c6079f689a8a692799e84ae1fbb1341d1ee5519e89cc5a622f315da8e651abeb

General

Target

csrts.exe
Size

498KB
MD5

aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1

865fe61d037b67841c36468a9e7af15656621abc
SHA256

3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512

300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

4276 updater.exe

pid	process
4276	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	updater.exe

Loads dropped DLL 2 IoCs

Processes:

updater.exe

pid process

4276 updater.exe
4276 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4276	updater.exe
4276	updater.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

updater.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	updater.exe

Drops file in Program Files directory 8 IoCs

Processes:

updater.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A‎c‎r‎o‎R‎d‎3‎2‎.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A‎c‎r‎o‎R‎d‎3‎2‎.exe	updater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll	updater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll	updater.exe
File created	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe

Drops file in Windows directory 4 IoCs

Processes:

updater.exe

description	ioc	process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\S‎C‎_‎R‎e‎a‎d‎e‎r‎.ico	updater.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\S‎C‎_‎R‎e‎a‎d‎e‎r‎.ico	updater.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll	updater.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

updater.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance updater.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

updater.exe

pid process

4276 updater.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

csrts.exeupdater.exe

description pid process

Token: SeDebugPrivilege 3352 csrts.exe
Token: SeDebugPrivilege 4276 updater.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

updater.exe

pid process

4276 updater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	updater.exe

pid	process
4276	updater.exe

description	pid	process
Token: SeDebugPrivilege	3352	csrts.exe
Token: SeDebugPrivilege	4276	updater.exe

pid	process
4276	updater.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

csrts.exeupdater.exe

description	pid	process	target process
PID 3352 wrote to memory of 4276	3352	csrts.exe	updater.exe
PID 3352 wrote to memory of 4276	3352	csrts.exe	updater.exe
PID 3352 wrote to memory of 4276	3352	csrts.exe	updater.exe
PID 3352 wrote to memory of 3328	3352	csrts.exe	cmd.exe
PID 3352 wrote to memory of 3328	3352	csrts.exe	cmd.exe
PID 3352 wrote to memory of 3328	3352	csrts.exe	cmd.exe
PID 4276 wrote to memory of 4496	4276	updater.exe	cmd.exe
PID 4276 wrote to memory of 4496	4276	updater.exe	cmd.exe
PID 4276 wrote to memory of 4496	4276	updater.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\csrts.exe
"C:\Users\Admin\AppData\Local\Temp\csrts.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Roaming\updater.exe
"C:\Users\Admin\AppData\Roaming\updater.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7816905-2107-4f56-bc2f-ec69e7f22a4a.bat" "
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.bat" "
2⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.bat
MD5
0a8022bac033cce238b7e344c2cecc78

SHA1
9255d9c5f1ccf77efdfcec40be92aeb98896a391

SHA256
a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5

SHA512
b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7816905-2107-4f56-bc2f-ec69e7f22a4a.bat
MD5
828c5b96d0306ca4b4f8321711a0d78b

SHA1
200bd5b788f5cad2f7ef5fc90b0561cb55631258

SHA256
c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a

SHA512
8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5

Download Submit
C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
MD5
256de3b84c5dd3b98b8dac7ebf8d33ec

SHA1
6086a74a0a27f0437e91f00fcd4327206fad4014

SHA256
f53003446ce39947f692809b70b19c9d0f28536e5f725d2db194508318c2bd75

SHA512
1b0b3379a38c9d54f2a122c411a6dde4ac8a64e3e60ea6e46d8e941462db57dbed80f863068dd9c4a13b79223ce2fa91976bbd45f4766736fe9f0e247851a57f

Download Submit
C:\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
memory/3352-120-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/3352-115-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/3352-119-0x00000000060E0000-0x00000000065DE000-memory.dmp

Filesize
5.0MB

Download
memory/3352-118-0x00000000055E0000-0x00000000055EE000-memory.dmp

Filesize
56KB

Download
memory/3352-117-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3352-116-0x0000000000D40000-0x0000000000DBE000-memory.dmp

Filesize
504KB

Download
memory/4276-127-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/4276-128-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4276-130-0x00000000061C0000-0x00000000061F0000-memory.dmp

Filesize
192KB

Download
memory/4276-131-0x0000000004FC3000-0x0000000004FC5000-memory.dmp

Filesize
8KB

Download
memory/4276-132-0x00000000084C0000-0x00000000084CA000-memory.dmp

Filesize
40KB

Download
memory/4276-133-0x0000000009120000-0x0000000009142000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads