Analysis
- max time kernel: 225s
- max time network: 280s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 18-02-2022 07:34
Tasks
- Static task: static1
- Behavioral task: behavioral1, sample Myou.dll, resource win7-en-20211208
- Behavioral task: behavioral2, sample Myou.dll, resource win10-en-20211208
- Behavioral task: behavioral3, sample csrts.exe, resource win7-en-20211208
General
- Target: csrts.exe
- Size: 498KB
- MD5: aa877144edcef2e8d5a8d37d7ea0d4b6
- SHA1: 865fe61d037b67841c36468a9e7af15656621abc
- SHA256: 3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
- SHA512: 300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: updater.exe (PID 2464)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by updater.exe: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (2 IoCs)
  Processes: updater.exe (PID 2464), updater.exe (PID 2464)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (1 IoC)
  File opened for modification by updater.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- Drops file in Program Files directory (8 IoCs), all by updater.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\Myou.dll
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll
  File created: C:\Program Files\Mozilla Firefox\firefox.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
  File created: C:\Program Files\Mozilla Firefox\Myou.dll
- Drops file in Windows directory (5 IoCs)
  File created by updater.exe: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico
  File opened for modification by updater.exe: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico
  File created by updater.exe: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll
  File opened for modification by updater.exe: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll
  File opened for modification by mspaint.exe: C:\Windows\Debug\WIA\wiatrace.log
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Key created by updater.exe: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: updater.exe (PID 2464), mspaint.exe (PID 3800), mspaint.exe (PID 3800)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: csrts.exe (PID 1800)
  Token SeDebugPrivilege: updater.exe (PID 2464)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: updater.exe (PID 2464)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: mspaint.exe (PID 3800), four occurrences
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1800 (csrts.exe) wrote to memory of PID 2464 (updater.exe), three occurrences
  PID 1800 (csrts.exe) wrote to memory of PID 1900 (cmd.exe), three occurrences
  PID 2464 (updater.exe) wrote to memory of PID 3112 (cmd.exe), three occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\csrts.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\csrts.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\updater.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\updater.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b23aba79-0484-4260-98e6-5f13849138d9.bat" "
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62701414-a807-4782-abb9-4bc778f3dfb5.bat" "
- C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\mspaint.exe (level 1)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CompleteInvoke.emf"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system32\svchost.exe (level 1)
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
- C:\Windows\system32\NOTEPAD.EXE (level 1)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\请阅读我.RSA.txt
Downloads