7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253

General

Target

7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
Size

209KB
MD5

d6529cc6041d7a80b0b69e42420b1242
SHA1

dc4de780ead9f585dd3c1818af8f0ec4b0e508d1
SHA256

7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253
SHA512

7f08f8dbd7fa4e3484f0eb9eb48a02706c454c82f98e5eccbcd525a82b203ac3d3ea587d63c6f4a3f65c0be16c3edf7c22792a4029552c7d86cbd8223945a31a
SSDEEP

3072:tjYOFZdahMAiVfXtB+lltpnNryrCVM4DkO1eqfG5qB3NP9:jZdfAkPi3nNLdkK3O5qB3NP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Deletes itself 1 IoCs

pid	Process
884	cmd.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
Token: SeDebugPrivilege	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1268	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	12
PID 944 wrote to memory of 332	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	2
PID 944 wrote to memory of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28
PID 944 wrote to memory of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28
PID 944 wrote to memory of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28
PID 944 wrote to memory of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28
PID 944 wrote to memory of 884	944	7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe	28
PID 332 wrote to memory of 864	332	csrss.exe	22

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268
- C:\Users\Admin\AppData\Local\Temp\7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe
  "C:\Users\Admin\AppData\Local\Temp\7d84ca06fa5420ff75daaebedeffe8446e92783bb02eb18bda262585cfea7253.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
0ff50008c413a7de58460b8f420b0f42

SHA1
2c719326e59d0676cc907c9a5c3d6fefee63b3ea

SHA256
5bfc05e067233878b73f781fe2d22753ef2cb1d8268cd7c881eb6b72777df39f

SHA512
eca07cbbb09f67714099d0af7534c0e98964f51357214ec726b8831416bce5562de61364a1507c888ad226f0c3136292fa7123399d4e2b3219ef7f8a9f86e317

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-68-0x0000000000A40000-0x0000000000A51000-memory.dmp

Filesize
68KB

Download
memory/864-76-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/864-85-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/864-84-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/864-83-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/864-82-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/864-80-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/864-72-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/944-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/944-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/944-69-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/944-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/944-65-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1268-63-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1268-59-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1268-55-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing