7b77ef5b296a0a3b1bec825ced9a82654af18632fdcd71ef661a10ed738518ec

Reason

Machine shutdown

General

Target

16689be3215ee390deda67e00a8cab59.exe
Size

16KB
MD5

16689be3215ee390deda67e00a8cab59
SHA1

2df0a5b98dcfaa0d0d9678ab0fcf8c026312c7f5
SHA256

7b77ef5b296a0a3b1bec825ced9a82654af18632fdcd71ef661a10ed738518ec
SHA512

1c3a8c4afbea41329fc6db0fd2f45ce1ecaee4164690b46f9f17fd64e6479fc60721e3082d65cb529abb2d4efdfb3b677b6575671bcb0373b7feba9fec06c241
SSDEEP

192:NinxVCvaadYvE5DjMFXkVzvaNqkoPzcNSPYMdp7z4VL9ZXgzm3BEmTi7KvJ/:wnxkinE5qkVziIkymSwzZwzNkiK/

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\csrss.exe	16689be3215ee390deda67e00a8cab59.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	16689be3215ee390deda67e00a8cab59.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	csrss.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/872-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2216-17-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4592-28-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3828-35-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3468-50-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/872-57-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4832-68-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1116-73-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1852-77-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4032-83-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4920-95-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3908-100-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3896-103-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1924-99-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1752-91-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1772-87-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1772-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3948-80-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4592-69-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2216-62-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3908-58-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2556-54-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/404-45-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1008-38-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3660-27-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x0006000000023200-22.dat	upx
behavioral2/files/0x00070000000231fc-21.dat	upx
behavioral2/memory/872-360-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4032-387-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4592-386-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2216-385-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3908-448-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system33.exe	16689be3215ee390deda67e00a8cab59.exe
File created	C:\Windows\SysWOW64\Mikrosoft.exe	16689be3215ee390deda67e00a8cab59.exe
File opened for modification	C:\Windows\SysWOW64\Mikrosoft.exe	16689be3215ee390deda67e00a8cab59.exe
File created	C:\Windows\SysWOW64\Pascal.exe	16689be3215ee390deda67e00a8cab59.exe
File opened for modification	C:\Windows\SysWOW64\Pascal.exe	16689be3215ee390deda67e00a8cab59.exe
File created	C:\Windows\SysWOW64\system33.exe	16689be3215ee390deda67e00a8cab59.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
872	16689be3215ee390deda67e00a8cab59.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2216	872	16689be3215ee390deda67e00a8cab59.exe	42
PID 872 wrote to memory of 2216	872	16689be3215ee390deda67e00a8cab59.exe	42
PID 872 wrote to memory of 2216	872	16689be3215ee390deda67e00a8cab59.exe	42

C:\Users\Admin\AppData\Local\Temp\16689be3215ee390deda67e00a8cab59.exe
"C:\Users\Admin\AppData\Local\Temp\16689be3215ee390deda67e00a8cab59.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\Pascal.exe
  C:\Windows\System32\Pascal.exe
  2⤵
  PID:4920
- C:\Windows\SysWOW64\Mikrosoft.exe
  C:\Windows\System32\Mikrosoft.exe
  2⤵
  PID:3896
- C:\Windows\SysWOW64\system33.exe
  C:\Windows\System32\system33.exe
  2⤵
  PID:1924
- C:\Windows\SysWOW64\drivers\csrss.exe
  C:\Windows\System32\drivers\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:2216

C:\Windows\SysWOW64\system33.exe
C:\Windows\System32\system33.exe
1⤵
PID:1116

C:\Windows\SysWOW64\Mikrosoft.exe
C:\Windows\System32\Mikrosoft.exe
1⤵
PID:1752

C:\Windows\SysWOW64\system33.exe
C:\Windows\System32\system33.exe
1⤵
PID:1772

C:\Windows\SysWOW64\Mikrosoft.exe
C:\Windows\System32\Mikrosoft.exe
1⤵
PID:3948

C:\Windows\SysWOW64\Mikrosoft.exe
C:\Windows\System32\Mikrosoft.exe
1⤵
PID:1852

C:\Windows\SysWOW64\Pascal.exe
C:\Windows\System32\Pascal.exe
1⤵
PID:4832

C:\Windows\SysWOW64\drivers\csrss.exe
C:\Windows\System32\drivers\csrss.exe
1⤵
PID:4896

C:\Windows\SysWOW64\Mikrosoft.exe
C:\Windows\System32\Mikrosoft.exe
1⤵
PID:3908
- C:\Windows\SysWOW64\shutdown.exe
  shutdown.exe -f -s -t 0
  2⤵
  PID:3776

C:\Windows\SysWOW64\system33.exe
C:\Windows\System32\system33.exe
1⤵
PID:2556

C:\Windows\SysWOW64\Pascal.exe
C:\Windows\System32\Pascal.exe
1⤵
PID:3468

C:\Windows\SysWOW64\drivers\csrss.exe
C:\Windows\System32\drivers\csrss.exe
1⤵
PID:404

C:\Windows\SysWOW64\system33.exe
C:\Windows\System32\system33.exe
1⤵
PID:4032

C:\Windows\SysWOW64\Pascal.exe
C:\Windows\System32\Pascal.exe
1⤵
PID:1008

C:\Windows\SysWOW64\drivers\csrss.exe
C:\Windows\System32\drivers\csrss.exe
1⤵
PID:3828

C:\Windows\SysWOW64\Pascal.exe
C:\Windows\System32\Pascal.exe
1⤵
PID:4592

C:\Windows\SysWOW64\drivers\csrss.exe
C:\Windows\System32\drivers\csrss.exe
1⤵
PID:3660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3956055 /state1:0x41c64e6d
1⤵
PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system33.exe

Filesize
16KB

MD5
16689be3215ee390deda67e00a8cab59

SHA1
2df0a5b98dcfaa0d0d9678ab0fcf8c026312c7f5

SHA256
7b77ef5b296a0a3b1bec825ced9a82654af18632fdcd71ef661a10ed738518ec

SHA512
1c3a8c4afbea41329fc6db0fd2f45ce1ecaee4164690b46f9f17fd64e6479fc60721e3082d65cb529abb2d4efdfb3b677b6575671bcb0373b7feba9fec06c241

Download Submit
memory/404-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/872-360-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/872-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/872-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1008-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1116-73-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1752-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1772-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1772-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1852-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-99-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2216-385-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2216-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2216-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2556-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3468-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3660-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3828-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3896-103-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3908-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3908-448-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3908-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3948-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4032-387-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4032-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4592-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4592-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4592-386-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4832-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4920-95-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors