c3f6253dabad24e7782da59f8499133eb47a2d65be3ee0f2406078a85b6e3bd3

General

Target

InitSetting.exe
Size

1.3MB
MD5

aba13f00b24f624e532510a2f85f718e
SHA1

dd0d44110097c49c188a48144302a9d160618f06
SHA256

c3f6253dabad24e7782da59f8499133eb47a2d65be3ee0f2406078a85b6e3bd3
SHA512

1fc54b623d968071afd0a6a20ab61a4f23bc139670d5bd65b71517888a1dd9ed43327db55942b1e0e7b20596b5ba8a68189cdfefa8ff33ee4d93c215b618b16b
SSDEEP

24576:8cmf0iHbbns/obsC21Cb5IbdahtN7f7lCobwD:8cI0i/3bg4CbdAtZpb

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	InitSetting.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	InitSetting.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	InitSetting.exe
File created	C:\Windows\assembly\Desktop.ini	InitSetting.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	InitSetting.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	InitSetting.exe
1404	InitSetting.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	InitSetting.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1316	1404	InitSetting.exe	108
PID 1404 wrote to memory of 1316	1404	InitSetting.exe	108
PID 1316 wrote to memory of 3892	1316	csc.exe	110
PID 1316 wrote to memory of 3892	1316	csc.exe	110

C:\Users\Admin\AppData\Local\Temp\InitSetting.exe
"C:\Users\Admin\AppData\Local\Temp\InitSetting.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vesnx2_c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6703.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6702.tmp"
    3⤵
    PID:3892

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6703.tmp

Filesize
1KB

MD5
a19cb32ed08ab9679591816c1380c37d

SHA1
9a20fd5084d73db023ff32367b031d8759f12662

SHA256
b3def2c2ee9ef64e45ba19be8ab02d2328ddd25cc08e2734b3723b540db3f610

SHA512
74a8f389c345f847a5b4407a37dc5d522d03274418138674a7b531e53a354e2565008b9a1502ee58ca3ddb252ec0c2e91e9a66e7cca53f3805548a751cc79204

Download Submit
C:\Users\Admin\AppData\Local\Temp\vesnx2_c.dll

Filesize
8KB

MD5
d1db8642bac95937ca9321f547233f32

SHA1
0ab6c54aa9ead9c083e59cefcd16bd4482c23dfc

SHA256
d8aa9d7ecaeb4a96fc0d013971e67145a6085cc9000d642354b7efb639e7da04

SHA512
3d8a5d1e074cc8ce40a8c0a2a141f023a7dd704691277ddd90bccd83f336dac283c4a256d7f60d9f06f7cefecd14d5a28c79fe7951fb7f6067b7bcac56089f87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6702.tmp

Filesize
676B

MD5
8c2c8ace03b20f18b03e37ac920d4f8b

SHA1
a95ff00afab9e928c80c9060f78dc855ccb42f6d

SHA256
7bb8fa4c647882e513aba0eb59028bece67da3193bed7c2c48933f29b5915347

SHA512
9111fb6c85fa699fbdbbb6b6796a500e5eee321b16a7a05c5d39bc17e15bb3d5dcaead145869072fafca204abf1f1a5e6e65196a0445c348af438ed33eedeb9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vesnx2_c.0.cs

Filesize
12KB

MD5
77b72ed16b7223ff250ff95a5a66b9a9

SHA1
4f4a9f8357f2002214acc96f8eb37729a47cb60f

SHA256
0cfb58e799e3b982939312a5ec6585aad9eba3479c833896221fb8298e11dbd1

SHA512
e193d780a56140ab955af3c9299eb7c404c85977be60a664cc85d43ac578b5618abe802f71e421d5ae5790158771ac3b7aebbc0d4ec432099f3ec867dd55fab5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vesnx2_c.cmdline

Filesize
404B

MD5
eb566c2f0afa533eaa9d6dfb629d562d

SHA1
eb52914ec6c9ae22407f013ff9995d6f17bee8b5

SHA256
a4c1e877f3741e27d7f118b898aeb4412fbbd01d0dfa4d583365ebf6a1ac7ce2

SHA512
429cf7e9aafc28705e62d5693d2b1c7d0451e9ee440860f3a761fc33b12f844999f2bdc87a1397979fbb5edefe49f5f11c02c7bc32fbd3fe8653540f77cf4935

Download Submit
memory/1316-37-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1360-23-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1360-25-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/1360-9-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1360-8-0x0000000001540000-0x0000000001560000-memory.dmp

Filesize
128KB

Download
memory/1360-10-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/1360-11-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1360-12-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/1360-24-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/1404-19-0x000000001D390000-0x000000001D3AC000-memory.dmp

Filesize
112KB

Download
memory/1404-26-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-1-0x000000001B5A0000-0x000000001BAAE000-memory.dmp

Filesize
5.1MB

Download
memory/1404-20-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-21-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1404-22-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-17-0x000000001D350000-0x000000001D384000-memory.dmp

Filesize
208KB

Download
memory/1404-16-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-7-0x000000001D280000-0x000000001D31C000-memory.dmp

Filesize
624KB

Download
memory/1404-18-0x000000001B070000-0x000000001B07E000-memory.dmp

Filesize
56KB

Download
memory/1404-27-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-28-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-29-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/1404-6-0x000000001CD10000-0x000000001D1DE000-memory.dmp

Filesize
4.8MB

Download
memory/1404-5-0x000000001C110000-0x000000001C4E4000-memory.dmp

Filesize
3.8MB

Download
memory/1404-4-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1404-3-0x000000001BBF0000-0x000000001BD26000-memory.dmp

Filesize
1.2MB

Download
memory/1404-2-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1404-0-0x00007FFD62D60000-0x00007FFD63701000-memory.dmp

Filesize
9.6MB

Download
memory/1404-45-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing