Overview

overview

10

Static

static

csrss.exe

windows7_x64

10

csrss.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-04-2021 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    csrss.exe

  • Size

    2.1MB

  • MD5

    2a9be7e5bc1de20522b4e71159159956

  • SHA1

    53b6034d122211f7e3937d5f61325d3211842848

  • SHA256

    f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e

  • SHA512

    af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\kbdarmph\winlogon.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3848
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2912
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3860
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchUI.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1988
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\FLHmpYhDet.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:752
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 localhost
          3⤵
          • Runs ping.exe
          PID:2800
        • C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe
          "C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe"
          3⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3160

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csrss.exe.log
      MD5

      5ffad73168c231b45cb78e9d9f20ddc9

      SHA1

      10d2e22118fddb531b038d6a2bbaf4912f67956a

      SHA256

      09002a9002494e8ab1ead3f7db4fdd1fc611094e7f2c1e04c6fb1c2f7dc3767a

      SHA512

      b18a369de64c03825dd865781655ca34e55683489239ce0149dc0c116f3d0249462720843b1bf261f557ba6d5fd5d4cb69d873fe9995b0c9f1b37017b4c395a4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe
      MD5

      2a9be7e5bc1de20522b4e71159159956

      SHA1

      53b6034d122211f7e3937d5f61325d3211842848

      SHA256

      f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e

      SHA512

      af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent\csrss.exe
      MD5

      2a9be7e5bc1de20522b4e71159159956

      SHA1

      53b6034d122211f7e3937d5f61325d3211842848

      SHA256

      f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e

      SHA512

      af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0

      Download Submit
    • C:\Users\Public\FLHmpYhDet.bat
      MD5

      f2393dee9928e1dbc4beb474e74e9de0

      SHA1

      16ec9ffd8666b33e7061b5336266cd60c674be69

      SHA256

      a39957aa9bf4e9f18c80119f093ec9cf7b87c5c51147034b205901413b48adb3

      SHA512

      6fd97eb7bf58cd6b635d7930ec59a5561c0b839e68e857e320bafd7d3276f20d1996554e38f42aa942a725926e334aca236cdd6f0feb119916e0b2fc3405cdb9

      Download Submit
    • memory/752-128-0x0000000000000000-mapping.dmp
      Download
    • memory/1568-126-0x0000000000000000-mapping.dmp
      Download
    • memory/1988-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2184-119-0x0000000007B01000-0x0000000007B02000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-114-0x0000000077300000-0x000000007748E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2184-120-0x0000000008700000-0x0000000008701000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-118-0x0000000007880000-0x0000000007881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-117-0x0000000008100000-0x0000000008101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-115-0x0000000000150000-0x0000000000151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2800-129-0x0000000000000000-mapping.dmp
      Download
    • memory/2912-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3116-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3160-133-0x0000000077300000-0x000000007748E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3160-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3160-135-0x0000000001130000-0x0000000001131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3160-139-0x0000000007501000-0x0000000007502000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3160-141-0x0000000004EF0000-0x0000000004EF7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/3160-142-0x0000000008E60000-0x0000000008E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3848-121-0x0000000000000000-mapping.dmp
      Download
    • memory/3860-123-0x0000000000000000-mapping.dmp
      Download