cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321

Analysis

max time kernel
114s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe
Size

231KB
MD5

db4ac009fbb4ad08a5ef34441af94800
SHA1

fba00dabfadf3e549153dc84a876c0d74408a1f8
SHA256

cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321
SHA512

629752613493e47ef1a20494e191dab7e616d2376182742413fd0a5a865941a9fc8e4f10482d9a59ad3314a5f8fa9562a9959b8260526551191df20f9859d39c
SSDEEP

6144:TFWFMzTdKPUuUiVQQSsVD7ESfI2y21zJCAv0L6g:TBTdKPnWDk7ESAy1ztvDg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Deletes itself 1 IoCs

pid	Process
844	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}\cid = "823460337828864518"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}\u = "15"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
844	explorer.exe
844	explorer.exe
844	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27
PID 1348 wrote to memory of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27
PID 1348 wrote to memory of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27
PID 1348 wrote to memory of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27
PID 1348 wrote to memory of 844	1348	cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe	27
PID 844 wrote to memory of 332	844	explorer.exe	6

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332

C:\Users\Admin\AppData\Local\Temp\cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe
"C:\Users\Admin\AppData\Local\Temp\cc1952149fc3f1d8a11d45c67f2e570da2bd69bb6e2435e96c55de826db9a321.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\explorer.exe
  00000058*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
752aef952bbaace3023f41ce950969e9

SHA1
f211337e01c4bab77f242160b2b8a98869f1e975

SHA256
671e2b4806e7b6fc6fe44f3f2909116b474146f1381815f28abcf5d47a6a4318

SHA512
ac0cd361161805996bdd41db833a918264a16f411fd1ad93beaf90f85311d0056b15c39ab029b8828f56f78d9cba2c3bc4d1d93a44107a30b8230dee851d7dc9

Download Submit
memory/332-71-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/844-54-0x0000000000000000-mapping.dmp

Download
memory/844-56-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/844-62-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/844-67-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/844-68-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/1348-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1348-58-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download