25d5313f483954f2b8c3255eaa63e8c5972a6064aa6d06ca49e19b0133d2bdc7

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06265e97aac3790b69e1d955019b904a.exe
Size

146KB
MD5

06265e97aac3790b69e1d955019b904a
SHA1

6303504ea67878efba3a5fbefe5462abcedb862c
SHA256

25d5313f483954f2b8c3255eaa63e8c5972a6064aa6d06ca49e19b0133d2bdc7
SHA512

bf8041b38082b98b7e3193e4bd369837abc536c61d8e32037c7eb6659eb2aee35ea2a8ed912e5cdf0986533a12a57f477970730b7b83eed90d7bc7fa70139724
SSDEEP

3072:XTutRluFz+AH3QKOjO2TQ7EJBz5OwnRoaXx7OuHZIuH1q7pSPNSycm:0RluFz+AXQ7jOcQ7yDLiQx7OuHZRqM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2208	06265e97aac3790b69e1d955019b904a.exe
2208	06265e97aac3790b69e1d955019b904a.exe
2208	06265e97aac3790b69e1d955019b904a.exe
2208	06265e97aac3790b69e1d955019b904a.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	06265e97aac3790b69e1d955019b904a.exe
Token: SeDebugPrivilege	2208	06265e97aac3790b69e1d955019b904a.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1196	2208	06265e97aac3790b69e1d955019b904a.exe	21
PID 2208 wrote to memory of 336	2208	06265e97aac3790b69e1d955019b904a.exe	6
PID 336 wrote to memory of 2920	336	csrss.exe	28
PID 336 wrote to memory of 2920	336	csrss.exe	28
PID 336 wrote to memory of 2592	336	csrss.exe	29
PID 336 wrote to memory of 2592	336	csrss.exe	29
PID 2208 wrote to memory of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30
PID 2208 wrote to memory of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30
PID 2208 wrote to memory of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30
PID 2208 wrote to memory of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30
PID 2208 wrote to memory of 2624	2208	06265e97aac3790b69e1d955019b904a.exe	30
PID 336 wrote to memory of 836	336	csrss.exe	17

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2920

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196
- C:\Users\Admin\AppData\Local\Temp\06265e97aac3790b69e1d955019b904a.exe
  "C:\Users\Admin\AppData\Local\Temp\06265e97aac3790b69e1d955019b904a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2624

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
a5a71c95558a3c81f437e491a72353e6

SHA1
aba2176091830697fc3730a83c767288d3480de3

SHA256
3d4ac9c17e6d644cab46122a646d2ee429ce6ea24e24c890eb500d40a30b77a2

SHA512
a33d15fbe541658bc6b58eb6a28909867ffcc93ee108a169a85666719e8887ca5bad69a6ac42f2ed1d33fb2f403c531e7c281bbe028fe938bd7e2afd40ebe786

Download Submit
memory/336-20-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/336-21-0x0000000000AB0000-0x0000000000AC1000-memory.dmp

Filesize
68KB

Download
memory/336-22-0x0000000000AB0000-0x0000000000AC1000-memory.dmp

Filesize
68KB

Download
memory/336-14-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/336-16-0x0000000000AB0000-0x0000000000AC1000-memory.dmp

Filesize
68KB

Download
memory/336-17-0x0000000000AB0000-0x0000000000AC1000-memory.dmp

Filesize
68KB

Download
memory/836-24-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/836-25-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/836-29-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/836-33-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/836-34-0x0000000000850000-0x000000000085B000-memory.dmp

Filesize
44KB

Download
memory/836-41-0x0000000000850000-0x000000000085B000-memory.dmp

Filesize
44KB

Download
memory/1196-0-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/1196-9-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/1196-5-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/1196-2-0x0000000002B00000-0x0000000002B02000-memory.dmp

Filesize
8KB

Download