8ac6cf99d887f1673b90524d8c321c0f063a91d983fb7d836c03965d6b684bbd

General

Target

037ab996f6ed7a21342e924203149dd5.exe
Size

5KB
MD5

037ab996f6ed7a21342e924203149dd5
SHA1

5b5f88b75db62669b8a33f927ab3d7dcfa0442e2
SHA256

8ac6cf99d887f1673b90524d8c321c0f063a91d983fb7d836c03965d6b684bbd
SHA512

ef100cf99d68d545d4e8201c82a09dc98e3e76e02c5231cc633ed9f509238fa40a7e9659df9301757eca31711037dd7c334131320464d8d3045b7f8af67b8894
SSDEEP

96:OAXXiKfxXmLrYmntjB4K9hre8Q27MZ65lADnmaeuCnqzOU6d9ltB:lXiKfxoYmD4KXekMZmonmaeuAq3qLtB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1892	dskernel.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dskernel.exe	037ab996f6ed7a21342e924203149dd5.exe
File opened for modification	C:\Windows\SysWOW64\dskernel.exe	037ab996f6ed7a21342e924203149dd5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dskernel.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}\WpadDecisionReason = "1"	dskernel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}\WpadNetworkName = "Network 3"	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-f5-d2-88-32-e1	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}\3e-f5-d2-88-32-e1	dskernel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dskernel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dskernel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}\WpadDecisionTime = 10bc17963137da01	dskernel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-f5-d2-88-32-e1\WpadDecisionTime = 10bc17963137da01	dskernel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dskernel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{044613D5-10BF-4F8D-98AB-DB0D761CD3A7}\WpadDecision = "0"	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dskernel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dskernel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-f5-d2-88-32-e1\WpadDecisionReason = "1"	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-f5-d2-88-32-e1\WpadDecision = "0"	dskernel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dskernel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dskernel.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2484	037ab996f6ed7a21342e924203149dd5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2768	2484	037ab996f6ed7a21342e924203149dd5.exe	29
PID 2484 wrote to memory of 2768	2484	037ab996f6ed7a21342e924203149dd5.exe	29
PID 2484 wrote to memory of 2768	2484	037ab996f6ed7a21342e924203149dd5.exe	29
PID 2484 wrote to memory of 2768	2484	037ab996f6ed7a21342e924203149dd5.exe	29

C:\Users\Admin\AppData\Local\Temp\037ab996f6ed7a21342e924203149dd5.exe
"C:\Users\Admin\AppData\Local\Temp\037ab996f6ed7a21342e924203149dd5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\037AB9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

C:\Windows\SysWOW64\dskernel.exe
C:\Windows\SysWOW64\dskernel.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dskernel.exe

Filesize
5KB

MD5
037ab996f6ed7a21342e924203149dd5

SHA1
5b5f88b75db62669b8a33f927ab3d7dcfa0442e2

SHA256
8ac6cf99d887f1673b90524d8c321c0f063a91d983fb7d836c03965d6b684bbd

SHA512
ef100cf99d68d545d4e8201c82a09dc98e3e76e02c5231cc633ed9f509238fa40a7e9659df9301757eca31711037dd7c334131320464d8d3045b7f8af67b8894

Download Submit
memory/1892-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2484-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing