3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac

General

Target

3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
Size

913KB
MD5

42b16240015658fba13097e399a64ee7
SHA1

69860a526a3e385c02530b747a98daa4a34961d9
SHA256

3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac
SHA512

d7443e63d0ce6383d533a96178dbd1798e7da2322e08c4c5e00af42003b120266c60e8b00d222f4dcd79cf80cefe6a086e383ef566aaee57ca4dd5fdd02a4f95
SSDEEP

24576:AEqr4MROxnF25bHKTlQlrZlI0AilFEvxHidlN:AEjMiwlrZlI0AilFEvxHid

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
File opened for modification	C:\Windows\assembly	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3952	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3952	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1232	3952	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe	93
PID 3952 wrote to memory of 1232	3952	3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe	93
PID 1232 wrote to memory of 1140	1232	csc.exe	94
PID 1232 wrote to memory of 1140	1232	csc.exe	94

C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7yg1tqru.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFC42.tmp"
    3⤵
    PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7yg1tqru.dll

Filesize
76KB

MD5
1e7af68aa0ab176a0962074eb83259b2

SHA1
7bf984ff0856ecd4ce7e905a964580ece2dc700b

SHA256
1f510f3d02fe467785e8c12c4786b9e62a1079194da2de558bef11e2e070ab03

SHA512
7ca8b4f3e0c7c53d488aab5cb42e88fa92c98f07c2c10f9849853cd5322f1fcf402a13283ddd8752486127a6526e10a67b1d531f64ef7f03f7e03e4213970386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC43.tmp

Filesize
1KB

MD5
b574f85dafe903e030eb76e13360edd5

SHA1
cccf987b6ed36fd33650f80aff9bcdd1a4c7b0a8

SHA256
7ffd8fb6bce005914bf3218c4543706ec6e325935c028f1b39b1f73deebb24c2

SHA512
a0a69c382acbe95997ffab887a31b82cff4e676ef8cc5b56b7e68d1da034d6c3b3515b64d4f1579626dc3a6e6277f3dec21a66d25ef0678b8435ba5f3847c837

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7yg1tqru.0.cs

Filesize
208KB

MD5
dea383b3c8a377d743512736f9f4b9d1

SHA1
c6df4eb9698e8fa0173f1226459b2efb56928d13

SHA256
4f262123b5433f5389f86282c41c5932ef897dffdbb033616954bee77aeae03a

SHA512
43166c19d2fdf29cc2656289f6835224c085d570d119a5359002bb924edac25a2957e68a236da0fdb09dd3917d4c57dbbb040b2cd07b3dc848fb3fde95c8fbc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7yg1tqru.cmdline

Filesize
349B

MD5
bc12ecd53fc0136bd27eeccfd2209480

SHA1
54b0dae07ea7e500ac21e093aa69bde802497c1c

SHA256
827ce107c126e8c10348c01bce7c3d36bfdb27ed8587a977c4d9aca2ebf3f424

SHA512
ce759e1390b666cfb0a0749ee15da6bddf6a8fc257e8d5e2c19197eed3f22cf52973a092adcc8caa865df68a99ae3be2d20feb4d9f115ad7f8391cf82a084637

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFC42.tmp

Filesize
676B

MD5
6bde3e6306b0fa8c9f81789346d09f67

SHA1
7bc81e285b22339d118826931e26b0fce2acedfe

SHA256
30a3425948788875e33f1cf5297c6810d53a5e471d06e4e51905e15e229e6cbb

SHA512
e003864524182d14724558dd34d49e19190c82ffcfab3e3a711af123bf502634d63875a762047cdedcc0f0b33d9fa5d6a853c14bd9d9700ab13196e9352b6152

Download Submit
memory/1232-14-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/3952-27-0x000000001CB00000-0x000000001CB62000-memory.dmp

Filesize
392KB

Download
memory/3952-30-0x000000001CC60000-0x000000001CC7E000-memory.dmp

Filesize
120KB

Download
memory/3952-7-0x000000001BAF0000-0x000000001BFBE000-memory.dmp

Filesize
4.8MB

Download
memory/3952-6-0x000000001B500000-0x000000001B50E000-memory.dmp

Filesize
56KB

Download
memory/3952-22-0x000000001C710000-0x000000001C726000-memory.dmp

Filesize
88KB

Download
memory/3952-3-0x000000001B410000-0x000000001B46C000-memory.dmp

Filesize
368KB

Download
memory/3952-2-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/3952-1-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

Filesize
9.6MB

Download
memory/3952-24-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/3952-26-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/3952-0-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

Filesize
9.6MB

Download
memory/3952-25-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/3952-28-0x000000001D460000-0x000000001DA1A000-memory.dmp

Filesize
5.7MB

Download
memory/3952-8-0x000000001C060000-0x000000001C0FC000-memory.dmp

Filesize
624KB

Download
memory/3952-29-0x000000001DA20000-0x000000001DB10000-memory.dmp

Filesize
960KB

Download
memory/3952-31-0x000000001DB20000-0x000000001DB69000-memory.dmp

Filesize
292KB

Download
memory/3952-32-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/3952-33-0x000000001DC00000-0x000000001DC70000-memory.dmp

Filesize
448KB

Download
memory/3952-34-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/3952-36-0x000000001DEB0000-0x000000001DEC8000-memory.dmp

Filesize
96KB

Download
memory/3952-37-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/3952-38-0x000000001CC90000-0x000000001CC98000-memory.dmp

Filesize
32KB

Download
memory/3952-39-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

Filesize
9.6MB

Download
memory/3952-40-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

Filesize
9.6MB

Download
memory/3952-41-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/3952-42-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing