f8091ec5985c8a58cb609fdbc0fe1c0ec9d4bcc73f8137a61caf83d6cb48df41

General

Target

77a92a15717ce031a8f42228be680f77.exe
Size

218KB
MD5

77a92a15717ce031a8f42228be680f77
SHA1

8de26f2a0903854480927c31c6795c91672ece9e
SHA256

f8091ec5985c8a58cb609fdbc0fe1c0ec9d4bcc73f8137a61caf83d6cb48df41
SHA512

d92229d88b4de33df6ff5b81cc72780c2cfa428c60fd84cc48d998ad218dc461183cc92c8658c1ef8f7c43dc1d01c9b94b533552aa61925053a8150a1702d4c1
SSDEEP

6144:54Q9Smi4EaT+v9KvGqlOlziStHzeiPkAhdF:5tm4Eaqv9rqlApVh3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
340	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1284	77a92a15717ce031a8f42228be680f77.exe
1284	77a92a15717ce031a8f42228be680f77.exe
1284	77a92a15717ce031a8f42228be680f77.exe
1284	77a92a15717ce031a8f42228be680f77.exe
340	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	77a92a15717ce031a8f42228be680f77.exe
Token: SeDebugPrivilege	1284	77a92a15717ce031a8f42228be680f77.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
340	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1372	1284	77a92a15717ce031a8f42228be680f77.exe	12
PID 1284 wrote to memory of 340	1284	77a92a15717ce031a8f42228be680f77.exe	25
PID 340 wrote to memory of 2780	340	csrss.exe	28
PID 340 wrote to memory of 2780	340	csrss.exe	28
PID 340 wrote to memory of 2608	340	csrss.exe	29
PID 340 wrote to memory of 2608	340	csrss.exe	29
PID 1284 wrote to memory of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30
PID 1284 wrote to memory of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30
PID 1284 wrote to memory of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30
PID 1284 wrote to memory of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30
PID 1284 wrote to memory of 2124	1284	77a92a15717ce031a8f42228be680f77.exe	30
PID 340 wrote to memory of 844	340	csrss.exe	19

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\77a92a15717ce031a8f42228be680f77.exe
  "C:\Users\Admin\AppData\Local\Temp\77a92a15717ce031a8f42228be680f77.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:844
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2780

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
a62bc117fc429980b908247ca9a42be6

SHA1
7ae463b3ab5a08c9ae6d85f9f3564ea9acf435c6

SHA256
46f8b252591f25df9d9fee310a8477208c1aeffbcf9087c9d00b0ce06885caea

SHA512
18ad72038fa59079a66b4a08938fe36f1c5ae45f067ae0924488df308123ee66b7a46dec4a06ebf01b291d7975826cbf1c43b455a278f5143cf2da8fdf37890a

Download Submit
memory/340-30-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/340-28-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download
memory/340-23-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/340-21-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/340-22-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download
memory/844-37-0x00000000007C0000-0x00000000007CB000-memory.dmp

Filesize
44KB

Download
memory/844-41-0x00000000007C0000-0x00000000007CB000-memory.dmp

Filesize
44KB

Download
memory/844-45-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/844-43-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/844-32-0x00000000007C0000-0x00000000007CB000-memory.dmp

Filesize
44KB

Download
memory/844-35-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/1284-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-3-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/1284-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1284-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1284-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-14-0x0000000003DC0000-0x0000000003DC6000-memory.dmp

Filesize
24KB

Download
memory/1372-10-0x0000000003DC0000-0x0000000003DC6000-memory.dmp

Filesize
24KB

Download
memory/1372-6-0x0000000003DC0000-0x0000000003DC6000-memory.dmp

Filesize
24KB

Download
memory/1372-15-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing