General

  • Target

    CSRSS.Exe

  • Size

    210KB

  • Sample

    210410-pjqlvlb4w2

  • MD5

    67438e8ddb537ef31fd86c5b046e986b

  • SHA1

    0722038e02681bb4f1312b92bd62cd070476f3d6

  • SHA256

    d7f19de8eb2461c635c0170448a58a1ec6e6de014b4410883f87d0b5d7868e65

  • SHA512

    31ba7615a173c84cd59152ed44d707ef81f37bba9d91bc9afb86d89cb6c99f4346cfdce272224f7c3e00f0b23ff930df7cc4285d63fc2185e50669ad8c5c7c39

Malware Config

Targets

    • Target

      CSRSS.Exe

    • Size

      210KB

    • MD5

      67438e8ddb537ef31fd86c5b046e986b

    • SHA1

      0722038e02681bb4f1312b92bd62cd070476f3d6

    • SHA256

      d7f19de8eb2461c635c0170448a58a1ec6e6de014b4410883f87d0b5d7868e65

    • SHA512

      31ba7615a173c84cd59152ed44d707ef81f37bba9d91bc9afb86d89cb6c99f4346cfdce272224f7c3e00f0b23ff930df7cc4285d63fc2185e50669ad8c5c7c39

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks