dffde103274f93ec565bc1f394c6b94bea9c0d0c7dc9283a5b61d9adba348eba

General

Target

d5c0204c353df61ec441c834c56c4b03.exe
Size

243KB
MD5

d5c0204c353df61ec441c834c56c4b03
SHA1

4df64a5b956fb7b67bb5489bd069b755cd535f2a
SHA256

dffde103274f93ec565bc1f394c6b94bea9c0d0c7dc9283a5b61d9adba348eba
SHA512

86aa77d0d8db09e16e6158606e67a1bff81b58ea7c9432104e508b888a0235f5b3959d16d17f99a2ffd8dcdbf57715f77ae51843b62e6c7aa9f052a14bdf0208
SSDEEP

6144:Q0a3JZG91AD8A28YoJCoIahGg69dAAxg3gzN3:Q0UGYeOXh3eAAig5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\2625e5f1\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2368 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

336 csrss.exe
2572 X
Loads dropped DLL 2 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exe

pid process

2892 d5c0204c353df61ec441c834c56c4b03.exe
2892 d5c0204c353df61ec441c834c56c4b03.exe
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Destination IP 69.64.52.10
Suspicious use of SetThreadContext 1 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exe

description pid process target process

PID 2892 set thread context of 2368 2892 d5c0204c353df61ec441c834c56c4b03.exe cmd.exe

pid	process
2368	cmd.exe

pid	process
336	csrss.exe
2572	X

description	ioc
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10
Destination IP	69.64.52.10

description	pid	process	target process
PID 2892 set thread context of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}	d5c0204c353df61ec441c834c56c4b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "71"	d5c0204c353df61ec441c834c56c4b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "7259981083586813355"	d5c0204c353df61ec441c834c56c4b03.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exeX

pid	process
2892	d5c0204c353df61ec441c834c56c4b03.exe
2892	d5c0204c353df61ec441c834c56c4b03.exe
2892	d5c0204c353df61ec441c834c56c4b03.exe
2892	d5c0204c353df61ec441c834c56c4b03.exe
2572	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exe

description pid process

Token: SeDebugPrivilege 2892 d5c0204c353df61ec441c834c56c4b03.exe
Token: SeDebugPrivilege 2892 d5c0204c353df61ec441c834c56c4b03.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2892	d5c0204c353df61ec441c834c56c4b03.exe
Token: SeDebugPrivilege	2892	d5c0204c353df61ec441c834c56c4b03.exe

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d5c0204c353df61ec441c834c56c4b03.exeXcsrss.exe

description	pid	process	target process
PID 2892 wrote to memory of 1256	2892	d5c0204c353df61ec441c834c56c4b03.exe	Explorer.EXE
PID 2892 wrote to memory of 336	2892	d5c0204c353df61ec441c834c56c4b03.exe	csrss.exe
PID 2892 wrote to memory of 2572	2892	d5c0204c353df61ec441c834c56c4b03.exe	X
PID 2892 wrote to memory of 2572	2892	d5c0204c353df61ec441c834c56c4b03.exe	X
PID 2892 wrote to memory of 2572	2892	d5c0204c353df61ec441c834c56c4b03.exe	X
PID 2892 wrote to memory of 2572	2892	d5c0204c353df61ec441c834c56c4b03.exe	X
PID 2572 wrote to memory of 1256	2572	X	Explorer.EXE
PID 2892 wrote to memory of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe
PID 2892 wrote to memory of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe
PID 2892 wrote to memory of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe
PID 2892 wrote to memory of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe
PID 2892 wrote to memory of 2368	2892	d5c0204c353df61ec441c834c56c4b03.exe	cmd.exe
PID 336 wrote to memory of 2424	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 2424	336	csrss.exe	WMIADAP.EXE
PID 336 wrote to memory of 2788	336	csrss.exe	wmiprvse.exe
PID 336 wrote to memory of 2788	336	csrss.exe	wmiprvse.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1256

C:\Users\Admin\AppData\Local\Temp\d5c0204c353df61ec441c834c56c4b03.exe
"C:\Users\Admin\AppData\Local\Temp\d5c0204c353df61ec441c834c56c4b03.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\2625e5f1\X
*0*47*9b3f5dab*69.64.52.10:53
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:2368

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2424

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll
Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\AppData\Local\2625e5f1\X
Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
Filesize
2KB

MD5
b1963186aab307167f3a25ae533c907c

SHA1
f3c396501b4f8122da0617e8bc49bd788d761c55

SHA256
1e202b3186ec6489e7a0375977217e13c16cfa689f9496b815ce020cf8d95bfc

SHA512
c6f07f5b7a3eebe02c4dc5164d6c29c1404b5fb3167019e0facc11f239f4f3d09bf8dd4e0ca00230dfc5e70b478c23d2fe3f391d113cf5ccebd8e5f3eec3b36b

Download Submit
memory/336-16-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/336-26-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/336-20-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/1256-12-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/1256-36-0x0000000002160000-0x000000000216B000-memory.dmp

Filesize
44KB

Download
memory/1256-5-0x0000000002130000-0x0000000002132000-memory.dmp

Filesize
8KB

Download
memory/1256-8-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/1256-3-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/1256-28-0x0000000002160000-0x000000000216B000-memory.dmp

Filesize
44KB

Download
memory/1256-32-0x0000000002160000-0x000000000216B000-memory.dmp

Filesize
44KB

Download
memory/1256-43-0x0000000002170000-0x000000000217B000-memory.dmp

Filesize
44KB

Download
memory/1256-37-0x0000000002170000-0x000000000217B000-memory.dmp

Filesize
44KB

Download
memory/2892-39-0x0000000030670000-0x00000000306C6000-memory.dmp

Filesize
344KB

Download
memory/2892-40-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/2892-42-0x0000000030670000-0x00000000306C6000-memory.dmp

Filesize
344KB

Download
memory/2892-1-0x0000000030670000-0x00000000306C6000-memory.dmp

Filesize
344KB

Download
memory/2892-2-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads