c9113d59f62469218952967fb4b007199182241e4aa8fc593b8af7415a4c97db

General

Target

7648837c1662a2aa04dfe9445a38fe38.exe
Size

281KB
MD5

7648837c1662a2aa04dfe9445a38fe38
SHA1

57bf107c518134d20b482bd16d26e0d3e9237b3d
SHA256

c9113d59f62469218952967fb4b007199182241e4aa8fc593b8af7415a4c97db
SHA512

be0e340b7d44fc4b94c18c47acb479952675825734009ddee9447513fe1eceefc13216940aa992d1b6e2c63c1c856c7be5346a867c1dfd5e6fbbf12979d55914
SSDEEP

6144:cA6W7hZWRuuMrkNw2KQU1uJQIfvYmziFMm8LXoBmbOhFUI5Au:chW7r7rkieUUBfvChUXmmbqKt

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\2e1f5c24\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2628 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

336 csrss.exe
2360 X
Loads dropped DLL 2 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exe

pid process

628 7648837c1662a2aa04dfe9445a38fe38.exe
628 7648837c1662a2aa04dfe9445a38fe38.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Suspicious use of SetThreadContext 1 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exe

description pid process target process

PID 628 set thread context of 2628 628 7648837c1662a2aa04dfe9445a38fe38.exe cmd.exe

pid	process
2628	cmd.exe

pid	process
336	csrss.exe
2360	X

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240

description	pid	process	target process
PID 628 set thread context of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{af2ad639-2cd1-1453-3d7f-d39f46830ea4}	7648837c1662a2aa04dfe9445a38fe38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{af2ad639-2cd1-1453-3d7f-d39f46830ea4}\u = "71"	7648837c1662a2aa04dfe9445a38fe38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{af2ad639-2cd1-1453-3d7f-d39f46830ea4}\cid = "5421597234351480330"	7648837c1662a2aa04dfe9445a38fe38.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exeX

pid	process
628	7648837c1662a2aa04dfe9445a38fe38.exe
628	7648837c1662a2aa04dfe9445a38fe38.exe
628	7648837c1662a2aa04dfe9445a38fe38.exe
628	7648837c1662a2aa04dfe9445a38fe38.exe
2360	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exe

description pid process

Token: SeDebugPrivilege 628 7648837c1662a2aa04dfe9445a38fe38.exe
Token: SeDebugPrivilege 628 7648837c1662a2aa04dfe9445a38fe38.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

description	pid	process
Token: SeDebugPrivilege	628	7648837c1662a2aa04dfe9445a38fe38.exe
Token: SeDebugPrivilege	628	7648837c1662a2aa04dfe9445a38fe38.exe

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7648837c1662a2aa04dfe9445a38fe38.exeXcsrss.exe

description	pid	process	target process
PID 628 wrote to memory of 1384	628	7648837c1662a2aa04dfe9445a38fe38.exe	Explorer.EXE
PID 628 wrote to memory of 336	628	7648837c1662a2aa04dfe9445a38fe38.exe	csrss.exe
PID 628 wrote to memory of 2360	628	7648837c1662a2aa04dfe9445a38fe38.exe	X
PID 628 wrote to memory of 2360	628	7648837c1662a2aa04dfe9445a38fe38.exe	X
PID 628 wrote to memory of 2360	628	7648837c1662a2aa04dfe9445a38fe38.exe	X
PID 628 wrote to memory of 2360	628	7648837c1662a2aa04dfe9445a38fe38.exe	X
PID 2360 wrote to memory of 1384	2360	X	Explorer.EXE
PID 628 wrote to memory of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe
PID 628 wrote to memory of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe
PID 628 wrote to memory of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe
PID 628 wrote to memory of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe
PID 628 wrote to memory of 2628	628	7648837c1662a2aa04dfe9445a38fe38.exe	cmd.exe
PID 336 wrote to memory of 2052	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 2052	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 1900	336	csrss.exe	wmiprvse.exe
PID 336 wrote to memory of 1900	336	csrss.exe	wmiprvse.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1384

C:\Users\Admin\AppData\Local\Temp\7648837c1662a2aa04dfe9445a38fe38.exe
"C:\Users\Admin\AppData\Local\Temp\7648837c1662a2aa04dfe9445a38fe38.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\2e1f5c24\X
*0*47*b4c29e0a*31.193.3.240:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:2628

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2052

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\AppData\Local\2e1f5c24\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
ab8d0a8500b4bfd752bdce6609598190

SHA1
f9da55847329fc81fef3b96b62f4d248adafec4e

SHA256
82f022c322768f543e64450982e8e46eb43eec51265f8c6c2bda3e0ab71f25bc

SHA512
91cb5d67385071bd9a308aba45450e46138a80d686d8695923aaab3b124e37440c74e30f63f7a2ffe8189aa2e2f7eb825e351992342de53704f3e9efe00bb9f4

Download Submit
memory/336-20-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/336-42-0x0000000002E50000-0x0000000002E52000-memory.dmp

Filesize
8KB

Download
memory/336-19-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/628-1-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/628-43-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/628-2-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/628-41-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/628-40-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/628-39-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/1384-3-0x0000000002E60000-0x0000000002E66000-memory.dmp

Filesize
24KB

Download
memory/1384-27-0x0000000002E80000-0x0000000002E8B000-memory.dmp

Filesize
44KB

Download
memory/1384-31-0x0000000002E80000-0x0000000002E8B000-memory.dmp

Filesize
44KB

Download
memory/1384-35-0x0000000002E80000-0x0000000002E8B000-memory.dmp

Filesize
44KB

Download
memory/1384-36-0x0000000002E90000-0x0000000002E9B000-memory.dmp

Filesize
44KB

Download
memory/1384-37-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/1384-38-0x0000000002E90000-0x0000000002E9B000-memory.dmp

Filesize
44KB

Download
memory/1384-4-0x0000000002E50000-0x0000000002E52000-memory.dmp

Filesize
8KB

Download
memory/1384-8-0x0000000002E60000-0x0000000002E66000-memory.dmp

Filesize
24KB

Download
memory/1384-44-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/1384-12-0x0000000002E60000-0x0000000002E66000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads