188db24435d6e5f8455ed007f0315edd512359c6b22d045a91b63f34d7397254

Analysis

max time kernel
123s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 06:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d572cbe875ba9405a8cd0435c4b17f61.exe
Size

211KB
MD5

d572cbe875ba9405a8cd0435c4b17f61
SHA1

cdf287e9ffb19edf0385317936b4c93f41b0e1a6
SHA256

188db24435d6e5f8455ed007f0315edd512359c6b22d045a91b63f34d7397254
SHA512

30c93152df73a0d766bc8e701d233330279cf8da81ca102eb74931e70ca00bdf5f42b154e66f6547834b265928ac42a7eeb6abee28d908b074b5781d2d995ef0
SSDEEP

3072:CIT8KFF2RQH8IUh2hIriOhLsTq0xfiN/0ot13ozgC7HCniDqpTqHaJB:C7KFOc1Uh2hAiOaO0xfiZv3ozgRLWq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "15"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "2989530632812996255"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	explorer.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2876	d572cbe875ba9405a8cd0435c4b17f61.exe
336	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28
PID 2876 wrote to memory of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28
PID 2876 wrote to memory of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28
PID 2876 wrote to memory of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28
PID 2876 wrote to memory of 3040	2876	d572cbe875ba9405a8cd0435c4b17f61.exe	28
PID 3040 wrote to memory of 336	3040	explorer.exe	2
PID 336 wrote to memory of 2600	336	csrss.exe	29
PID 336 wrote to memory of 2600	336	csrss.exe	29
PID 336 wrote to memory of 2712	336	csrss.exe	30
PID 336 wrote to memory of 2712	336	csrss.exe	30

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\d572cbe875ba9405a8cd0435c4b17f61.exe
"C:\Users\Admin\AppData\Local\Temp\d572cbe875ba9405a8cd0435c4b17f61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\explorer.exe
  000000AC*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2600

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
adf1ddd89d424e8d0e275cc42747ec81

SHA1
321105503846b4a5f8fd3ccd6d92253c39b3e1ce

SHA256
5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f

SHA512
3afb78bc1e49c224726ae824a4d36923bc9fedbdbc027576427932d900bbb17a3b536f1b384bc52bd1a1892ff23c5a2453065530fbdc0023392a0d17e7cbc184

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
ea8d3ec963099907e71dd327e83e53f8

SHA1
d27e64a439814717ef899f2c42f602e37d9263b6

SHA256
9b61ceca7a404ee34c7ee1aa2204fb9e45a2e959a9a3dce285d9253bb71d4f13

SHA512
a09f87b9e21e43db4c2ec6e5bb6a4af877bb59d9a54c8d52a8b66441c0f5aec55047cec5bc0d5afb57f9c5783c554a0339fc1774367277b93d03245d944b4965

Download Submit
memory/336-21-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/336-22-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2876-0-0x0000000000630000-0x000000000065B000-memory.dmp

Filesize
172KB

Download
memory/2876-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2876-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3040-5-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/3040-6-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download
memory/3040-11-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/3040-16-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download