b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139

General

Target

b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
Size

220KB
MD5

c2dfd5c6c312bb761a31e9336555bb0e
SHA1

e584bbd3e5a54d7bb85b6172bf24bb61b1e5ddfa
SHA256

b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139
SHA512

27d2f6fe22001cfb1eb3b1e06c45793e643406e9fb84d9917fc124e02d2eaf336decb8fb1c4db89c56837fafc692854d33efde5f8be55253f148f596bc4e7b20
SSDEEP

3072:F7k/7PA67EfSNvivoUmC7LcqsAU3ZBrOXcYmJN+s4Tjjq+YBmeck/jzdsFj0ifyW:kPx7RvUEfJd7+zjjbYBmeckPdsFgWyi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
Token: SeDebugPrivilege	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 336	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	6
PID 796 wrote to memory of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28
PID 796 wrote to memory of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28
PID 796 wrote to memory of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28
PID 796 wrote to memory of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28
PID 796 wrote to memory of 2012	796	b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe	28
PID 336 wrote to memory of 872	336	csrss.exe	22

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe
"C:\Users\Admin\AppData\Local\Temp\b98e43e7b75feb884edb9794767f6283472e0125ffdde8e04ad8bc188726c139.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
75bff68f55d5498d25d686068a43fea0

SHA1
9c3fb68b577c6ee7212d6a8a8fc19af7a6d6b36f

SHA256
7ad85a331128fba81bce3957387ce71821fe7bc107d13e7c4b632e10f49b3d45

SHA512
ab866d0a348a37fcd3eb5ce135f46acc45a00115d4c6bf9288785c69140185280d65e8789afd090bdec5cd0b9f6c72c07b586acd2ef87a421f9dcff86178867e

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
memory/336-78-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/796-77-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/796-56-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/796-66-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-67-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/796-68-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-69-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/796-72-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-71-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-58-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-57-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/796-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/796-76-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-75-0x00000000003B1000-0x00000000003C4000-memory.dmp

Filesize
76KB

Download
memory/796-62-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-79-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/796-80-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/796-81-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/796-82-0x0000000000460000-0x0000000000497000-memory.dmp

Filesize
220KB

Download
memory/796-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/872-88-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/872-92-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/872-84-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/872-94-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/872-95-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download
memory/872-96-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/872-97-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing