e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8

Analysis

max time kernel
264s
max time network
368s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
Size

190KB
MD5

e81378414c3719a57300937097e6e151
SHA1

df882733e87d48dae502eeba15d58b6f4dbdf5a5
SHA256

e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8
SHA512

a27afc81a88ed49afd642557e0bafd54d381b29fe6521223c0939f667498f42aa5d5f8ad136e7051c592a78794b732d83ad25460ca6f0a7191a71d506c7e09e4
SSDEEP

3072:h5Q5Nf4uH8KocYuQewRGJelysrFK0xuoKjnhdsIYGvKpQ9b4EQiaB+L/KIz7:hGj4LlcKRG7slxu5jn0aysQiaMLi+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
Token: SeDebugPrivilege	672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1216	Explorer.EXE
332	csrss.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1216	672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe	20
PID 672 wrote to memory of 332	672	e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe	6

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1216
- C:\Users\Admin\AppData\Local\Temp\e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe
  "C:\Users\Admin\AppData\Local\Temp\e8a677462bcb879cebe378106bad886aad3bfb0be3003df18d768c289ca99fd8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-71-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/672-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/672-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/672-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/672-57-0x0000000001B70000-0x0000000001BB6000-memory.dmp

Filesize
280KB

Download
memory/672-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/672-68-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1216-59-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/1216-63-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/1216-67-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download