7f4a3ea921540e70fabd10ad63e1bc317b0dd6e003b00344ff67972483b9e999

General

Target

716d9c46a3a896ff776132ad7b46c3fb.exe
Size

222KB
MD5

716d9c46a3a896ff776132ad7b46c3fb
SHA1

40d6de046d157aff1ed24a4b2a854560eb4aaec5
SHA256

7f4a3ea921540e70fabd10ad63e1bc317b0dd6e003b00344ff67972483b9e999
SHA512

659851eaa0cdf33b1e1b6781c37311969fe3dd081c5b6ea6bf367b6e558138bfbbf7aabe89a1ec2a73b532abb3a81828f2dd84e396cb718ebc81a5a4ae700f05
SSDEEP

6144:dNQqTVl2aZXdbolhwRbgNTrpOE3qUSU32LYTIzqGFkz:dGqTVl2edolK4P3quOYTIqGWz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2796 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

csrss.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe
File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

716d9c46a3a896ff776132ad7b46c3fb.exe

description pid process target process

PID 2152 set thread context of 2796 2152 716d9c46a3a896ff776132ad7b46c3fb.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

716d9c46a3a896ff776132ad7b46c3fb.execsrss.exe

pid process

2152 716d9c46a3a896ff776132ad7b46c3fb.exe
2152 716d9c46a3a896ff776132ad7b46c3fb.exe
2152 716d9c46a3a896ff776132ad7b46c3fb.exe
336 csrss.exe

pid	process
2796	cmd.exe

pid	process
336	csrss.exe

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

description	pid	process	target process
PID 2152 set thread context of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe

pid	process
2152	716d9c46a3a896ff776132ad7b46c3fb.exe
2152	716d9c46a3a896ff776132ad7b46c3fb.exe
2152	716d9c46a3a896ff776132ad7b46c3fb.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

716d9c46a3a896ff776132ad7b46c3fb.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2152	716d9c46a3a896ff776132ad7b46c3fb.exe
Token: SeDebugPrivilege	2152	716d9c46a3a896ff776132ad7b46c3fb.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

716d9c46a3a896ff776132ad7b46c3fb.execsrss.exe

description	pid	process	target process
PID 2152 wrote to memory of 336	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	csrss.exe
PID 2152 wrote to memory of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe
PID 2152 wrote to memory of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe
PID 2152 wrote to memory of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe
PID 2152 wrote to memory of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe
PID 2152 wrote to memory of 2796	2152	716d9c46a3a896ff776132ad7b46c3fb.exe	cmd.exe
PID 336 wrote to memory of 3000	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 3000	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 1976	336	csrss.exe	wmiprvse.exe
PID 336 wrote to memory of 1976	336	csrss.exe	wmiprvse.exe
PID 336 wrote to memory of 844	336	csrss.exe	svchost.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\716d9c46a3a896ff776132ad7b46c3fb.exe
"C:\Users\Admin\AppData\Local\Temp\716d9c46a3a896ff776132ad7b46c3fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
PID:2796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@
Filesize
2KB

MD5
918c0aa33dfa7671cf58d13ed20ba2b6

SHA1
ef9d95dc1cd435e48ed100976ab55bb50f7d1f33

SHA256
3a1a1622b3f050f67876e00fb7d5c625434087dd99b996c984443b21b0416125

SHA512
01143b604e7aa5f472f258224a9f37b7184ad92087de8f23ac7a304ae435ff74ca4c2abc4b58d628a5ee8af212be0ff737c5c5349469400113083dea0e6ad848

Download Submit
memory/336-41-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/336-31-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/336-33-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/336-34-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/336-40-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/844-43-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/844-51-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/844-47-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/844-52-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/844-53-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/844-55-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/844-61-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/844-62-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/2152-16-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-39-0x00000000004E0000-0x0000000000526000-memory.dmp

Filesize
280KB

Download
memory/2152-25-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-24-0x00000000004E5000-0x00000000004E6000-memory.dmp

Filesize
4KB

Download
memory/2152-30-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-21-0x00000000004E0000-0x0000000000526000-memory.dmp

Filesize
280KB

Download
memory/2152-20-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-19-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-18-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-38-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-23-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-17-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-15-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-11-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-7-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2152-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-5-0x0000000000234000-0x0000000000235000-memory.dmp

Filesize
4KB

Download
memory/2152-4-0x0000000000230000-0x0000000000294000-memory.dmp

Filesize
400KB

Download
memory/2152-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing