3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Size

397KB
MD5

ecfa84257ab760d56848224f04f45f20
SHA1

efacb3a82c7c2d15baa39a6f78217f22ea202547
SHA256

3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998
SHA512

b9fadbdcf53f8b7a9cfdc9904e5dab1f17ae96a3e328c2c4c6d0ad06077929a259823bc9f7637f6b80acaf1cdf749879cd6081ec4d301e2bd23e9a3bfce206ff
SSDEEP

6144:HK/d/9oM0YTX+nNPHmROkpd3CnvegL1zWmK/jJC+J/VlCa:+d/9nTOnNPGRbiegrKrJCoCa

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Token: SeDebugPrivilege	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Token: SeShutdownPrivilege	1076	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2436	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	30
PID 3048 wrote to memory of 2436	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	30
PID 3048 wrote to memory of 2436	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	30
PID 3048 wrote to memory of 2436	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	30
PID 3048 wrote to memory of 1076	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	18
PID 3048 wrote to memory of 336	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	2
PID 336 wrote to memory of 2256	336	csrss.exe	31
PID 336 wrote to memory of 2256	336	csrss.exe	31
PID 3048 wrote to memory of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32
PID 3048 wrote to memory of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32
PID 3048 wrote to memory of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32
PID 3048 wrote to memory of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32
PID 3048 wrote to memory of 2644	3048	3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe	32
PID 336 wrote to memory of 868	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
- C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
  "C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
    "C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe" keahzcqprijnoqp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
5a9e26d4249406d2d46b7937e3879031

SHA1
44ae94c154e9e5a05d992e51211d62f6c09ccfe1

SHA256
2bc094db466b26d2a56bbb22b300215d38289694de7b34e06156e5f2b668f89f

SHA512
4877944537771d21af3bed2e88b724a2ec73138d3beb11e22621bd931bb2c64f1a10ee4412bc061b4941b89372ca3787480bdadb9ac2c12817ce8ada5ab5cdcc

Download Submit
memory/336-30-0x0000000002300000-0x0000000002311000-memory.dmp

Filesize
68KB

Download
memory/336-23-0x0000000002300000-0x0000000002311000-memory.dmp

Filesize
68KB

Download
memory/336-22-0x0000000002300000-0x0000000002311000-memory.dmp

Filesize
68KB

Download
memory/336-20-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/868-32-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/868-46-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/868-40-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/868-41-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/868-45-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/868-42-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/868-36-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/1076-15-0x0000000002590000-0x0000000002596000-memory.dmp

Filesize
24KB

Download
memory/1076-10-0x0000000002590000-0x0000000002596000-memory.dmp

Filesize
24KB

Download
memory/1076-12-0x0000000002580000-0x0000000002582000-memory.dmp

Filesize
8KB

Download
memory/1076-6-0x0000000002590000-0x0000000002596000-memory.dmp

Filesize
24KB

Download
memory/2436-3-0x00000000023A0000-0x00000000027B0000-memory.dmp

Filesize
4.1MB

Download
memory/2436-26-0x0000000000400000-0x0000000000466FC0-memory.dmp

Filesize
411KB

Download
memory/2436-4-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/3048-5-0x0000000000400000-0x0000000000466FC0-memory.dmp

Filesize
411KB

Download
memory/3048-1-0x0000000002540000-0x0000000002950000-memory.dmp

Filesize
4.1MB

Download
memory/3048-0-0x0000000000400000-0x0000000000466FC0-memory.dmp

Filesize
411KB

Download