cf8f553cdf1b7748597a118416e41b1d6135633ebc6d0a09cefff76425855c7a

General

Target

c92ae5be4af6e68ebf689a1d7c597703.exe
Size

386KB
MD5

c92ae5be4af6e68ebf689a1d7c597703
SHA1

77dfbe5954d0c6c953e3839aa88e42d3d37aec99
SHA256

cf8f553cdf1b7748597a118416e41b1d6135633ebc6d0a09cefff76425855c7a
SHA512

cfd6fa9e1500191b8b896e885d69e7a502ae70539ea3c066114ebca69d704e17be2b592ae8a57f0173e9d82c37fe73bf942aa975f19cf810f68a48a668e70cff
SSDEEP

6144:naordEkMQn1aOrX4KXZFuD2QjGcjqQeHTTs1yFb7PM5WkKkX7VNuN:aorukMk19rXCXvgTIWXP+1G

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2156	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1808	c92ae5be4af6e68ebf689a1d7c597703.exe
1808	c92ae5be4af6e68ebf689a1d7c597703.exe
1808	c92ae5be4af6e68ebf689a1d7c597703.exe
1808	c92ae5be4af6e68ebf689a1d7c597703.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	c92ae5be4af6e68ebf689a1d7c597703.exe
Token: SeDebugPrivilege	1808	c92ae5be4af6e68ebf689a1d7c597703.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1212	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	21
PID 1808 wrote to memory of 336	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	2
PID 1808 wrote to memory of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28
PID 1808 wrote to memory of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28
PID 1808 wrote to memory of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28
PID 1808 wrote to memory of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28
PID 1808 wrote to memory of 2156	1808	c92ae5be4af6e68ebf689a1d7c597703.exe	28
PID 336 wrote to memory of 2484	336	csrss.exe	30
PID 336 wrote to memory of 2484	336	csrss.exe	30
PID 336 wrote to memory of 2864	336	csrss.exe	31
PID 336 wrote to memory of 2864	336	csrss.exe	31
PID 336 wrote to memory of 848	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c92ae5be4af6e68ebf689a1d7c597703.exe
  "C:\Users\Admin\AppData\Local\Temp\c92ae5be4af6e68ebf689a1d7c597703.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2156

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
62bdf8d92ee7e22d6dd8b68f3e923276

SHA1
a178286e145f4f05365cbf7fe49384a13ffff492

SHA256
61f0a30486888a8370efb1e9e13ae13b93824787914e35e5a5ff2d19bdc25bb9

SHA512
70afc8270938c82de9f9ad959a4e2366cd95eceb0ebcb86204da30ce18ad6c5c7d4228023090f3fa4546a0d73dce63e3e41732bc7c14b4228ca0f77c3a27014d

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
4d7cde615a0f534bd5e359951829554b

SHA1
c885d00d9000f2a5dbc78f6193a052b36f4fe968

SHA256
414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

SHA512
33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

Download Submit
memory/336-44-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/336-36-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/336-37-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/336-43-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/848-56-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/848-55-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/848-51-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/848-46-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/848-47-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/848-58-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/848-59-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/1212-28-0x00000000024B0000-0x00000000024B6000-memory.dmp

Filesize
24KB

Download
memory/1212-24-0x00000000024B0000-0x00000000024B6000-memory.dmp

Filesize
24KB

Download
memory/1212-30-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/1212-20-0x00000000024B0000-0x00000000024B6000-memory.dmp

Filesize
24KB

Download
memory/1808-14-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-16-0x0000000000754000-0x0000000000755000-memory.dmp

Filesize
4KB

Download
memory/1808-18-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-19-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-40-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1808-41-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-42-0x0000000000750000-0x000000000078F000-memory.dmp

Filesize
252KB

Download
memory/1808-29-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-15-0x0000000000750000-0x000000000078F000-memory.dmp

Filesize
252KB

Download
memory/1808-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1808-13-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-12-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-11-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-10-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-6-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-2-0x0000000000710000-0x000000000074F000-memory.dmp

Filesize
252KB

Download
memory/1808-1-0x0000000002100000-0x000000000250F000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing