
3f588f583cc0d50a29874f7319b62a06fe647209

SHA256
8eddff7da2eb52d0a33d112efeccd6092e05f7998036fa65bbc571692aa536d5

SHA512
b8025b4fbaced6cdb16b3dc979a80e1726ce8c57da1582db0f8cf607475155e32fec62cfa0fcdb3e3bd19c5395f0a2aa4b73f79123dd67dcbe16bf0c1ac21b00

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
memory/336-87-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/872-113-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download
memory/872-112-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/872-105-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download
memory/872-104-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/872-94-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/872-102-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/872-98-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/1276-92-0x000007FEF67D0000-0x000007FEF6913000-memory.dmp

Filesize
1.3MB

Download
memory/1276-70-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/1276-93-0x000007FEA6E00000-0x000007FEA6E0A000-memory.dmp

Filesize
40KB

Download
memory/1276-74-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/1276-78-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/1420-90-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-80-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/1420-81-0x0000000000497000-0x000000000049B000-memory.dmp

Filesize
16KB

Download
memory/1420-69-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-84-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-83-0x00000000004A0000-0x00000000004DD000-memory.dmp

Filesize
244KB

Download
memory/1420-88-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1420-89-0x00000000004A0000-0x00000000004DD000-memory.dmp

Filesize
244KB

Download
memory/1420-68-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-82-0x0000000000461000-0x0000000000475000-memory.dmp

Filesize
80KB

Download
memory/1420-54-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/1420-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1420-65-0x00000000004A0000-0x00000000004DD000-memory.dmp

Filesize
244KB

Download
memory/1420-66-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-64-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-63-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-62-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-59-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-56-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/1420-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download