25d5313f483954f2b8c3255eaa63e8c5972a6064aa6d06ca49e19b0133d2bdc7

General

Target

06265e97aac3790b69e1d955019b904a.exe
Size

146KB
MD5

06265e97aac3790b69e1d955019b904a
SHA1

6303504ea67878efba3a5fbefe5462abcedb862c
SHA256

25d5313f483954f2b8c3255eaa63e8c5972a6064aa6d06ca49e19b0133d2bdc7
SHA512

bf8041b38082b98b7e3193e4bd369837abc536c61d8e32037c7eb6659eb2aee35ea2a8ed912e5cdf0986533a12a57f477970730b7b83eed90d7bc7fa70139724
SSDEEP

3072:XTutRluFz+AH3QKOjO2TQ7EJBz5OwnRoaXx7OuHZIuH1q7pSPNSycm:0RluFz+AXQ7jOcQ7yDLiQx7OuHZRqM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
340	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1660	06265e97aac3790b69e1d955019b904a.exe
1660	06265e97aac3790b69e1d955019b904a.exe
1660	06265e97aac3790b69e1d955019b904a.exe
1660	06265e97aac3790b69e1d955019b904a.exe
340	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	06265e97aac3790b69e1d955019b904a.exe
Token: SeDebugPrivilege	1660	06265e97aac3790b69e1d955019b904a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1180	Explorer.EXE
1180	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1180	Explorer.EXE
1180	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
340	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1180	1660	06265e97aac3790b69e1d955019b904a.exe	17
PID 1660 wrote to memory of 340	1660	06265e97aac3790b69e1d955019b904a.exe	6
PID 1660 wrote to memory of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28
PID 1660 wrote to memory of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28
PID 1660 wrote to memory of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28
PID 1660 wrote to memory of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28
PID 1660 wrote to memory of 2644	1660	06265e97aac3790b69e1d955019b904a.exe	28
PID 340 wrote to memory of 2544	340	csrss.exe	30
PID 340 wrote to memory of 2544	340	csrss.exe	30
PID 340 wrote to memory of 2980	340	csrss.exe	31
PID 340 wrote to memory of 2980	340	csrss.exe	31
PID 340 wrote to memory of 844	340	csrss.exe	23

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Temp\06265e97aac3790b69e1d955019b904a.exe
"C:\Users\Admin\AppData\Local\Temp\06265e97aac3790b69e1d955019b904a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2644

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:844
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2544

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
7ee9b52e1ef862ea44188533c4f0d74b

SHA1
ec67475bb1264a7953c21fc4533bf754e2289a78

SHA256
3e1b8c526e2b523452023e70e2a6e69ea33ed81e0d7376f12a53a6912ef92232

SHA512
2f49740b9c593b94ecbc2fb72b71f650fbf6e09d3d645477027bbff8e6aac1347bbc8c4f88443b2fc724e37cb13d20683fc19b65cc77d316e11bf79e0a418f3d

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/340-16-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download
memory/340-15-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download
memory/340-19-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/340-20-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download
memory/844-22-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/844-36-0x0000000000DC0000-0x0000000000DCB000-memory.dmp

Filesize
44KB

Download
memory/844-35-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/844-31-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/844-27-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/844-34-0x0000000000DC0000-0x0000000000DCB000-memory.dmp

Filesize
44KB

Download
memory/844-23-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/844-32-0x0000000000DC0000-0x0000000000DCB000-memory.dmp

Filesize
44KB

Download
memory/1180-9-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/1180-8-0x0000000002640000-0x0000000002646000-memory.dmp

Filesize
24KB

Download
memory/1180-0-0x0000000002640000-0x0000000002646000-memory.dmp

Filesize
24KB

Download
memory/1180-4-0x0000000002640000-0x0000000002646000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing