Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 18-02-2022 07:13
Static task: static1
Behavioral task: behavioral1 (sample Myou.dll, resource win7-en-20211208)
Behavioral task: behavioral2 (sample Myou.dll, resource win10-en-20211208)
Behavioral task: behavioral3 (sample csrts.exe, resource win7-en-20211208)
General
Target: csrts.exe
Size: 498KB
MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1: 865fe61d037b67841c36468a9e7af15656621abc
SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: updater.exe (PID 556)
Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1184)
Loads dropped DLL (5 IoCs)
  Processes: csrts.exe (PID 880), 1 load; updater.exe (PID 556), 4 loads
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (4 IoCs)
  Processes: updater.exe
    File opened for modification: C:\Program Files\Mozilla Firefox\Myou.dll
    File created: C:\Program Files\Mozilla Firefox\firefox.exe
    File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
    File created: C:\Program Files\Mozilla Firefox\Myou.dll
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies system certificate store
  Processes: updater.exe
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [hex-encoded certificate blob omitted]
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: updater.exe (PID 556)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: csrts.exe (PID 880), Token: SeDebugPrivilege; updater.exe (PID 556), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    PID 880 (csrts.exe) wrote to memory of PID 556 (updater.exe), 7 times
    PID 880 (csrts.exe) wrote to memory of PID 1184 (cmd.exe), 4 times
    PID 556 (updater.exe) wrote to memory of PID 544 (cmd.exe), 4 times
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\csrts.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\csrts.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\updater.exe
    Command line: "C:\Users\Admin\AppData\Roaming\updater.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6d5d13e1-cd55-4f10-ac91-93f6389261df.bat" "
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\30e6376c-b318-4bb5-a22d-d653d59640c1.bat" "
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\30e6376c-b318-4bb5-a22d-d653d59640c1.bat
  MD5: 0a8022bac033cce238b7e344c2cecc78
  SHA1: 9255d9c5f1ccf77efdfcec40be92aeb98896a391
  SHA256: a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5
  SHA512: b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd
C:\Users\Admin\AppData\Local\Temp\6d5d13e1-cd55-4f10-ac91-93f6389261df.bat
  MD5: 828c5b96d0306ca4b4f8321711a0d78b
  SHA1: 200bd5b788f5cad2f7ef5fc90b0561cb55631258
  SHA256: c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a
  SHA512: 8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5
C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
  MD5: 89eecf5d74b0e99e7118fcb2cd0d78aa
  SHA1: 4c70575a29ef819b944ceca26733b6041394b2df
  SHA256: ba3ac353cfd9628c6bd0d63c47d81ea3c78f273d03999e4fc4a7da186a42de2f
  SHA512: f73ae4b92e38539e0417e8759b78544ea27fdf6d3d6ebc94cbe18e85e4759f10dc294a58bcd6a004009d591330aa56d8d9e84d0e86d04542d219766fe2529ef5
C:\Users\Admin\AppData\Roaming\Myou.dll
  MD5: 313bc92dce801c2ec316c57ea74dd92a
  SHA1: dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
  SHA256: 467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
  SHA512: 442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
C:\Users\Admin\AppData\Roaming\updater.exe
  MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
  SHA1: 865fe61d037b67841c36468a9e7af15656621abc
  SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
  SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
\Program Files\Mozilla Firefox\firefox.exe
  MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
  SHA1: 865fe61d037b67841c36468a9e7af15656621abc
  SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
  SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
\Users\Admin\AppData\Roaming\Myou.dll
  MD5: 313bc92dce801c2ec316c57ea74dd92a
  SHA1: dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
  SHA256: 467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
  SHA512: 442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
\Users\Admin\AppData\Roaming\updater.exe
  MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
  SHA1: 865fe61d037b67841c36468a9e7af15656621abc
  SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
  SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
memory/556-68-0x0000000000390000-0x000000000039E000-memory.dmp (Filesize 56KB)
memory/556-63-0x0000000000300000-0x000000000037E000-memory.dmp (Filesize 504KB)
memory/556-70-0x0000000004BB0000-0x0000000004BB1000-memory.dmp (Filesize 4KB)
memory/556-69-0x0000000074A3E000-0x0000000074A3F000-memory.dmp (Filesize 4KB)
memory/556-72-0x00000000005D0000-0x0000000000600000-memory.dmp (Filesize 192KB)
memory/556-73-0x0000000004BB5000-0x0000000004BC6000-memory.dmp (Filesize 68KB)
memory/880-55-0x0000000074A3E000-0x0000000074A3F000-memory.dmp (Filesize 4KB)
memory/880-59-0x0000000004A75000-0x0000000004A86000-memory.dmp (Filesize 68KB)
memory/880-58-0x0000000000560000-0x000000000056E000-memory.dmp (Filesize 56KB)
memory/880-57-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize 4KB)
memory/880-56-0x00000000013E0000-0x000000000145E000-memory.dmp (Filesize 504KB)