99200990542dee7794486cd828fa4883502037d620a39be5eb16beb94085b2b2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d54380f953e1ec9581130143c4922eb5.exe
Size

243KB
MD5

d54380f953e1ec9581130143c4922eb5
SHA1

79d16728373632ce6ff1153541f0323085069539
SHA256

99200990542dee7794486cd828fa4883502037d620a39be5eb16beb94085b2b2
SHA512

c8a6c2e1ba703a3d7c5313a6f87f81c2ba8a5302e661c84b8af2d61d7b4472c0e7e6369cbe56ef1c460b698ce6bbe78fc9229e4d4030a1a2708d310f98b4fb97
SSDEEP

6144:N0/4jkcyqO3YcK7fD2RysX+001urGFCbeY/B0ZiLwkTFG:W/4TyT8KRQ000UKlp+oTF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\601de525\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2480 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

336 csrss.exe
2648 X
Loads dropped DLL 2 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exe

pid process

2084 d54380f953e1ec9581130143c4922eb5.exe
2084 d54380f953e1ec9581130143c4922eb5.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Suspicious use of SetThreadContext 1 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exe

description pid process target process

PID 2084 set thread context of 2480 2084 d54380f953e1ec9581130143c4922eb5.exe cmd.exe

pid	process
2480	cmd.exe

pid	process
336	csrss.exe
2648	X

pid	process
2084	d54380f953e1ec9581130143c4922eb5.exe
2084	d54380f953e1ec9581130143c4922eb5.exe

description	ioc
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10

description	pid	process	target process
PID 2084 set thread context of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{a87e7c5c-7642-9dcf-a97a-d789bc2b53fe}	d54380f953e1ec9581130143c4922eb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a87e7c5c-7642-9dcf-a97a-d789bc2b53fe}\u = "71"	d54380f953e1ec9581130143c4922eb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a87e7c5c-7642-9dcf-a97a-d789bc2b53fe}\cid = "12744840248436013905"	d54380f953e1ec9581130143c4922eb5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exeX

pid process

2084 d54380f953e1ec9581130143c4922eb5.exe
2084 d54380f953e1ec9581130143c4922eb5.exe
2084 d54380f953e1ec9581130143c4922eb5.exe
2084 d54380f953e1ec9581130143c4922eb5.exe
2648 X
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exe

description pid process

Token: SeDebugPrivilege 2084 d54380f953e1ec9581130143c4922eb5.exe
Token: SeDebugPrivilege 2084 d54380f953e1ec9581130143c4922eb5.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

pid	process
2084	d54380f953e1ec9581130143c4922eb5.exe
2084	d54380f953e1ec9581130143c4922eb5.exe
2084	d54380f953e1ec9581130143c4922eb5.exe
2084	d54380f953e1ec9581130143c4922eb5.exe
2648	X

description	pid	process
Token: SeDebugPrivilege	2084	d54380f953e1ec9581130143c4922eb5.exe
Token: SeDebugPrivilege	2084	d54380f953e1ec9581130143c4922eb5.exe

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d54380f953e1ec9581130143c4922eb5.exeXcsrss.exe

description	pid	process	target process
PID 2084 wrote to memory of 1208	2084	d54380f953e1ec9581130143c4922eb5.exe	Explorer.EXE
PID 2084 wrote to memory of 336	2084	d54380f953e1ec9581130143c4922eb5.exe	csrss.exe
PID 2084 wrote to memory of 2648	2084	d54380f953e1ec9581130143c4922eb5.exe	X
PID 2084 wrote to memory of 2648	2084	d54380f953e1ec9581130143c4922eb5.exe	X
PID 2084 wrote to memory of 2648	2084	d54380f953e1ec9581130143c4922eb5.exe	X
PID 2084 wrote to memory of 2648	2084	d54380f953e1ec9581130143c4922eb5.exe	X
PID 2648 wrote to memory of 1208	2648	X	Explorer.EXE
PID 2084 wrote to memory of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe
PID 2084 wrote to memory of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe
PID 2084 wrote to memory of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe
PID 2084 wrote to memory of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe
PID 2084 wrote to memory of 2480	2084	d54380f953e1ec9581130143c4922eb5.exe	cmd.exe
PID 336 wrote to memory of 2844	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 2844	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 2868	336	csrss.exe	wmiprvse.exe
PID 336 wrote to memory of 2868	336	csrss.exe	wmiprvse.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1208

C:\Users\Admin\AppData\Local\Temp\d54380f953e1ec9581130143c4922eb5.exe
"C:\Users\Admin\AppData\Local\Temp\d54380f953e1ec9581130143c4922eb5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\601de525\X
*0*47*4f213b51*69.64.52.10:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:2480

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2844

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\601de525\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\Windows\System32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
357ac37f46e85a2030d94ae48c5ecd83

SHA1
5dda011291aee54e74300bf55a0b91608a0e698e

SHA256
dcf8313ff441f607e927fe6829f6046b07b3c4f9d296d37fa428a5b55cc96155

SHA512
5721f86e1c7853b60b9227332638425c53a2c2591b6b80ec3b7110333e7c6506756a1e3d4dca9a68ed03d1ea98bf0a23cb4a1e572814100647978e441a2dd6fd

Download Submit
memory/336-18-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/336-42-0x0000000002F20000-0x0000000002F22000-memory.dmp

Filesize
8KB

Download
memory/336-20-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/1208-27-0x0000000002F50000-0x0000000002F5B000-memory.dmp

Filesize
44KB

Download
memory/1208-11-0x0000000002F30000-0x0000000002F36000-memory.dmp

Filesize
24KB

Download
memory/1208-3-0x0000000002F30000-0x0000000002F36000-memory.dmp

Filesize
24KB

Download
memory/1208-7-0x0000000002F30000-0x0000000002F36000-memory.dmp

Filesize
24KB

Download
memory/1208-12-0x0000000002F20000-0x0000000002F22000-memory.dmp

Filesize
8KB

Download
memory/1208-29-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/1208-32-0x0000000002F50000-0x0000000002F5B000-memory.dmp

Filesize
44KB

Download
memory/1208-36-0x0000000002F50000-0x0000000002F5B000-memory.dmp

Filesize
44KB

Download
memory/1208-37-0x0000000002F60000-0x0000000002F6B000-memory.dmp

Filesize
44KB

Download
memory/1208-38-0x0000000002F60000-0x0000000002F6B000-memory.dmp

Filesize
44KB

Download
memory/2084-2-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2084-40-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2084-39-0x0000000030670000-0x00000000306C5000-memory.dmp

Filesize
340KB

Download
memory/2084-43-0x0000000030670000-0x00000000306C5000-memory.dmp

Filesize
340KB

Download
memory/2084-1-0x0000000030670000-0x00000000306C5000-memory.dmp

Filesize
340KB

Download