Analysis
max time kernel: 94s
max time network: 99s
platform: windows10_x64
resource: win10-en-20211208
submitted: 18-02-2022 07:13
Static task: static1
Behavioral task: behavioral1 (Sample: Myou.dll, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: Myou.dll, Resource: win10-en-20211208)
Behavioral task: behavioral3 (Sample: csrts.exe, Resource: win7-en-20211208)
General
Target: csrts.exe
Size: 498KB
MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1: 865fe61d037b67841c36468a9e7af15656621abc
SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process
  4276  updater.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation  updater.exe
- Loads dropped DLL (2 IoCs)
  pid   process
  4276  updater.exe
  4276  updater.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (1 IoC)
  description                   ioc                                                                                                       process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini  updater.exe
- Drops file in Program Files directory (8 IoCs)
  description                   ioc                                                                  process
  File created                  C:\Program Files\Mozilla Firefox\Myou.dll                            updater.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\Myou.dll                            updater.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe   updater.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe   updater.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll       updater.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll       updater.exe
  File created                  C:\Program Files\Mozilla Firefox\firefox.exe                         updater.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe                         updater.exe
  Note that firefox.exe and AcroRd32.exe are themselves created/modified, not only the Myou.dll placed beside each of them; Myou.dll is also the sample submitted for tasks behavioral1 and behavioral2.
- Drops file in Windows directory (4 IoCs)
  description                   ioc                                                                              process
  File created                  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico       updater.exe
  File opened for modification  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico       updater.exe
  File created                  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll            updater.exe
  File opened for modification  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll            updater.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; nothing else in this report (no mass file modification, no ransom note) supports that reading for this sample.
- Modifies registry class (1 IoC)
  description  ioc                                                                                                    process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance  updater.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  4276  updater.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3352  csrts.exe
  Token: SeDebugPrivilege  4276  updater.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  4276  updater.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process      target process
  PID 3352 wrote to memory of 4276   3352  csrts.exe    updater.exe   (listed three times)
  PID 3352 wrote to memory of 3328   3352  csrts.exe    cmd.exe       (listed three times)
  PID 4276 wrote to memory of 4496   4276  updater.exe  cmd.exe       (listed three times)
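The file-drop signatures above, parsed and triaged by an added Python example (not part of the report or the sandbox). It embeds the twelve Program Files and Windows-directory events from this page verbatim as constructed input, splits the flattened "File created <path> <process>" text back into records, lists every write under a protected directory, and reports each directory in which the dropper writes both an EXE and a DLL. The protected-directory prefixes and the EXE-plus-DLL-in-one-directory heuristic (the classic side-loading layout) are the example's own, not findings stated by the report.

```python
"""Triage a sandbox report's file-drop IoCs.

Added example for this page, not part of the report. The extracted signature
text runs 'File created <path> <process>' and 'File opened for modification
<path> <process>' together on one line; paths may contain spaces, so the
process name (last whitespace-free token) is used as the record terminator.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname, splitext

EVENT = re.compile(
    r"File (created|opened for modification) (.+?) (\S+)"
    r"(?=\s+File (?:created|opened for modification) |\s*$)"
)

# Constructed from the 'Drops file in Program Files directory' and
# 'Drops file in Windows directory' signatures of this report (verbatim).
DROPS = (
    r"File created C:\Program Files\Mozilla Firefox\Myou.dll updater.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\Myou.dll updater.exe "
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe updater.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe updater.exe "
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll updater.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll updater.exe "
    r"File created C:\Program Files\Mozilla Firefox\firefox.exe updater.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe updater.exe "
    r"File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico updater.exe "
    r"File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico updater.exe "
    r"File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll updater.exe "
    r"File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll updater.exe"
)

# Directories an unprivileged dropper should never be writing into (example's own list).
PROTECTED = ("c:\\program files", "c:\\windows")


def parse_drops(text):
    """Return a list of (action, path, process) tuples from the flattened text."""
    return [("File " + act, path, proc) for act, path, proc in EVENT.findall(text)]


def protected_writes(events):
    """Deduplicated {path: writing process} for writes under PROTECTED prefixes."""
    hits = {}
    for _, path, proc in events:
        if path.lower().startswith(PROTECTED):
            hits[path] = proc
    return hits


def sideload_pairs(events):
    """Directories where the dropper writes both an .exe and a .dll.

    Returns {directory: {'exe': [...], 'dll': [...]}}; directories that got
    only one of the two kinds (e.g. the Windows\Installer drop here) are left out.
    """
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for _, path, _ in events:
        ext = splitext(path)[1].lower()
        if ext in (".exe", ".dll"):
            by_dir[dirname(path)][ext[1:]].add(basename(path))
    return {d: {k: sorted(v) for k, v in kinds.items()}
            for d, kinds in by_dir.items() if kinds["exe"] and kinds["dll"]}


if __name__ == "__main__":
    events = parse_drops(DROPS)
    for path, proc in protected_writes(events).items():
        print(f"{proc} -> {path}")
    for directory, kinds in sideload_pairs(events).items():
        print(f"side-load candidate in {directory}: {kinds}")
```

On this report the side-loading check returns the Mozilla Firefox and Acrobat Reader directories, each with a Myou.dll beside an EXE that the same process also wrote; the Windows\Installer directory is excluded because only a DLL and an icon land there.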
Processes
C:\Users\Admin\AppData\Local\Temp\csrts.exe  (PID 3352)
  command line: "C:\Users\Admin\AppData\Local\Temp\csrts.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\updater.exe  (PID 4276)
    command line: "C:\Users\Admin\AppData\Roaming\updater.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4496, per the WriteProcessMemory table)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7816905-2107-4f56-bc2f-ec69e7f22a4a.bat" "
  C:\Windows\SysWOW64\cmd.exe  (PID 3328, per the WriteProcessMemory table)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.bat" "
Both cmd.exe children run from SysWOW64 although their command lines name system32: the parents are 32-bit processes, so the path is rewritten by WOW64 file system redirection. Both .bat files are listed under Downloads.
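The WriteProcessMemory signature and the process tree above, rebuilt by an added Python example that is not part of the report or the sandbox. It parses the nine repeated "PID x wrote to memory of y" records into counted edges, renders the lineage tree from them, and separates writes into a process's own freshly spawned child from writes into any other process. The SPAWNED edges are the parent/child pairs of the tree above; the rule that a parent writing into a child it has just created is process-creation bookkeeping rather than injection is the example's heuristic, not a statement made by the report.

```python
"""Rebuild process lineage from a sandbox 'WriteProcessMemory' table.

Added example for this page, not part of the report. The extractor flattened
the table into repeated records of the form
'PID <src> wrote to memory of <dst> <src> <src image> <dst image>';
the same edge appears once per individual write.
"""
import re
from collections import Counter, defaultdict

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Constructed from this report's 'Suspicious use of WriteProcessMemory' section (verbatim).
WPM_TABLE = (
    "PID 3352 wrote to memory of 4276 3352 csrts.exe updater.exe "
    "PID 3352 wrote to memory of 4276 3352 csrts.exe updater.exe "
    "PID 3352 wrote to memory of 4276 3352 csrts.exe updater.exe "
    "PID 3352 wrote to memory of 3328 3352 csrts.exe cmd.exe "
    "PID 3352 wrote to memory of 3328 3352 csrts.exe cmd.exe "
    "PID 3352 wrote to memory of 3328 3352 csrts.exe cmd.exe "
    "PID 4276 wrote to memory of 4496 4276 updater.exe cmd.exe "
    "PID 4276 wrote to memory of 4496 4276 updater.exe cmd.exe "
    "PID 4276 wrote to memory of 4496 4276 updater.exe cmd.exe"
)

# (parent, child) pairs read off the report's Processes tree (constructed).
SPAWNED = {(3352, 4276), (3352, 3328), (4276, 4496)}


def parse_writes(text):
    """Return Counter{(src_pid, src_image, dst_pid, dst_image): number_of_writes}."""
    writes = Counter()
    for src, dst, src_img, dst_img in RECORD.findall(text):
        writes[(int(src), src_img, int(dst), dst_img)] += 1
    return writes


def lineage(writes):
    """Nested {'pid', 'image', 'children'} nodes, rooted at PIDs nobody wrote into."""
    image, children = {}, defaultdict(list)
    for src, src_img, dst, dst_img in writes:
        image[src], image[dst] = src_img, dst_img
        if dst not in children[src]:
            children[src].append(dst)
    written_to = {dst for _, _, dst, _ in writes}

    def node(pid):
        return {"pid": pid, "image": image[pid],
                "children": [node(c) for c in children.get(pid, [])]}

    return [node(p) for p in image if p not in written_to]


def render(nodes, depth=0):
    """Indented text tree, one 'image (pid)' line per process."""
    lines = []
    for n in nodes:
        lines.append("  " * depth + f"{n['image']} ({n['pid']})")
        lines.extend(render(n["children"], depth + 1))
    return lines


def cross_process_writes(writes, spawned):
    """Edges whose target is not a direct child the writer itself spawned.

    Heuristic: a parent writing into a child it has just created is the
    sandbox's process-creation bookkeeping; a write into any other process
    is what deserves a closer look as an injection candidate.
    """
    return sorted(edge for edge in writes if (edge[0], edge[2]) not in spawned)


if __name__ == "__main__":
    writes = parse_writes(WPM_TABLE)
    print("\n".join(render(lineage(writes))))
    print("injection candidates:", cross_process_writes(writes, SPAWNED))
```

For this report every write lands in the writer's own child, so the injection-candidate list is empty; the three writes per child are what process creation looks like in this table, and a PID writing into a process it did not spawn would be the row to chase.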
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.bat
  MD5: 0a8022bac033cce238b7e344c2cecc78
  SHA1: 9255d9c5f1ccf77efdfcec40be92aeb98896a391
  SHA256: a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5
  SHA512: b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd
- C:\Users\Admin\AppData\Local\Temp\a7816905-2107-4f56-bc2f-ec69e7f22a4a.bat
  MD5: 828c5b96d0306ca4b4f8321711a0d78b
  SHA1: 200bd5b788f5cad2f7ef5fc90b0561cb55631258
  SHA256: c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a
  SHA512: 8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5
- C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
  MD5: 256de3b84c5dd3b98b8dac7ebf8d33ec
  SHA1: 6086a74a0a27f0437e91f00fcd4327206fad4014
  SHA256: f53003446ce39947f692809b70b19c9d0f28536e5f725d2db194508318c2bd75
  SHA512: 1b0b3379a38c9d54f2a122c411a6dde4ac8a64e3e60ea6e46d8e941462db57dbed80f863068dd9c4a13b79223ce2fa91976bbd45f4766736fe9f0e247851a57f
- C:\Users\Admin\AppData\Roaming\Myou.dll
  MD5: 313bc92dce801c2ec316c57ea74dd92a
  SHA1: dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
  SHA256: 467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
  SHA512: 442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
- C:\Users\Admin\AppData\Roaming\updater.exe
  (same MD5/SHA1/SHA256/SHA512 as the submitted csrts.exe under General: the sample copies itself to %APPDATA%\updater.exe)
  MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
  SHA1: 865fe61d037b67841c36468a9e7af15656621abc
  SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
  SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
- \Users\Admin\AppData\Roaming\Myou.dll
  MD5: 313bc92dce801c2ec316c57ea74dd92a
  SHA1: dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
  SHA256: 467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
  SHA512: 442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
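The Downloads entries as the extractor left them (algorithm label fused to the hex digest on the same line), turned into a usable IoC set by an added Python example that is not part of the report. It embeds four of the entries above verbatim as constructed input, validates every digest by length and alphabet so that a mis-split or truncated hash can never become an IoC, groups paths by SHA256 so one file dropped under two path spellings counts once, and reports which dropped files are byte-identical to the submitted csrts.exe (its SHA256 is taken from the General section). The record layout it assumes is exactly the one on this page.

```python
"""Parse the flattened 'Downloads' section of a sandbox report into IoC records.

Added example for this page, not part of the report. One entry in the
extracted text is: '<path>MD5' on a line, the bare MD5 hex on the next line,
then 'SHA1<hex>', 'SHA256<hex>' and 'SHA512<hex>' lines; entries are
separated by a line containing only '-'.
"""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELLED = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")
BARE_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed from this report's Downloads section (four of its entries, verbatim).
REPORT_DOWNLOADS = r"""
-
C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.batMD5
0a8022bac033cce238b7e344c2cecc78
SHA19255d9c5f1ccf77efdfcec40be92aeb98896a391
SHA256a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5
SHA512b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd
-
C:\Users\Admin\AppData\Roaming\Myou.dllMD5
313bc92dce801c2ec316c57ea74dd92a
SHA1dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
SHA256467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
SHA512442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
-
C:\Users\Admin\AppData\Roaming\updater.exeMD5
aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1865fe61d037b67841c36468a9e7af15656621abc
SHA2563dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
-
\Users\Admin\AppData\Roaming\Myou.dllMD5
313bc92dce801c2ec316c57ea74dd92a
SHA1dd13b2799a9ecea34c29aeffba8ffee5a85d10c6
SHA256467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f
SHA512442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c
"""

# SHA256 of the submitted target, from the report's General section.
TARGET_SHA256 = "3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee"


def parse_downloads(text):
    """Return a list of {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'} dicts.

    Raises ValueError on a digest whose length or alphabet is wrong, so a
    truncated or mis-split hash never silently becomes an indicator.
    """
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("MD5"):           # '<path>MD5' opens a new entry
            cur = {"path": line[:-3]}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"digest before any path: {line!r}")
        m = LABELLED.match(line)
        if m:
            algo, digest = m.group(1), m.group(2)
        elif BARE_HEX.match(line):          # the MD5 value line carries no label
            algo, digest = "MD5", line
        else:
            raise ValueError(f"unrecognised line: {line!r}")
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} digest of length {len(digest)} in {cur['path']}")
        cur[algo] = digest.lower()
    return entries


def by_sha256(entries):
    """Group paths by SHA256 so the same file under several path spellings is one IoC."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["SHA256"]].add(e["path"])
    return dict(groups)


def self_copies(entries, target_sha256):
    """Sorted paths whose content is byte-identical to the submitted sample."""
    return sorted(e["path"] for e in entries if e["SHA256"] == target_sha256)


if __name__ == "__main__":
    recs = parse_downloads(REPORT_DOWNLOADS)
    for digest, paths in by_sha256(recs).items():
        print(digest[:16], sorted(paths))
    print("self-copies of the sample:", self_copies(recs, TARGET_SHA256))
```

Feeding the whole Downloads section through the same parser yields six distinct SHA256 values; on the four embedded entries it yields three, with both spellings of Myou.dll collapsed into one indicator and updater.exe identified as a straight copy of csrts.exe.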
-
memory/3352-120-0x0000000005CC0000-0x0000000005D52000-memory.dmp  Filesize: 584KB
memory/3352-115-0x0000000073FEE000-0x0000000073FEF000-memory.dmp  Filesize: 4KB
memory/3352-119-0x00000000060E0000-0x00000000065DE000-memory.dmp  Filesize: 5.0MB
memory/3352-118-0x00000000055E0000-0x00000000055EE000-memory.dmp  Filesize: 56KB
memory/3352-117-0x00000000057D0000-0x00000000057D1000-memory.dmp  Filesize: 4KB
memory/3352-116-0x0000000000D40000-0x0000000000DBE000-memory.dmp  Filesize: 504KB
memory/4276-127-0x0000000073FEE000-0x0000000073FEF000-memory.dmp  Filesize: 4KB
memory/4276-128-0x0000000004FC0000-0x0000000004FC1000-memory.dmp  Filesize: 4KB
memory/4276-130-0x00000000061C0000-0x00000000061F0000-memory.dmp  Filesize: 192KB
memory/4276-131-0x0000000004FC3000-0x0000000004FC5000-memory.dmp  Filesize: 8KB
memory/4276-132-0x00000000084C0000-0x00000000084CA000-memory.dmp  Filesize: 40KB
memory/4276-133-0x0000000009120000-0x0000000009142000-memory.dmp  Filesize: 136KB