c6079f689a8a692799e84ae1fbb1341d1ee5519e89cc5a622f315da8e651abeb

Resubmissions

18-02-2022 07:34

220218-jea7tadbcq 8

18-02-2022 07:13

220218-h2b7yschgj 8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
18-02-2022 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

csrts.exe
Size

498KB
MD5

aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1

865fe61d037b67841c36468a9e7af15656621abc
SHA256

3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512

300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

556 updater.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1184 cmd.exe
Loads dropped DLL 5 IoCs

Processes:

csrts.exeupdater.exe

pid process

880 csrts.exe
556 updater.exe
556 updater.exe
556 updater.exe
556 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
556	updater.exe

pid	process
1184	cmd.exe

pid	process
880	csrts.exe
556	updater.exe
556	updater.exe
556	updater.exe
556	updater.exe

Drops file in Program Files directory 4 IoCs

Processes:

updater.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe
File created	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File created	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

updater.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	updater.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

updater.exe

pid process

556 updater.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

csrts.exeupdater.exe

description pid process

Token: SeDebugPrivilege 880 csrts.exe
Token: SeDebugPrivilege 556 updater.exe

pid	process
556	updater.exe

description	pid	process
Token: SeDebugPrivilege	880	csrts.exe
Token: SeDebugPrivilege	556	updater.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

csrts.exeupdater.exe

description	pid	process	target process
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 556	880	csrts.exe	updater.exe
PID 880 wrote to memory of 1184	880	csrts.exe	cmd.exe
PID 880 wrote to memory of 1184	880	csrts.exe	cmd.exe
PID 880 wrote to memory of 1184	880	csrts.exe	cmd.exe
PID 880 wrote to memory of 1184	880	csrts.exe	cmd.exe
PID 556 wrote to memory of 544	556	updater.exe	cmd.exe
PID 556 wrote to memory of 544	556	updater.exe	cmd.exe
PID 556 wrote to memory of 544	556	updater.exe	cmd.exe
PID 556 wrote to memory of 544	556	updater.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\csrts.exe
"C:\Users\Admin\AppData\Local\Temp\csrts.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Roaming\updater.exe
"C:\Users\Admin\AppData\Roaming\updater.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6d5d13e1-cd55-4f10-ac91-93f6389261df.bat" "
3⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\30e6376c-b318-4bb5-a22d-d653d59640c1.bat" "
2⤵
- Deletes itself
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30e6376c-b318-4bb5-a22d-d653d59640c1.bat
MD5
0a8022bac033cce238b7e344c2cecc78

SHA1
9255d9c5f1ccf77efdfcec40be92aeb98896a391

SHA256
a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5

SHA512
b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d5d13e1-cd55-4f10-ac91-93f6389261df.bat
MD5
828c5b96d0306ca4b4f8321711a0d78b

SHA1
200bd5b788f5cad2f7ef5fc90b0561cb55631258

SHA256
c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a

SHA512
8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5

Download Submit
C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
MD5
89eecf5d74b0e99e7118fcb2cd0d78aa

SHA1
4c70575a29ef819b944ceca26733b6041394b2df

SHA256
ba3ac353cfd9628c6bd0d63c47d81ea3c78f273d03999e4fc4a7da186a42de2f

SHA512
f73ae4b92e38539e0417e8759b78544ea27fdf6d3d6ebc94cbe18e85e4759f10dc294a58bcd6a004009d591330aa56d8d9e84d0e86d04542d219766fe2529ef5

Download Submit
C:\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
memory/556-68-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/556-63-0x0000000000300000-0x000000000037E000-memory.dmp

Filesize
504KB

Download
memory/556-70-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/556-69-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/556-72-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/556-73-0x0000000004BB5000-0x0000000004BC6000-memory.dmp

Filesize
68KB

Download
memory/880-55-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/880-59-0x0000000004A75000-0x0000000004A86000-memory.dmp

Filesize
68KB

Download
memory/880-58-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/880-57-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/880-56-0x00000000013E0000-0x000000000145E000-memory.dmp

Filesize
504KB

Download