Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-04-2021 09:48
Static task: static1
Behavioral task: behavioral1 (Sample: csrss.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: csrss.exe, Resource: win10v20210410)
General
- Target: csrss.exe
- Size: 2.1MB
- MD5: 2a9be7e5bc1de20522b4e71159159956
- SHA1: 53b6034d122211f7e3937d5f61325d3211842848
- SHA256: f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e
- SHA512: af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\SearchUI.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\\csrss.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\SearchUI.exe\"" | csrss.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
-
Executes dropped EXE (1 IoCs)
Processes (pid | process):
  3160 | csrss.exe
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | csrss.exe
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine | csrss.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine | csrss.exe
-
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\\csrss.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\\csrss.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\odt\\taskhostw.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\odt\\taskhostw.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files (x86)\\Windows Mail\\SearchUI.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files (x86)\\Windows Mail\\SearchUI.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\kbdarmph\\winlogon.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\"" | csrss.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  18 | ipinfo.io
  17 | ipinfo.io
-
Drops file in System32 directory (3 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\kbdarmph\winlogon.exe | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\kbdarmph\winlogon.exe | csrss.exe
  File created | C:\Windows\SysWOW64\kbdarmph\cc11b995f2a76da408ea6a601e682e64743153ad | csrss.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid | process):
  2184 | csrss.exe
  3160 | csrss.exe
-
Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Windows Mail\SearchUI.exe | csrss.exe
  File created | C:\Program Files (x86)\Windows Mail\dab4d89cac03ec27dbe47b361df763dc3f848f6c | csrss.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
  3848 | schtasks.exe
  2912 | schtasks.exe
  3860 | schtasks.exe
  1988 | schtasks.exe
  3116 | schtasks.exe
-
Modifies registry class (1 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | csrss.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
  2184 | csrss.exe
  2184 | csrss.exe
  2184 | csrss.exe
  3160 | csrss.exe
  3160 | csrss.exe
  3160 | csrss.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
  3160 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2184 | csrss.exe
  Token: SeDebugPrivilege | 3160 | csrss.exe
-
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description | pid | process | target process; each row appears three times in the report):
  PID 2184 wrote to memory of 3848 | 2184 | csrss.exe | schtasks.exe (3 entries)
  PID 2184 wrote to memory of 2912 | 2184 | csrss.exe | schtasks.exe (3 entries)
  PID 2184 wrote to memory of 3860 | 2184 | csrss.exe | schtasks.exe (3 entries)
  PID 2184 wrote to memory of 1988 | 2184 | csrss.exe | schtasks.exe (3 entries)
  PID 2184 wrote to memory of 3116 | 2184 | csrss.exe | schtasks.exe (3 entries)
  PID 2184 wrote to memory of 1568 | 2184 | csrss.exe | cmd.exe (3 entries)
  PID 1568 wrote to memory of 752 | 1568 | cmd.exe | chcp.com (3 entries)
  PID 1568 wrote to memory of 2800 | 1568 | cmd.exe | PING.EXE (3 entries)
  PID 1568 wrote to memory of 3160 | 1568 | cmd.exe | csrss.exe (3 entries)
Processes (indented by depth in the process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\csrss.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\kbdarmph\winlogon.exe'" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:3848
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:2912
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:3860
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchUI.exe'" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:1988
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe'" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:3116
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\FLHmpYhDet.bat"
      - Suspicious use of WriteProcessMemory
      PID:1568
    [3] C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
        PID:752
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 localhost
        - Runs ping.exe
        PID:2800
    [3] C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID:3160
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csrss.exe.log
  MD5: 5ffad73168c231b45cb78e9d9f20ddc9
  SHA1: 10d2e22118fddb531b038d6a2bbaf4912f67956a
  SHA256: 09002a9002494e8ab1ead3f7db4fdd1fc611094e7f2c1e04c6fb1c2f7dc3767a
  SHA512: b18a369de64c03825dd865781655ca34e55683489239ce0149dc0c116f3d0249462720843b1bf261f557ba6d5fd5d4cb69d873fe9995b0c9f1b37017b4c395a4
-
C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe
  MD5: 2a9be7e5bc1de20522b4e71159159956
  SHA1: 53b6034d122211f7e3937d5f61325d3211842848
  SHA256: f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e
  SHA512: af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0
-
C:\Users\Public\FLHmpYhDet.bat
  MD5: f2393dee9928e1dbc4beb474e74e9de0
  SHA1: 16ec9ffd8666b33e7061b5336266cd60c674be69
  SHA256: a39957aa9bf4e9f18c80119f093ec9cf7b87c5c51147034b205901413b48adb3
  SHA512: 6fd97eb7bf58cd6b635d7930ec59a5561c0b839e68e857e320bafd7d3276f20d1996554e38f42aa942a725926e334aca236cdd6f0feb119916e0b2fc3405cdb9
-
memory/752-128-0x0000000000000000-mapping.dmp
-
memory/1568-126-0x0000000000000000-mapping.dmp
-
memory/1988-124-0x0000000000000000-mapping.dmp
-
memory/2184-119-0x0000000007B01000-0x0000000007B02000-memory.dmp (Filesize: 4KB)
-
memory/2184-114-0x0000000077300000-0x000000007748E000-memory.dmp (Filesize: 1.6MB)
-
memory/2184-120-0x0000000008700000-0x0000000008701000-memory.dmp (Filesize: 4KB)
-
memory/2184-118-0x0000000007880000-0x0000000007881000-memory.dmp (Filesize: 4KB)
-
memory/2184-117-0x0000000008100000-0x0000000008101000-memory.dmp (Filesize: 4KB)
-
memory/2184-115-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
-
memory/2800-129-0x0000000000000000-mapping.dmp
-
memory/2912-122-0x0000000000000000-mapping.dmp
-
memory/3116-125-0x0000000000000000-mapping.dmp
-
memory/3160-133-0x0000000077300000-0x000000007748E000-memory.dmp (Filesize: 1.6MB)
-
memory/3160-130-0x0000000000000000-mapping.dmp
-
memory/3160-135-0x0000000001130000-0x0000000001131000-memory.dmp (Filesize: 4KB)
-
memory/3160-139-0x0000000007501000-0x0000000007502000-memory.dmp (Filesize: 4KB)
-
memory/3160-141-0x0000000004EF0000-0x0000000004EF7000-memory.dmp (Filesize: 28KB)
-
memory/3160-142-0x0000000008E60000-0x0000000008E61000-memory.dmp (Filesize: 4KB)
-
memory/3848-121-0x0000000000000000-mapping.dmp
-
memory/3860-123-0x0000000000000000-mapping.dmp