Resubmissions

18/02/2022, 07:34

220218-jea7tadbcq 8

18/02/2022, 07:13

220218-h2b7yschgj 8

Analysis

  • max time kernel
    94s
  • max time network
    99s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    18/02/2022, 07:13

General

  • Target

    csrts.exe

  • Size

    498KB

  • MD5

    aa877144edcef2e8d5a8d37d7ea0d4b6

  • SHA1

    865fe61d037b67841c36468a9e7af15656621abc

  • SHA256

    3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

  • SHA512

    300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\csrts.exe
    "C:\Users\Admin\AppData\Local\Temp\csrts.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Roaming\updater.exe
      "C:\Users\Admin\AppData\Roaming\updater.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7816905-2107-4f56-bc2f-ec69e7f22a4a.bat" "
        3⤵
          PID:4496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9d5e76d5-dd36-4f08-92a7-c25811bf058f.bat" "
        2⤵
          PID:3328

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3352-120-0x0000000005CC0000-0x0000000005D52000-memory.dmp

        Filesize

        584KB

      • memory/3352-115-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

        Filesize

        4KB

      • memory/3352-119-0x00000000060E0000-0x00000000065DE000-memory.dmp

        Filesize

        5.0MB

      • memory/3352-118-0x00000000055E0000-0x00000000055EE000-memory.dmp

        Filesize

        56KB

      • memory/3352-117-0x00000000057D0000-0x00000000057D1000-memory.dmp

        Filesize

        4KB

      • memory/3352-116-0x0000000000D40000-0x0000000000DBE000-memory.dmp

        Filesize

        504KB

      • memory/4276-127-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

        Filesize

        4KB

      • memory/4276-128-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

        Filesize

        4KB

      • memory/4276-130-0x00000000061C0000-0x00000000061F0000-memory.dmp

        Filesize

        192KB

      • memory/4276-131-0x0000000004FC3000-0x0000000004FC5000-memory.dmp

        Filesize

        8KB

      • memory/4276-132-0x00000000084C0000-0x00000000084CA000-memory.dmp

        Filesize

        40KB

      • memory/4276-133-0x0000000009120000-0x0000000009142000-memory.dmp

        Filesize

        136KB