96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
Size

219KB
MD5

e8a9e2a3829a7637551f627fdda4a753
SHA1

c969ba7107a5355b973f3943eebd3c7ccb196f29
SHA256

96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2
SHA512

1199b3298a3c6ae125e42fee7a8d7b6aa3c12139a6ef5014b68864367494bd0afe826a3b03f2cbda0ba090104a619b6c415f2938299b3ff08d766d09cde3fa9a
SSDEEP

6144:OzZtQYiX6XupUNGN13rTMXXTOqOrNMKN2W:+tg6bNs13rTMXXON

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
Token: SeDebugPrivilege	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 336	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	6
PID 1516 wrote to memory of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27
PID 1516 wrote to memory of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27
PID 1516 wrote to memory of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27
PID 1516 wrote to memory of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27
PID 1516 wrote to memory of 1332	1516	96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe	27
PID 336 wrote to memory of 868	336	csrss.exe	9

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\AppData\Local\Temp\96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe
"C:\Users\Admin\AppData\Local\Temp\96a63a039b794c93a8f0dbd6db434cd0931f39fdc3d8b438df6a21a81ae1f1a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
72e170a6db12bae38284297dd4d1ebd4

SHA1
1718951adf9eb90c78c55d1a453c5a11e2224dc7

SHA256
0dac5e61d73c6ce4e9924af668c2f008274e4a8687bc8da1a57c67c1037cfeec

SHA512
de474d98206aa79ae32cb78f43b64a811350260b10a4e4c3def4e827dabb7c208bf71654e2bbb0e37ff05f085bfd15c9b0485754ced7d3ebf3ce3a3e79403ee7

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
memory/336-79-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/868-85-0x0000000000880000-0x000000000088B000-memory.dmp

Filesize
44KB

Download
memory/868-104-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/868-103-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/868-96-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/868-95-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/868-93-0x0000000000880000-0x000000000088B000-memory.dmp

Filesize
44KB

Download
memory/868-89-0x0000000000880000-0x000000000088B000-memory.dmp

Filesize
44KB

Download
memory/1516-56-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1516-82-0x00000000003B1000-0x00000000003C4000-memory.dmp

Filesize
76KB

Download
memory/1516-75-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-61-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-57-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1516-78-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-72-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/1516-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1516-74-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-83-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-84-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/1516-54-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1516-71-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/1516-70-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-55-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/1516-69-0x00000000003B1000-0x00000000003C4000-memory.dmp

Filesize
76KB

Download
memory/1516-68-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-67-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1516-66-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download