Resubmissions

18/02/2022, 07:34

220218-jea7tadbcq 8

18/02/2022, 07:13

220218-h2b7yschgj 8

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    18/02/2022, 07:34

General

  • Target

    csrts.exe

  • Size

    498KB

  • MD5

    aa877144edcef2e8d5a8d37d7ea0d4b6

  • SHA1

    865fe61d037b67841c36468a9e7af15656621abc

  • SHA256

    3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

  • SHA512

    300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\csrts.exe
    "C:\Users\Admin\AppData\Local\Temp\csrts.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Roaming\updater.exe
      "C:\Users\Admin\AppData\Roaming\updater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e8108e96-388d-461f-ad4e-fdb1623e3e15.bat" "
        3⤵
          PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\799f62c5-2a6e-4b3d-81fc-7fa4c1f61018.bat" "
        2⤵
        • Deletes itself
        PID:1120

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1168-68-0x00000000005F0000-0x00000000005FE000-memory.dmp

      Filesize

      56KB

    • memory/1168-63-0x0000000000170000-0x00000000001EE000-memory.dmp

      Filesize

      504KB

    • memory/1168-69-0x0000000073FCE000-0x0000000073FCF000-memory.dmp

      Filesize

      4KB

    • memory/1168-70-0x0000000004B30000-0x0000000004B31000-memory.dmp

      Filesize

      4KB

    • memory/1168-72-0x0000000002010000-0x0000000002040000-memory.dmp

      Filesize

      192KB

    • memory/1168-73-0x0000000004B35000-0x0000000004B46000-memory.dmp

      Filesize

      68KB

    • memory/1212-55-0x0000000073FCE000-0x0000000073FCF000-memory.dmp

      Filesize

      4KB

    • memory/1212-59-0x0000000004A25000-0x0000000004A36000-memory.dmp

      Filesize

      68KB

    • memory/1212-58-0x0000000000290000-0x000000000029E000-memory.dmp

      Filesize

      56KB

    • memory/1212-57-0x0000000004A20000-0x0000000004A21000-memory.dmp

      Filesize

      4KB

    • memory/1212-56-0x00000000001F0000-0x000000000026E000-memory.dmp

      Filesize

      504KB