263f626328b872985dd8839942eed9401dec0db6196052bff5c30286d2dd5d99

General

Target

95a34321e790feaa5eb52be7407a6b78.exe
Size

245KB
MD5

95a34321e790feaa5eb52be7407a6b78
SHA1

17ab8f6c2952544475fd3d3907b083fe950e3694
SHA256

263f626328b872985dd8839942eed9401dec0db6196052bff5c30286d2dd5d99
SHA512

7b469d892d481924302be8c9e66771bfe5db89e4ee168de49a7ee26133c97b432abb1c17d7b4262307a6dfaa3f862562267fa448c92b557982e1db8ddaa0287e
SSDEEP

6144:UA4nSSpKnK7b+1Czdh3/0VZ494C78ELJfdjy:D4nBoKvDzz8VvgJF1jy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\a98ee895\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1264 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

340 csrss.exe
2716 X
Loads dropped DLL 2 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exe

pid process

2364 95a34321e790feaa5eb52be7407a6b78.exe
2364 95a34321e790feaa5eb52be7407a6b78.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Suspicious use of SetThreadContext 1 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exe

description pid process target process

PID 2364 set thread context of 1264 2364 95a34321e790feaa5eb52be7407a6b78.exe cmd.exe

pid	process
1264	cmd.exe

pid	process
340	csrss.exe
2716	X

description	ioc
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10

description	pid	process	target process
PID 2364 set thread context of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{bfa737fc-a273-1bb3-d4a0-adf310963e7d}\u = "71"	95a34321e790feaa5eb52be7407a6b78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{bfa737fc-a273-1bb3-d4a0-adf310963e7d}\cid = "16250284583432184900"	95a34321e790feaa5eb52be7407a6b78.exe
Key created	\registry\machine\Software\Classes\Interface\{bfa737fc-a273-1bb3-d4a0-adf310963e7d}	95a34321e790feaa5eb52be7407a6b78.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exeX

pid	process
2364	95a34321e790feaa5eb52be7407a6b78.exe
2364	95a34321e790feaa5eb52be7407a6b78.exe
2364	95a34321e790feaa5eb52be7407a6b78.exe
2364	95a34321e790feaa5eb52be7407a6b78.exe
2716	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exe

description pid process

Token: SeDebugPrivilege 2364 95a34321e790feaa5eb52be7407a6b78.exe
Token: SeDebugPrivilege 2364 95a34321e790feaa5eb52be7407a6b78.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2364	95a34321e790feaa5eb52be7407a6b78.exe
Token: SeDebugPrivilege	2364	95a34321e790feaa5eb52be7407a6b78.exe

pid	process
340	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

95a34321e790feaa5eb52be7407a6b78.exeXcsrss.exe

description	pid	process	target process
PID 2364 wrote to memory of 1076	2364	95a34321e790feaa5eb52be7407a6b78.exe	Explorer.EXE
PID 2364 wrote to memory of 340	2364	95a34321e790feaa5eb52be7407a6b78.exe	csrss.exe
PID 2364 wrote to memory of 2716	2364	95a34321e790feaa5eb52be7407a6b78.exe	X
PID 2364 wrote to memory of 2716	2364	95a34321e790feaa5eb52be7407a6b78.exe	X
PID 2364 wrote to memory of 2716	2364	95a34321e790feaa5eb52be7407a6b78.exe	X
PID 2364 wrote to memory of 2716	2364	95a34321e790feaa5eb52be7407a6b78.exe	X
PID 2716 wrote to memory of 1076	2716	X	Explorer.EXE
PID 2364 wrote to memory of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe
PID 2364 wrote to memory of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe
PID 2364 wrote to memory of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe
PID 2364 wrote to memory of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe
PID 2364 wrote to memory of 1264	2364	95a34321e790feaa5eb52be7407a6b78.exe	cmd.exe
PID 340 wrote to memory of 1364	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 1364	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 2848	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 2848	340	csrss.exe	wmiprvse.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1076

C:\Users\Admin\AppData\Local\Temp\95a34321e790feaa5eb52be7407a6b78.exe
"C:\Users\Admin\AppData\Local\Temp\95a34321e790feaa5eb52be7407a6b78.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\a98ee895\X
*0*47*1e7b6444*69.64.52.10:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1264

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\AppData\Local\a98ee895\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
464d18ab742fe3d4f5ae8a286bc809e7

SHA1
925a55fd5b9e3193e7af0ef8a8214f3234791e94

SHA256
6fd70944a098657c506411fe1551d030e8ffce14fb224b7b22dc6d7004db0fab

SHA512
005572640a9f2bbca14d85681c642f3853df4f6ad929f2c50a1f777fa8a77b8be2dd9f0cc6c770e911387ce82d3d1199075e3fabee1033c13e35539f6b08e3c0

Download Submit
memory/340-41-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

Filesize
8KB

Download
memory/340-20-0x0000000000E80000-0x0000000000E8B000-memory.dmp

Filesize
44KB

Download
memory/340-18-0x0000000000E80000-0x0000000000E8B000-memory.dmp

Filesize
44KB

Download
memory/1076-27-0x0000000002F30000-0x0000000002F3B000-memory.dmp

Filesize
44KB

Download
memory/1076-3-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/1076-11-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/1076-7-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/1076-12-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

Filesize
8KB

Download
memory/1076-31-0x0000000002F30000-0x0000000002F3B000-memory.dmp

Filesize
44KB

Download
memory/1076-35-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/1076-36-0x0000000002F30000-0x0000000002F3B000-memory.dmp

Filesize
44KB

Download
memory/1076-37-0x0000000002F40000-0x0000000002F4B000-memory.dmp

Filesize
44KB

Download
memory/1076-38-0x0000000002F40000-0x0000000002F4B000-memory.dmp

Filesize
44KB

Download
memory/2364-2-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2364-40-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2364-39-0x0000000030670000-0x00000000306C7000-memory.dmp

Filesize
348KB

Download
memory/2364-42-0x0000000030670000-0x00000000306C7000-memory.dmp

Filesize
348KB

Download
memory/2364-43-0x0000000030670000-0x00000000306C7000-memory.dmp

Filesize
348KB

Download
memory/2364-1-0x0000000030670000-0x00000000306C7000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads