e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39

General

Target

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
Size

220KB
MD5

9ed5fddac20417cc7d033586089557e2
SHA1

7d5cff8e55ddb958558c3c798f177f023d31ba1f
SHA256

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39
SHA512

ebb0ffa7ea551c6928701219c9353f78588b8f8c9ccbabb14e173bc1a408991c4233f81f9822dcc3b3613effe97628fa3bbd73a8ec8332eaf231e62cc85ebad2
SSDEEP

6144:BE5Sj6t+tEA0LEIm5V6ZrRN+hBcT4dng/G:C5SjzEPtGV6ZjZkdnSG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

332 csrss.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 94.242.250.64
Destination IP 94.242.250.64
Destination IP 94.242.250.64
Destination IP 94.242.250.64
Drops desktop.ini file(s) 2 IoCs

Processes:

csrss.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe
File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe

pid	process
332	csrss.exe

pid	process
1560	cmd.exe

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe

description	pid	process	target process
PID 1232 set thread context of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.execsrss.exe

pid	process
1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
332	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
Token: SeDebugPrivilege	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

332 csrss.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.execsrss.exe

description	pid	process	target process
PID 1232 wrote to memory of 1284	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	Explorer.EXE
PID 1232 wrote to memory of 332	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	csrss.exe
PID 1232 wrote to memory of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe
PID 1232 wrote to memory of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe
PID 1232 wrote to memory of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe
PID 1232 wrote to memory of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe
PID 1232 wrote to memory of 1560	1232	e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe	cmd.exe
PID 332 wrote to memory of 860	332	csrss.exe	svchost.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe
"C:\Users\Admin\AppData\Local\Temp\e7f891e59c8be18563fea334da16d80c2242622c28d280aa72469fce36c53f39.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
PID:1560

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@
Filesize
2KB

MD5
6ce4c6e6850a2ea6915da255a8ca4dce

SHA1
94f6a93f74f26d576e5089cc58143dab01287062

SHA256
9dc327d2feb7a28badc95b8c0c5c78cd20ac60ab084f93781104a433819642b9

SHA512
53d0fc1e0da5a90ca8fe7aabc4ce974953fb144ae8c9f706b94d36d41e500effb5ca21842de565e21459990b47a93b88abe21eb0be4edcfdbadfa27cf8fce51d

Download Submit
\Windows\System32\consrv.dll
Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-72-0x0000000000A40000-0x0000000000A51000-memory.dmp

Filesize
68KB

Download
memory/860-79-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/860-75-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/860-88-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/860-87-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/860-86-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/860-85-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/860-83-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/1232-69-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/1232-56-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/1232-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1232-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1232-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1232-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1284-61-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/1284-57-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/1284-65-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/1284-68-0x000007FF66ED0000-0x000007FF66EDA000-memory.dmp

Filesize
40KB

Download
memory/1284-67-0x000007FEF60C0000-0x000007FEF6203000-memory.dmp

Filesize
1.3MB

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads