1e3dedc43019f6188bfe32d181b15a341067ea5bba96c6d9c8c32e7cd644b02c

General

Target

7c2e90eae04afb2cde1e195a9c4ac9ab.exe
Size

208KB
MD5

7c2e90eae04afb2cde1e195a9c4ac9ab
SHA1

d59484aef721b2fb5e3bdc70875079a556b97097
SHA256

1e3dedc43019f6188bfe32d181b15a341067ea5bba96c6d9c8c32e7cd644b02c
SHA512

59db9ed60409b69ef85c59c09ed60933fcb2d140317ff458f8f7888d2a646de35a4da7780ef8dee61f878496d214231c21849103208f5856848f8d1f57f6778a
SSDEEP

3072:2/SpUqrqYrpWzaMTp2Bb0cbe2cE7Wq7octKT/1XZD+xdcmH9ttBRAtRW0ccK:xUWpCHTps0+vcE7G9XZD+xdcmnqtguK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe
2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe
2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe
2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe
Token: SeDebugPrivilege	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1276	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	16
PID 2128 wrote to memory of 336	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	5
PID 2128 wrote to memory of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28
PID 2128 wrote to memory of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28
PID 2128 wrote to memory of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28
PID 2128 wrote to memory of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28
PID 2128 wrote to memory of 2804	2128	7c2e90eae04afb2cde1e195a9c4ac9ab.exe	28
PID 336 wrote to memory of 2604	336	csrss.exe	30
PID 336 wrote to memory of 2604	336	csrss.exe	30
PID 336 wrote to memory of 2748	336	csrss.exe	31
PID 336 wrote to memory of 2748	336	csrss.exe	31
PID 336 wrote to memory of 832	336	csrss.exe	11

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:832
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2604

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\7c2e90eae04afb2cde1e195a9c4ac9ab.exe
  "C:\Users\Admin\AppData\Local\Temp\7c2e90eae04afb2cde1e195a9c4ac9ab.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
4b3b5020da5ba389b9893f1287728a02

SHA1
d067fab9ff5185f511fb260415e30952917dc789

SHA256
4faf593c1c026beb59ca0d3162e260637a4f04d84e599da82c6fe314ec437373

SHA512
f34edd4a0bd267102c32e174056a3ac4196ee37415184c11457be0a7b5e7337b470194b7fa7b1e5f14caaef563c5abee1932cc84d222cfbd441a9337a18e0d12

Download Submit
memory/336-27-0x00000000008A0000-0x00000000008B1000-memory.dmp

Filesize
68KB

Download
memory/336-23-0x00000000008A0000-0x00000000008B1000-memory.dmp

Filesize
68KB

Download
memory/336-22-0x00000000008A0000-0x00000000008B1000-memory.dmp

Filesize
68KB

Download
memory/336-20-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/832-38-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/832-34-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/832-42-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/832-41-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/832-39-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/832-30-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/832-29-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/1276-6-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/1276-15-0x0000000002B50000-0x0000000002B52000-memory.dmp

Filesize
8KB

Download
memory/1276-14-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/1276-10-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/2128-5-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/2128-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2128-2-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/2128-1-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/2128-26-0x0000000030670000-0x00000000306BF000-memory.dmp

Filesize
316KB

Download
memory/2128-3-0x00000000002D0000-0x000000000031F000-memory.dmp

Filesize
316KB

Download
memory/2128-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing