9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746

General

Target

9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
Size

224KB
MD5

21223212fed04d62793ad44a2104749d
SHA1

b897e786f5c509c059bb40aa19a08e77568c5c27
SHA256

9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746
SHA512

d29afd0b2cd42dbc6133e1cb82df95cfba594279e84d40b72679fb3bd018adecc3d40e7fa45c5bb6d76012d2f3d97feea2505a752c50134f621ac6ac209691db
SSDEEP

3072:YUFxY4yg3UtQD1wuZxUQLOKErTMN+laJZr6ss8ijEVUZFO2ZeOd6cLV:/hUQaiyf3Mr6sIEVO7ZeG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
Token: SeDebugPrivilege	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1232	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	15
PID 1224 wrote to memory of 332	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	6
PID 1224 wrote to memory of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28
PID 1224 wrote to memory of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28
PID 1224 wrote to memory of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28
PID 1224 wrote to memory of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28
PID 1224 wrote to memory of 1128	1224	9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe	28
PID 332 wrote to memory of 876	332	csrss.exe	21

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe
"C:\Users\Admin\AppData\Local\Temp\9ecc01f564a2e700c668144ae234f614fe3a79d6029699e92051d48fd66ae746.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
c8865c3f0fa9dc4a92532cbc2ad9b2e8

SHA1
ef2501f45d2363222fb19c8095c6ded8f5c8240e

SHA256
f69fac5e392d0e06714136c4c8893ceef749e28dadc8b96f3dad4aeebad67584

SHA512
9c534ce369ce316d1c853eadf65ec6365464255625df7d428265c4583c8d61beda67725bb5ecc791d5ec913bf58ae2436c3ff9a43a0c08e1373262e18bb8249a

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
memory/332-68-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download
memory/876-72-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/876-84-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/876-85-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/876-83-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/876-82-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/876-80-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/876-76-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/1224-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1224-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-65-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/1224-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-63-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download
memory/1232-59-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download
memory/1232-55-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing