85119c7398f8c0e4eba8eeb5e6faeeb2d5951dfb87e4d7bb3f68157acc31bb7f

General

Target

44dda79d57cab147763821a8b7538921.exe
Size

288KB
MD5

44dda79d57cab147763821a8b7538921
SHA1

f0b7aa5c86c0d422e08879c847964deb6b4e283d
SHA256

85119c7398f8c0e4eba8eeb5e6faeeb2d5951dfb87e4d7bb3f68157acc31bb7f
SHA512

5f26ad91ccb1f9d00c50df37ed2bbaa28ca4ed1924b88be15987ccc0cf052f6b58518491c3bec7c4074c128e483be4a1a7059f2404bce423329a297ffbfaf0b2
SSDEEP

6144:qd+kUXo2jyeq7EXtBqIE4+WnYAmpYesrsqbkhXyVvO7C1cwPh5HWAAr6LkQV6MHa:qTGo2jygX6B4+k33g5yw7CSoh52drOkj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\b72f5ba2\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3000 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

340 csrss.exe
2960 X
Loads dropped DLL 2 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exe

pid process

2788 44dda79d57cab147763821a8b7538921.exe
2788 44dda79d57cab147763821a8b7538921.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Suspicious use of SetThreadContext 1 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exe

description pid process target process

PID 2788 set thread context of 3000 2788 44dda79d57cab147763821a8b7538921.exe cmd.exe

pid	process
3000	cmd.exe

pid	process
340	csrss.exe
2960	X

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240

description	pid	process	target process
PID 2788 set thread context of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}	44dda79d57cab147763821a8b7538921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}\u = "71"	44dda79d57cab147763821a8b7538921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}\cid = "10562928529646350455"	44dda79d57cab147763821a8b7538921.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exeX

pid	process
2788	44dda79d57cab147763821a8b7538921.exe
2788	44dda79d57cab147763821a8b7538921.exe
2788	44dda79d57cab147763821a8b7538921.exe
2788	44dda79d57cab147763821a8b7538921.exe
2960	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exe

description pid process

Token: SeDebugPrivilege 2788 44dda79d57cab147763821a8b7538921.exe
Token: SeDebugPrivilege 2788 44dda79d57cab147763821a8b7538921.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2788	44dda79d57cab147763821a8b7538921.exe
Token: SeDebugPrivilege	2788	44dda79d57cab147763821a8b7538921.exe

pid	process
340	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

44dda79d57cab147763821a8b7538921.exeXcsrss.exe

description	pid	process	target process
PID 2788 wrote to memory of 1204	2788	44dda79d57cab147763821a8b7538921.exe	Explorer.EXE
PID 2788 wrote to memory of 340	2788	44dda79d57cab147763821a8b7538921.exe	csrss.exe
PID 2788 wrote to memory of 2960	2788	44dda79d57cab147763821a8b7538921.exe	X
PID 2788 wrote to memory of 2960	2788	44dda79d57cab147763821a8b7538921.exe	X
PID 2788 wrote to memory of 2960	2788	44dda79d57cab147763821a8b7538921.exe	X
PID 2788 wrote to memory of 2960	2788	44dda79d57cab147763821a8b7538921.exe	X
PID 2960 wrote to memory of 1204	2960	X	Explorer.EXE
PID 340 wrote to memory of 1848	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 1848	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 1616	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 1616	340	csrss.exe	wmiprvse.exe
PID 2788 wrote to memory of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe
PID 2788 wrote to memory of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe
PID 2788 wrote to memory of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe
PID 2788 wrote to memory of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe
PID 2788 wrote to memory of 3000	2788	44dda79d57cab147763821a8b7538921.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1204

C:\Users\Admin\AppData\Local\Temp\44dda79d57cab147763821a8b7538921.exe
"C:\Users\Admin\AppData\Local\Temp\44dda79d57cab147763821a8b7538921.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\b72f5ba2\X
*0*47*6d68f077*31.193.3.240:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:3000

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1848

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\b72f5ba2\X
Filesize
24KB

MD5
4a89b8b7ba30b1085d5ec6988d40e1db

SHA1
b4d67275afac013aa61cc7577e1ff692378594cf

SHA256
3502843aaefa011fc7cf4cea4ac7993c6864dc0853b2312c6cfff181d0d16dde

SHA512
684d2700b2b887b93e3a75341c444c7cef274770331385ba5419f1951a5255265958702bce12b8fac95b8a1051960505b13666a87bcba0f369ea0feca6157a25

Download Submit
C:\Windows\system32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\AppData\Local\b72f5ba2\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\Windows\System32\consrv.dll
Filesize
23KB

MD5
ffabd637885411f66b3679c9ad93a0bf

SHA1
31756186f07b764d11b9d1ca8d838ab44c03c6df

SHA256
206ff19f4def1d17ff2f0d95a2f33ef2bdac55fa2e97ba17c22c65996e6c4d81

SHA512
9103493083350c6f7ebb287e6c46ca569ca583c153baa1f9162bb145426464c0b53bc963fc3fa46c7e6ef5d937bbc14588740fd3afcc3bb7d8842ea46b579958

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
91f158dcdd546d5b923b0a7f803378ca

SHA1
8a3d6cd4948b3efb2e452eca3c80d2a28d5df2f2

SHA256
d8a4d882913fd21934fa971f82ac90a07eb1af92736a147baebd76607ace7f3e

SHA512
2d3bf3b8bbe0be8ae035b7e3c916aab4fd1bb8256b495389d7d98e287e87cdcf7688327bdee7db41c490888bb9c50cd806a4dab17b04ed6d083fe8769021f122

Download Submit
memory/340-17-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/340-20-0x00000000007B0000-0x00000000007BB000-memory.dmp

Filesize
44KB

Download
memory/340-21-0x00000000007B0000-0x00000000007BB000-memory.dmp

Filesize
44KB

Download
memory/1204-5-0x0000000002AB0000-0x0000000002AB2000-memory.dmp

Filesize
8KB

Download
memory/1204-3-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1204-37-0x0000000002AE0000-0x0000000002AEB000-memory.dmp

Filesize
44KB

Download
memory/1204-32-0x0000000002AE0000-0x0000000002AEB000-memory.dmp

Filesize
44KB

Download
memory/1204-28-0x0000000002AE0000-0x0000000002AEB000-memory.dmp

Filesize
44KB

Download
memory/1204-39-0x0000000002AF0000-0x0000000002AFB000-memory.dmp

Filesize
44KB

Download
memory/1204-36-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/1204-38-0x0000000002AF0000-0x0000000002AFB000-memory.dmp

Filesize
44KB

Download
memory/1204-8-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1204-12-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/2788-2-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/2788-40-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/2788-41-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/2788-43-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/2788-1-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads