f45992d5769523b5380d45fe1a40f2c921eabf98b695d2c2b272bcde12cab75e

General

Target

csrss.exe
Size

1.8MB
MD5

c952383a9e62b399001ebbb03468d786
SHA1

1e45c19599479a6673c137ed59386b56696b4949
SHA256

f45992d5769523b5380d45fe1a40f2c921eabf98b695d2c2b272bcde12cab75e
SHA512

77eb2aeff62b52ec958315b46b7efb70574d2f42e7d2819cef615e0849e9f94bcd8a99113253213a9bd696e56e4024ce5e1f1a896f17d8ad0713a3955610f547

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4000-114-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/4000-115-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url	wscript.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

csrss.exe

description	pid	process	target process
PID 4044 set thread context of 4000	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 4016	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 3192	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 1552	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2448	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2912	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2296	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2920	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 424	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2712	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 3396	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 1276	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 3488	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 2080	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 3868	4044	csrss.exe	notepad.exe
PID 4044 set thread context of 3492	4044	csrss.exe	notepad.exe

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2652	4000	WerFault.exe	notepad.exe
3628	4016	WerFault.exe	notepad.exe
744	3192	WerFault.exe	notepad.exe
2180	1552	WerFault.exe	notepad.exe
968	2448	WerFault.exe	notepad.exe
8	2912	WerFault.exe	notepad.exe
2200	2296	WerFault.exe	notepad.exe
2024	2920	WerFault.exe	notepad.exe
3008	424	WerFault.exe	notepad.exe
3852	2712	WerFault.exe	notepad.exe
2312	3396	WerFault.exe	notepad.exe
428	1276	WerFault.exe	notepad.exe
1480	3488	WerFault.exe	notepad.exe
3956	2080	WerFault.exe	notepad.exe
2248	3868	WerFault.exe	notepad.exe
2212	3492	WerFault.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exe

pid	process
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe
4044	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

csrss.exe

description	pid	process
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe
Token: SeDebugPrivilege	4044	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

csrss.execmd.exe

description	pid	process	target process
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4000	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 4016	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1188	4044	csrss.exe	cmd.exe
PID 4044 wrote to memory of 1188	4044	csrss.exe	cmd.exe
PID 4044 wrote to memory of 1188	4044	csrss.exe	cmd.exe
PID 1188 wrote to memory of 1484	1188	cmd.exe	wscript.exe
PID 1188 wrote to memory of 1484	1188	cmd.exe	wscript.exe
PID 1188 wrote to memory of 1484	1188	cmd.exe	wscript.exe
PID 4044 wrote to memory of 1188	4044	csrss.exe	cmd.exe
PID 4044 wrote to memory of 1188	4044	csrss.exe	cmd.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 3192	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 1552	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2448	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2912	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe
PID 4044 wrote to memory of 2296	4044	csrss.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:4000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4000 -s 180
3⤵
- Program crash
PID:2652

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4016 -s 180
3⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
3⤵
- Drops startup file
PID:1484

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:3192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3192 -s 180
3⤵
- Program crash
PID:744

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:1552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1552 -s 192
3⤵
- Program crash
PID:2180

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2448 -s 180
3⤵
- Program crash
PID:968

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2912 -s 180
3⤵
- Program crash
PID:8

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2296 -s 180
3⤵
- Program crash
PID:2200

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2920 -s 108
3⤵
- Program crash
PID:2024

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 424 -s 180
3⤵
- Program crash
PID:3008

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 180
3⤵
- Program crash
PID:3852

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:3396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3396 -s 180
3⤵
- Program crash
PID:2312

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1276 -s 180
3⤵
- Program crash
PID:428

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:3488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3488 -s 180
3⤵
- Program crash
PID:1480

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:2080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2080 -s 180
3⤵
- Program crash
PID:3956

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:3868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3868 -s 180
3⤵
- Program crash
PID:2248

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
2⤵
PID:3492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3492 -s 180
3⤵
- Program crash
PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LKBNMTFJgl\r.vbs
MD5
19b2d791962e01151e4b6a40a90e8cd8

SHA1
a1ee500267dd1d457b3f840f8a00ba808bb46eb3

SHA256
67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664

SHA512
4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
MD5
e03e6937ba1878ace3d849b233adecfe

SHA1
affbb4f8b53af6cf35660b775a0a8f70fb95f8b5

SHA256
9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d

SHA512
99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9

Download Submit
memory/424-161-0x0000000000A14AA0-mapping.dmp

Download
memory/1188-124-0x0000000000000000-mapping.dmp

Download
memory/1188-127-0x0000000002D40000-0x0000000002F14000-memory.dmp

Filesize
1.8MB

Download
memory/1276-176-0x0000000000A14AA0-mapping.dmp

Download
memory/1484-125-0x0000000000000000-mapping.dmp

Download
memory/1552-136-0x0000000000A14AA0-mapping.dmp

Download
memory/2080-186-0x0000000000A14AA0-mapping.dmp

Download
memory/2296-151-0x0000000000A14AA0-mapping.dmp

Download
memory/2448-141-0x0000000000A14AA0-mapping.dmp

Download
memory/2712-166-0x0000000000A14AA0-mapping.dmp

Download
memory/2912-146-0x0000000000A14AA0-mapping.dmp

Download
memory/2920-156-0x0000000000A14AA0-mapping.dmp

Download
memory/3192-131-0x0000000000A14AA0-mapping.dmp

Download
memory/3396-171-0x0000000000A14AA0-mapping.dmp

Download
memory/3488-181-0x0000000000A14AA0-mapping.dmp

Download
memory/3492-196-0x0000000000A14AA0-mapping.dmp

Download
memory/3868-191-0x0000000000A14AA0-mapping.dmp

Download
memory/4000-116-0x0000000000A14AA0-mapping.dmp

Download
memory/4000-115-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4000-114-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4016-121-0x0000000000A14AA0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads