7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d

General

Target

7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
Size

910KB
MD5

90e425380cdd0184c50f30c9f06af217
SHA1

2e2c7e0c80c7b05262822e1f1362d14c46eb5dc0
SHA256

7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d
SHA512

a1b1c6df4b5cdf7abb4a3fde6cc97a0bbce5cb06331eb02fa78e482181703a7bc3049ac8d520606ffe2aa9e045bb3633215d5f5e8a747fa035e1b4c116676365
SSDEEP

12288:85STYf+qnR7Fkxh7dG1lFlWcYT70pxnnaaoawASIh4BBpGmrZNrI0AilFEvxHvBI:ohg4MROxnFp/iHrZlI0AilFEvxHidj

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
File created	C:\Windows\assembly\Desktop.ini	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1268	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2828	1268	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe	83
PID 1268 wrote to memory of 2828	1268	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe	83
PID 2828 wrote to memory of 4880	2828	csc.exe	85
PID 2828 wrote to memory of 4880	2828	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\to04um8f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A8E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A8D.tmp"
    3⤵
    PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8A8E.tmp

Filesize
1KB

MD5
2c780d2c568df39d8a0bf9a4ab3cb939

SHA1
0f0b3ba61e66c49c1fea086fec0fa832bd40fbf3

SHA256
e597be852d5e4b23d5d8220186d239ab67296074a830b26bdbe25f958d5abffb

SHA512
a330a0686bb70457e71468572151cec95bdae919732e2cb0d0b26ef8a308c5f2ed7b92c4fb57c8fde6144e6a7991b3bf2601c37c0165f65d2389b97e67ad2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\to04um8f.dll

Filesize
76KB

MD5
5d736fa3dcf58317f6ac91543a86da78

SHA1
a498e6af4411c5cae5ad55da349140518721d2f8

SHA256
13000bc0488d6ccaa9337243a2ce475414a74a26a983377d01b584601207161d

SHA512
02c4507a20e1256b1012687671a62fc26040be79151c1c0134239a95d6fdd4a6477cb5ee94286e38a74a649db40d913c580c0b4980a037a8fc49155a58ea0532

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8A8D.tmp

Filesize
676B

MD5
f2ef5a13b8b974dc7af1a8eb8d1ca550

SHA1
05f8d8a3f9f09d7d1bd5053b047f422fca7dcbea

SHA256
2bc1e8fca3b700d16f5e16221e5566a57f56f3e53f8a09f6cb02c0f319aeb90f

SHA512
4ad230961a86f1033d427e119d4d99c3380d6392cdd3b74fafa06f22cccff3e5828c2b5b01b4fca277eeef120d3510ae5978fb18b985ca676f11f85fe1ba80a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to04um8f.0.cs

Filesize
208KB

MD5
ac842bdcbaedf3e3a3cf91babd2759ff

SHA1
dac6a53e5e8f1498cf27dec864e97d597827000c

SHA256
eaf8d46e2f35c0f34f61ef282195989572868aa127e362769bfd096d4cf50fc6

SHA512
01847dbcd74dfcf9c10c9c78f75e2149cf87aeaf37129c72d90262171502f24d42f195648b048d22daeba426c1197e7bf8d6c607030353ca9a54a69b5d8710f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to04um8f.cmdline

Filesize
349B

MD5
8952c2b6798c6f219436e32f7a70df85

SHA1
16b24056a1d5745b37388d430a87e0cd27e8c69a

SHA256
ec2318ea446ef63c7d3d5f6a493791aa1218bd7b77d27494b00c3fa70ace263f

SHA512
75f132f3ab722dcfe07b52e4e5ca22e918942a316c2479ef0a74ea91088855b6cb34cdf9ce7a4b8f6b49bd4e9a860e0b059ff2394b8bb55b59b4bcd98a34809c

Download Submit
memory/1268-25-0x000000001B940000-0x000000001B952000-memory.dmp

Filesize
72KB

Download
memory/1268-28-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download
memory/1268-6-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/1268-7-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

Filesize
4.8MB

Download
memory/1268-5-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/1268-32-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/1268-2-0x000000001B9F0000-0x000000001BA4C000-memory.dmp

Filesize
368KB

Download
memory/1268-31-0x00007FFB5C655000-0x00007FFB5C656000-memory.dmp

Filesize
4KB

Download
memory/1268-23-0x000000001CCF0000-0x000000001CD06000-memory.dmp

Filesize
88KB

Download
memory/1268-1-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/1268-0-0x00007FFB5C655000-0x00007FFB5C656000-memory.dmp

Filesize
4KB

Download
memory/1268-26-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/1268-27-0x000000001CD30000-0x000000001CD48000-memory.dmp

Filesize
96KB

Download
memory/1268-8-0x000000001C660000-0x000000001C6FC000-memory.dmp

Filesize
624KB

Download
memory/1268-29-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/1268-30-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

Filesize
32KB

Download
memory/2828-21-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/2828-19-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing