33bd4d59ba1288db3680d2539ac5cff725741f7a075a9433a9312a7db931cc89

General

Target

0acdbf6b25a91c5f4893e400e65e0496.exe
Size

244KB
MD5

0acdbf6b25a91c5f4893e400e65e0496
SHA1

286543197ef5eab99694c4fdc9d809acb8ddfbf7
SHA256

33bd4d59ba1288db3680d2539ac5cff725741f7a075a9433a9312a7db931cc89
SHA512

588a08b822a87be0b5c4bf281113c29612f62447037df625d6a98620ad8cc3b2112566e31bf58b9807695b66d0d3e08a2534f5a5fc21ea23a2edb2183d25e23b
SSDEEP

3072:SH8cRYc70fvbtCiqTf0dYTaMd4fh6FDGeTWXXCwu6Jw7WmXSHAXgamyPDbM:SHTH0fv5dyDxYCwu6mH2AX1DM

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\9b7b7593\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
340	csrss.exe
2760	X

Loads dropped DLL 2 IoCs

pid	Process
1732	0acdbf6b25a91c5f4893e400e65e0496.exe
1732	0acdbf6b25a91c5f4893e400e65e0496.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}	0acdbf6b25a91c5f4893e400e65e0496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\u = "71"	0acdbf6b25a91c5f4893e400e65e0496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\cid = "4912105587930870270"	0acdbf6b25a91c5f4893e400e65e0496.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1732	0acdbf6b25a91c5f4893e400e65e0496.exe
1732	0acdbf6b25a91c5f4893e400e65e0496.exe
1732	0acdbf6b25a91c5f4893e400e65e0496.exe
1732	0acdbf6b25a91c5f4893e400e65e0496.exe
2760	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	0acdbf6b25a91c5f4893e400e65e0496.exe
Token: SeDebugPrivilege	1732	0acdbf6b25a91c5f4893e400e65e0496.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
340	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1096	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	10
PID 1732 wrote to memory of 340	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	26
PID 1732 wrote to memory of 2760	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	28
PID 1732 wrote to memory of 2760	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	28
PID 1732 wrote to memory of 2760	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	28
PID 1732 wrote to memory of 2760	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	28
PID 2760 wrote to memory of 1096	2760	X	10
PID 1732 wrote to memory of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29
PID 1732 wrote to memory of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29
PID 1732 wrote to memory of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29
PID 1732 wrote to memory of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29
PID 1732 wrote to memory of 2616	1732	0acdbf6b25a91c5f4893e400e65e0496.exe	29
PID 340 wrote to memory of 2656	340	csrss.exe	31
PID 340 wrote to memory of 2656	340	csrss.exe	31
PID 340 wrote to memory of 3044	340	csrss.exe	32
PID 340 wrote to memory of 3044	340	csrss.exe	32

C:\Users\Admin\AppData\Local\Temp\0acdbf6b25a91c5f4893e400e65e0496.exe
"C:\Users\Admin\AppData\Local\Temp\0acdbf6b25a91c5f4893e400e65e0496.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\9b7b7593\X
  *0*47*bbd4b1fe*69.64.52.10:53
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1096

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2656

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
69de74e27e6f361b6613a0507d81dae7

SHA1
796c02884f8ad9fcc50dda4c7edb247db63cce79

SHA256
9a99c1b6f2b5239506643dc10b6796996543c163fca9ca386377a624c9337b2e

SHA512
e7472bb6c7c292c0528b317e5fa5503c4e9d6e4f91a5be84264c41f02f9dca8ee5bc239053db1a10e2c51cc9f5c68d08154cd8d8d0fedbf593d7343d1e367f0b

Download Submit
memory/340-27-0x0000000000E40000-0x0000000000E4B000-memory.dmp

Filesize
44KB

Download
memory/340-42-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/340-18-0x0000000000E40000-0x0000000000E4B000-memory.dmp

Filesize
44KB

Download
memory/340-20-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/1096-39-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1096-12-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/1096-33-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1096-28-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/1096-38-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1096-11-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1096-29-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1096-37-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1096-7-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1096-3-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1732-40-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/1732-41-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1732-2-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1732-43-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/1732-1-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads