afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046

General

Target

windows.exe
Size

913KB
MD5

4c30c907584baa7c1931a3a83ba69149
SHA1

09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256

afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512

1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP

24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
9	0.tcp.eu.ngrok.io

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	windows.exe
File created	C:\Windows\assembly\Desktop.ini	windows.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	windows.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 4860	1400	windows.exe	83
PID 1400 wrote to memory of 4860	1400	windows.exe	83
PID 4860 wrote to memory of 1324	4860	csc.exe	85
PID 4860 wrote to memory of 1324	4860	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwwnzdm7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE3A9.tmp"
    3⤵
    PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE3AA.tmp

Filesize
1KB

MD5
922e5b206aab0bbec9ab2f658e875dbb

SHA1
8f821c98fa759bf229ec29e2841aa3f0a66f8792

SHA256
656a20d32f1cf59db663723595648a18dfd26975bd8a36f58863249202034f50

SHA512
81c6e818ba42c02567c2fb30d04f77fd548d8d76e02c82fb21b2d154779a81da617e5aa76bee4eacf1a84c6036e43b1845690cc1a414fda4815d1f1e5c943fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwnzdm7.dll

Filesize
76KB

MD5
f8ae1eea65fea128208183f5e5ca2c88

SHA1
183a46571a20a420809c0fbe67f0801bcccc140e

SHA256
6bee27fc6a7414604295a7927eb30ab88fd1d1286f1684dad6f08e8ac715f910

SHA512
e64da1d37eeadd140a1bfc3ffc43b0c7d459b54caa47b27acab65de35167904c7cb6034b3805ef26a971b86c4c2ea4ffdec2e1a2f618961bb7c1c4f490087718

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE3A9.tmp

Filesize
676B

MD5
35331e33d4e7c4bc7a8ac836059d088e

SHA1
cf29ac290adf5f6bd86b123d0d97959d3960727d

SHA256
299333608ac4c303e707f93979e5ff6933e7f307a73b95a101516acb088fce46

SHA512
9e4d1682ca4aa55edf14aebaedbafb98df1e7a3e28df661b619b8518c9ccc13917e25580f3f6ca8e558d83dcc70ef14c864b91a8b184de75b30e1a136281f880

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uwwnzdm7.0.cs

Filesize
208KB

MD5
05f50de06bccfbf50b95b0b5364b27dc

SHA1
05ef5f48d26dae4e2e83ece9c3027aeaad789c59

SHA256
683f36bbd78e9bbb8a9452c7310b5f308148109edb85e75d72f8c479e811c331

SHA512
e5f72df7ef9b74a195970befc3799f57c7116a7c061cd25f343ea8729a399d2672aaa0fec82a1adaf9c98663fe2a16a2beb8a20829f5b8975125f72e3bdc50aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uwwnzdm7.cmdline

Filesize
349B

MD5
2a4a5c6bf56af9a258c0e77f2173553c

SHA1
849a04145896e25e1f540629073ef43271a42771

SHA256
c46fd9e1ad3567843945ae32de9167041d32b0ac9a4aa26f8641f46e1b68f6f1

SHA512
fb2c9133bb0dad408cd0712244029d167e30a8c6fb481e657ab0eed5586ba9b56bc0b4f84030a7b6ade7ab1b77fe70f6603141b08ff55ba1f6554b30be410d90

Download Submit
memory/1400-26-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/1400-30-0x000000001DDD0000-0x000000001DEC0000-memory.dmp

Filesize
960KB

Download
memory/1400-7-0x000000001BF50000-0x000000001C41E000-memory.dmp

Filesize
4.8MB

Download
memory/1400-6-0x000000001B8A0000-0x000000001B8AE000-memory.dmp

Filesize
56KB

Download
memory/1400-49-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-3-0x000000001B7C0000-0x000000001B81C000-memory.dmp

Filesize
368KB

Download
memory/1400-2-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-48-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-23-0x000000001C4E0000-0x000000001C4F6000-memory.dmp

Filesize
88KB

Download
memory/1400-1-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-25-0x00000000011D0000-0x00000000011E2000-memory.dmp

Filesize
72KB

Download
memory/1400-0-0x00007FFBD0DC5000-0x00007FFBD0DC6000-memory.dmp

Filesize
4KB

Download
memory/1400-27-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/1400-28-0x000000001CEB0000-0x000000001CF12000-memory.dmp

Filesize
392KB

Download
memory/1400-29-0x000000001D810000-0x000000001DDCA000-memory.dmp

Filesize
5.7MB

Download
memory/1400-8-0x000000001C420000-0x000000001C4BC000-memory.dmp

Filesize
624KB

Download
memory/1400-31-0x000000001CB10000-0x000000001CB2E000-memory.dmp

Filesize
120KB

Download
memory/1400-32-0x000000001DEC0000-0x000000001DF09000-memory.dmp

Filesize
292KB

Download
memory/1400-33-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-34-0x000000001DF80000-0x000000001DFF0000-memory.dmp

Filesize
448KB

Download
memory/1400-35-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-37-0x000000001E250000-0x000000001E268000-memory.dmp

Filesize
96KB

Download
memory/1400-38-0x000000001D030000-0x000000001D040000-memory.dmp

Filesize
64KB

Download
memory/1400-39-0x000000001D040000-0x000000001D048000-memory.dmp

Filesize
32KB

Download
memory/1400-42-0x000000001F2B0000-0x000000001F3EC000-memory.dmp

Filesize
1.2MB

Download
memory/1400-45-0x00007FFBD0DC5000-0x00007FFBD0DC6000-memory.dmp

Filesize
4KB

Download
memory/1400-46-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1400-47-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/4860-21-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download
memory/4860-14-0x00007FFBD0B10000-0x00007FFBD14B1000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing