04d47d7a897a86e711e7c874ada8cca27a7f28cf6a0dc208adaef2cf15fa1ebd

General

Target

14fe5f1c73372df0072bae0a8aee189e.exe
Size

348KB
MD5

14fe5f1c73372df0072bae0a8aee189e
SHA1

32a1f27a86a75616bc1a23bf6894b80fc24cf19b
SHA256

04d47d7a897a86e711e7c874ada8cca27a7f28cf6a0dc208adaef2cf15fa1ebd
SHA512

df0140fac705095b0a3b27236f5e62d7bb87362e355ea7c5457a163c8734d8604d6f32c5415d68c7a96cc2c2df0e2dec6a82028f1c4034548094a5fd3dc06e3b
SSDEEP

6144:3AIgjmiKlYM4XrhfXSClvdnNYMSisQBtdbk8sYMES3npuMvg7ByS35:bgTYgXrhv7lNNB8gdbk8HMES3pu7AO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
340	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2988	14fe5f1c73372df0072bae0a8aee189e.exe
2988	14fe5f1c73372df0072bae0a8aee189e.exe
2988	14fe5f1c73372df0072bae0a8aee189e.exe
2988	14fe5f1c73372df0072bae0a8aee189e.exe
340	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	14fe5f1c73372df0072bae0a8aee189e.exe
Token: SeDebugPrivilege	2988	14fe5f1c73372df0072bae0a8aee189e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2988	14fe5f1c73372df0072bae0a8aee189e.exe
340	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1192	2988	14fe5f1c73372df0072bae0a8aee189e.exe	13
PID 2988 wrote to memory of 340	2988	14fe5f1c73372df0072bae0a8aee189e.exe	6
PID 2988 wrote to memory of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29
PID 2988 wrote to memory of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29
PID 2988 wrote to memory of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29
PID 2988 wrote to memory of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29
PID 2988 wrote to memory of 2124	2988	14fe5f1c73372df0072bae0a8aee189e.exe	29
PID 340 wrote to memory of 2652	340	csrss.exe	30
PID 340 wrote to memory of 2652	340	csrss.exe	30
PID 340 wrote to memory of 2644	340	csrss.exe	31
PID 340 wrote to memory of 2644	340	csrss.exe	31
PID 340 wrote to memory of 852	340	csrss.exe	24

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\14fe5f1c73372df0072bae0a8aee189e.exe
  "C:\Users\Admin\AppData\Local\Temp\14fe5f1c73372df0072bae0a8aee189e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:852
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2652

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-19-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/340-24-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/340-23-0x0000000002D60000-0x0000000002D62000-memory.dmp

Filesize
8KB

Download
memory/340-18-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/852-35-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/852-36-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/852-40-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/852-39-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/852-26-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/852-27-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/852-31-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/1192-3-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/1192-12-0x0000000002D60000-0x0000000002D62000-memory.dmp

Filesize
8KB

Download
memory/1192-7-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/1192-11-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/2988-0-0x0000000030670000-0x00000000306C7000-memory.dmp

Filesize
348KB

Download
memory/2988-2-0x0000000030670000-0x0000000030697000-memory.dmp

Filesize
156KB

Download
memory/2988-1-0x0000000001D30000-0x0000000002D30000-memory.dmp

Filesize
16.0MB

Download
memory/2988-22-0x0000000030670000-0x0000000030697000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing