Analysis
-
max time kernel
225s -
max time network
280s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
18/02/2022, 07:34
Static task
static1
Behavioral task
behavioral1
Sample
Myou.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Myou.dll
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
csrts.exe
Resource
win7-en-20211208
General
-
Target
csrts.exe
-
Size
498KB
-
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6
-
SHA1
865fe61d037b67841c36468a9e7af15656621abc
-
SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
-
SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2464 updater.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation updater.exe -
Loads dropped DLL 2 IoCs
pid Process 2464 updater.exe 2464 updater.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini updater.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\Myou.dll updater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe updater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe updater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll updater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll updater.exe File created C:\Program Files\Mozilla Firefox\firefox.exe updater.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe updater.exe File created C:\Program Files\Mozilla Firefox\Myou.dll updater.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico updater.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico updater.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll updater.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll updater.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance updater.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2464 updater.exe 3800 mspaint.exe 3800 mspaint.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1800 csrts.exe Token: SeDebugPrivilege 2464 updater.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2464 updater.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3800 mspaint.exe 3800 mspaint.exe 3800 mspaint.exe 3800 mspaint.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1800 wrote to memory of 2464 1800 csrts.exe 69 PID 1800 wrote to memory of 2464 1800 csrts.exe 69 PID 1800 wrote to memory of 2464 1800 csrts.exe 69 PID 1800 wrote to memory of 1900 1800 csrts.exe 70 PID 1800 wrote to memory of 1900 1800 csrts.exe 70 PID 1800 wrote to memory of 1900 1800 csrts.exe 70 PID 2464 wrote to memory of 3112 2464 updater.exe 73 PID 2464 wrote to memory of 3112 2464 updater.exe 73 PID 2464 wrote to memory of 3112 2464 updater.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\csrts.exe"C:\Users\Admin\AppData\Local\Temp\csrts.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Roaming\updater.exe"C:\Users\Admin\AppData\Roaming\updater.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b23aba79-0484-4260-98e6-5f13849138d9.bat" "3⤵PID:3112
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62701414-a807-4782-abb9-4bc778f3dfb5.bat" "2⤵PID:1900
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3680
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CompleteInvoke.emf"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3800
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService1⤵PID:1908
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\请阅读我.RSA.txt1⤵PID:744