c6079f689a8a692799e84ae1fbb1341d1ee5519e89cc5a622f315da8e651abeb

Resubmissions

18-02-2022 07:34

220218-jea7tadbcq 8

18-02-2022 07:13

220218-h2b7yschgj 8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
18-02-2022 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

csrts.exe
Size

498KB
MD5

aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1

865fe61d037b67841c36468a9e7af15656621abc
SHA256

3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512

300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1168 updater.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe
Loads dropped DLL 5 IoCs

Processes:

csrts.exeupdater.exe

pid process

1212 csrts.exe
1168 updater.exe
1168 updater.exe
1168 updater.exe
1168 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1168	updater.exe

pid	process
1120	cmd.exe

pid	process
1212	csrts.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe

Drops file in Program Files directory 4 IoCs

Processes:

updater.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File created	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

updater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	updater.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

updater.exe

pid process

1168 updater.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

csrts.exeupdater.exe

description pid process

Token: SeDebugPrivilege 1212 csrts.exe
Token: SeDebugPrivilege 1168 updater.exe

pid	process
1168	updater.exe

description	pid	process
Token: SeDebugPrivilege	1212	csrts.exe
Token: SeDebugPrivilege	1168	updater.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

csrts.exeupdater.exe

description	pid	process	target process
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1168	1212	csrts.exe	updater.exe
PID 1212 wrote to memory of 1120	1212	csrts.exe	cmd.exe
PID 1212 wrote to memory of 1120	1212	csrts.exe	cmd.exe
PID 1212 wrote to memory of 1120	1212	csrts.exe	cmd.exe
PID 1212 wrote to memory of 1120	1212	csrts.exe	cmd.exe
PID 1168 wrote to memory of 1888	1168	updater.exe	cmd.exe
PID 1168 wrote to memory of 1888	1168	updater.exe	cmd.exe
PID 1168 wrote to memory of 1888	1168	updater.exe	cmd.exe
PID 1168 wrote to memory of 1888	1168	updater.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\csrts.exe
"C:\Users\Admin\AppData\Local\Temp\csrts.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\updater.exe
"C:\Users\Admin\AppData\Roaming\updater.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\e8108e96-388d-461f-ad4e-fdb1623e3e15.bat" "
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\799f62c5-2a6e-4b3d-81fc-7fa4c1f61018.bat" "
2⤵
- Deletes itself
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\799f62c5-2a6e-4b3d-81fc-7fa4c1f61018.bat
MD5
0a8022bac033cce238b7e344c2cecc78

SHA1
9255d9c5f1ccf77efdfcec40be92aeb98896a391

SHA256
a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5

SHA512
b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8108e96-388d-461f-ad4e-fdb1623e3e15.bat
MD5
828c5b96d0306ca4b4f8321711a0d78b

SHA1
200bd5b788f5cad2f7ef5fc90b0561cb55631258

SHA256
c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a

SHA512
8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5

Download Submit
C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
MD5
b4975bb98dd34e66e011f2de80799baa

SHA1
39cb309ef458945f3f5208cc264e8b8d73191e14

SHA256
adcbe7bed3612e9a4b23ec44f3aff6c827880368ad01dcd3696c4f35440af7c3

SHA512
0ea5f80bd90f1d32c958ed3b0ee6d99ff6873aace47b8b1a91fe5f329fd51216f14c62d59468ed928ec7623731f20235a92f351499fd88f74dac9589b4515813

Download Submit
C:\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
memory/1168-68-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1168-63-0x0000000000170000-0x00000000001EE000-memory.dmp

Filesize
504KB

Download
memory/1168-69-0x0000000073FCE000-0x0000000073FCF000-memory.dmp

Filesize
4KB

Download
memory/1168-70-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1168-72-0x0000000002010000-0x0000000002040000-memory.dmp

Filesize
192KB

Download
memory/1168-73-0x0000000004B35000-0x0000000004B46000-memory.dmp

Filesize
68KB

Download
memory/1212-55-0x0000000073FCE000-0x0000000073FCF000-memory.dmp

Filesize
4KB

Download
memory/1212-59-0x0000000004A25000-0x0000000004A36000-memory.dmp

Filesize
68KB

Download
memory/1212-58-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1212-57-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1212-56-0x00000000001F0000-0x000000000026E000-memory.dmp

Filesize
504KB

Download