acb8b1983056a81ddf3e2d907e77c1f4acfa1f3e1ee26bc44dfa3d5bc871d17a

General

Target

26584ad09940ac217ab26b0deab8c3ab.exe
Size

337KB
MD5

26584ad09940ac217ab26b0deab8c3ab
SHA1

2d7d4fef093196effc6e60c76b53582cbe6be653
SHA256

acb8b1983056a81ddf3e2d907e77c1f4acfa1f3e1ee26bc44dfa3d5bc871d17a
SHA512

b46362c43ba7bfff9e76e000767784a2b13eeb71408106a30f19c5bd641c408c256e37740dc4ba312a43f45034bb6fe71d5ba3f525f3b86f0598d7ab272b60ff
SSDEEP

6144:tfwzl1JD1NCrEbtYXb/AIc7Tg/V/zoJIGyxFq/Vl4P:twLJDKrEebfDQ4P

Score

8^/10

evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
1292	26584ad09940ac217ab26b0deab8c3ab.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	26584ad09940ac217ab26b0deab8c3ab.exe
Token: SeDebugPrivilege	1292	26584ad09940ac217ab26b0deab8c3ab.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2276	1292	26584ad09940ac217ab26b0deab8c3ab.exe	30
PID 1292 wrote to memory of 2276	1292	26584ad09940ac217ab26b0deab8c3ab.exe	30
PID 1292 wrote to memory of 2276	1292	26584ad09940ac217ab26b0deab8c3ab.exe	30
PID 1292 wrote to memory of 2276	1292	26584ad09940ac217ab26b0deab8c3ab.exe	30
PID 1292 wrote to memory of 1184	1292	26584ad09940ac217ab26b0deab8c3ab.exe	21
PID 1292 wrote to memory of 332	1292	26584ad09940ac217ab26b0deab8c3ab.exe	2
PID 1292 wrote to memory of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31
PID 1292 wrote to memory of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31
PID 1292 wrote to memory of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31
PID 1292 wrote to memory of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31
PID 1292 wrote to memory of 2752	1292	26584ad09940ac217ab26b0deab8c3ab.exe	31
PID 332 wrote to memory of 832	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:832

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184
- C:\Users\Admin\AppData\Local\Temp\26584ad09940ac217ab26b0deab8c3ab.exe
  "C:\Users\Admin\AppData\Local\Temp\26584ad09940ac217ab26b0deab8c3ab.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\26584ad09940ac217ab26b0deab8c3ab.exe
    "C:\Users\Admin\AppData\Local\Temp\26584ad09940ac217ab26b0deab8c3ab.exe" nfaddtdsdqaohwozdij
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
a97e613b0e96689be0dd93852c60804b

SHA1
a839d4e7633c42956c6b4e4eb4e14fbe6330bf10

SHA256
0f68978ff10dc9bff15245a21c3ba9c324fa53849d894d8e73c45f6c1a522883

SHA512
3c12586bfc13f15713045f1f3cb68379d3e43826906e900d5dc5c46812424007f6804fa2e6874a8df4277b3f06913b0396ceb123e868f304962e9e95adad6607

Download Submit
memory/332-19-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/332-29-0x0000000000800000-0x0000000000811000-memory.dmp

Filesize
68KB

Download
memory/332-22-0x0000000000800000-0x0000000000811000-memory.dmp

Filesize
68KB

Download
memory/332-21-0x0000000000800000-0x0000000000811000-memory.dmp

Filesize
68KB

Download
memory/832-31-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/832-40-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/832-44-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/832-43-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/832-41-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/832-35-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/832-39-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/1184-13-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1184-5-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1184-9-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1184-14-0x0000000002A50000-0x0000000002A52000-memory.dmp

Filesize
8KB

Download
memory/1292-0-0x00000000021D0000-0x00000000025E0000-memory.dmp

Filesize
4.1MB

Download
memory/1292-1-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1292-27-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download
memory/1292-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1292-26-0x00000000021D0000-0x00000000025E0000-memory.dmp

Filesize
4.1MB

Download
memory/2276-4-0x0000000000400000-0x0000000000457EF0-memory.dmp

Filesize
351KB

Download

Analysis

Sharing