35efd6e55c007cb23d1dbdad8739fc2168b5b922f54b2dadbc413e5eb31decc5

General

Target

744695826257863c7567c820c4c6e8c0.exe
Size

281KB
MD5

744695826257863c7567c820c4c6e8c0
SHA1

1ed6df7ec410eb9035049e341fbcedb7d60928b9
SHA256

35efd6e55c007cb23d1dbdad8739fc2168b5b922f54b2dadbc413e5eb31decc5
SHA512

3dd3fdab83d147023122bb887f4065c182dd7d338fa6dba17932b54d24a4d68cd6289f6d365e1fbfb8940e3658bef2b050a8207c9afd2447e571d7a6759985ac
SSDEEP

6144:cA6W7hZWRquMrkNw2KQU1uJQIfvYmziFMm8LXoBmbOhFUI5Au:chW7r3rkieUUBfvChUXmmbqKt

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\efb26d8c\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2616 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

340 csrss.exe
2828 X
Loads dropped DLL 2 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exe

pid process

1812 744695826257863c7567c820c4c6e8c0.exe
1812 744695826257863c7567c820c4c6e8c0.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Suspicious use of SetThreadContext 1 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exe

description pid process target process

PID 1812 set thread context of 2616 1812 744695826257863c7567c820c4c6e8c0.exe cmd.exe

pid	process
2616	cmd.exe

pid	process
340	csrss.exe
2828	X

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240

description	pid	process	target process
PID 1812 set thread context of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{608520b7-739c-b2d0-52f0-b848cb1c2d9c}	744695826257863c7567c820c4c6e8c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{608520b7-739c-b2d0-52f0-b848cb1c2d9c}\u = "203"	744695826257863c7567c820c4c6e8c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{608520b7-739c-b2d0-52f0-b848cb1c2d9c}\cid = "10915495076268629775"	744695826257863c7567c820c4c6e8c0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exeX

pid	process
1812	744695826257863c7567c820c4c6e8c0.exe
1812	744695826257863c7567c820c4c6e8c0.exe
1812	744695826257863c7567c820c4c6e8c0.exe
1812	744695826257863c7567c820c4c6e8c0.exe
2828	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exe

description pid process

Token: SeDebugPrivilege 1812 744695826257863c7567c820c4c6e8c0.exe
Token: SeDebugPrivilege 1812 744695826257863c7567c820c4c6e8c0.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe

description	pid	process
Token: SeDebugPrivilege	1812	744695826257863c7567c820c4c6e8c0.exe
Token: SeDebugPrivilege	1812	744695826257863c7567c820c4c6e8c0.exe

pid	process
340	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

744695826257863c7567c820c4c6e8c0.exeXcsrss.exe

description	pid	process	target process
PID 1812 wrote to memory of 1264	1812	744695826257863c7567c820c4c6e8c0.exe	Explorer.EXE
PID 1812 wrote to memory of 340	1812	744695826257863c7567c820c4c6e8c0.exe	csrss.exe
PID 1812 wrote to memory of 2828	1812	744695826257863c7567c820c4c6e8c0.exe	X
PID 1812 wrote to memory of 2828	1812	744695826257863c7567c820c4c6e8c0.exe	X
PID 1812 wrote to memory of 2828	1812	744695826257863c7567c820c4c6e8c0.exe	X
PID 1812 wrote to memory of 2828	1812	744695826257863c7567c820c4c6e8c0.exe	X
PID 2828 wrote to memory of 1264	2828	X	Explorer.EXE
PID 1812 wrote to memory of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	744695826257863c7567c820c4c6e8c0.exe	cmd.exe
PID 340 wrote to memory of 1888	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 1888	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 2996	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 2996	340	csrss.exe	wmiprvse.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1264

C:\Users\Admin\AppData\Local\Temp\744695826257863c7567c820c4c6e8c0.exe
"C:\Users\Admin\AppData\Local\Temp\744695826257863c7567c820c4c6e8c0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\efb26d8c\X
*0*cb*68845f0f*31.193.3.240:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:2616

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1888

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\AppData\Local\efb26d8c\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
ab8d0a8500b4bfd752bdce6609598190

SHA1
f9da55847329fc81fef3b96b62f4d248adafec4e

SHA256
82f022c322768f543e64450982e8e46eb43eec51265f8c6c2bda3e0ab71f25bc

SHA512
91cb5d67385071bd9a308aba45450e46138a80d686d8695923aaab3b124e37440c74e30f63f7a2ffe8189aa2e2f7eb825e351992342de53704f3e9efe00bb9f4

Download Submit
memory/340-16-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/340-21-0x0000000000A70000-0x0000000000A7B000-memory.dmp

Filesize
44KB

Download
memory/340-20-0x0000000000A70000-0x0000000000A7B000-memory.dmp

Filesize
44KB

Download
memory/1264-12-0x0000000002A30000-0x0000000002A32000-memory.dmp

Filesize
8KB

Download
memory/1264-33-0x0000000002C50000-0x0000000002C5B000-memory.dmp

Filesize
44KB

Download
memory/1264-3-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1264-7-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1264-11-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1264-28-0x0000000002C50000-0x0000000002C5B000-memory.dmp

Filesize
44KB

Download
memory/1264-29-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/1264-43-0x0000000002C60000-0x0000000002C6B000-memory.dmp

Filesize
44KB

Download
memory/1264-37-0x0000000002C50000-0x0000000002C5B000-memory.dmp

Filesize
44KB

Download
memory/1264-38-0x0000000002C60000-0x0000000002C6B000-memory.dmp

Filesize
44KB

Download
memory/1812-39-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/1812-40-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1812-42-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/1812-1-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/1812-2-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads