c6079f689a8a692799e84ae1fbb1341d1ee5519e89cc5a622f315da8e651abeb

Resubmissions

18-02-2022 07:34

220218-jea7tadbcq 8

18-02-2022 07:13

220218-h2b7yschgj 8

Analysis

max time kernel
225s
max time network
280s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-02-2022 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

csrts.exe
Size

498KB
MD5

aa877144edcef2e8d5a8d37d7ea0d4b6
SHA1

865fe61d037b67841c36468a9e7af15656621abc
SHA256

3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee
SHA512

300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2464 updater.exe

pid	process
2464	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	updater.exe

Loads dropped DLL 2 IoCs

Processes:

updater.exe

pid process

2464 updater.exe
2464 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2464	updater.exe
2464	updater.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

updater.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	updater.exe

Drops file in Program Files directory 8 IoCs

Processes:

updater.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A‎c‎r‎o‎R‎d‎3‎2‎.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A‎c‎r‎o‎R‎d‎3‎2‎.exe	updater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll	updater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Myou.dll	updater.exe
File created	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File opened for modification	C:\Program Files\Mozilla Firefox\f‎i‎r‎e‎f‎o‎x‎.exe	updater.exe
File created	C:\Program Files\Mozilla Firefox\Myou.dll	updater.exe

Drops file in Windows directory 5 IoCs

Processes:

updater.exemspaint.exe

description	ioc	process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\S‎C‎_‎R‎e‎a‎d‎e‎r‎.ico	updater.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\S‎C‎_‎R‎e‎a‎d‎e‎r‎.ico	updater.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll	updater.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Myou.dll	updater.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

updater.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance updater.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

updater.exemspaint.exe

pid process

2464 updater.exe
3800 mspaint.exe
3800 mspaint.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

csrts.exeupdater.exe

description pid process

Token: SeDebugPrivilege 1800 csrts.exe
Token: SeDebugPrivilege 2464 updater.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

updater.exe

pid process

2464 updater.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mspaint.exe

pid process

3800 mspaint.exe
3800 mspaint.exe
3800 mspaint.exe
3800 mspaint.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	updater.exe

pid	process
2464	updater.exe
3800	mspaint.exe
3800	mspaint.exe

description	pid	process
Token: SeDebugPrivilege	1800	csrts.exe
Token: SeDebugPrivilege	2464	updater.exe

pid	process
2464	updater.exe

pid	process
3800	mspaint.exe
3800	mspaint.exe
3800	mspaint.exe
3800	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

csrts.exeupdater.exe

description	pid	process	target process
PID 1800 wrote to memory of 2464	1800	csrts.exe	updater.exe
PID 1800 wrote to memory of 2464	1800	csrts.exe	updater.exe
PID 1800 wrote to memory of 2464	1800	csrts.exe	updater.exe
PID 1800 wrote to memory of 1900	1800	csrts.exe	cmd.exe
PID 1800 wrote to memory of 1900	1800	csrts.exe	cmd.exe
PID 1800 wrote to memory of 1900	1800	csrts.exe	cmd.exe
PID 2464 wrote to memory of 3112	2464	updater.exe	cmd.exe
PID 2464 wrote to memory of 3112	2464	updater.exe	cmd.exe
PID 2464 wrote to memory of 3112	2464	updater.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\csrts.exe
"C:\Users\Admin\AppData\Local\Temp\csrts.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\updater.exe
"C:\Users\Admin\AppData\Roaming\updater.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b23aba79-0484-4260-98e6-5f13849138d9.bat" "
3⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62701414-a807-4782-abb9-4bc778f3dfb5.bat" "
2⤵
PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3680

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CompleteInvoke.emf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\请阅读我.RSA.txt
1⤵
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62701414-a807-4782-abb9-4bc778f3dfb5.bat
MD5
0a8022bac033cce238b7e344c2cecc78

SHA1
9255d9c5f1ccf77efdfcec40be92aeb98896a391

SHA256
a56efe904bd6357561e87be6ca556445f22733e26d9a98e843eb08d58b5656d5

SHA512
b6fd83d8227d4753989c3f128e1ae4baa0aaa5be03a3cf18e962ae176f0f0f11a09d3643bc1540684d5f624b2d5448a2dcd71f9fb26460c8bb6d411a29ab79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b23aba79-0484-4260-98e6-5f13849138d9.bat
MD5
828c5b96d0306ca4b4f8321711a0d78b

SHA1
200bd5b788f5cad2f7ef5fc90b0561cb55631258

SHA256
c571fcfde329cb909cc62b2dcaa05c9ae3ed69da3bb3d69e1ffe222e6f8f7e5a

SHA512
8e365db127113e96dd9c6de1e6771d938e8d3b8bb8cc87fd3deb99f708055ff10ef34753005881bcc3a58a31d7f648038b14cebddd9b8ecd6b73ca0bed0cfad5

Download Submit
C:\Users\Admin\AppData\Roaming\EasiUpdate\Log.txt
MD5
831d59a9c81492520237d44da7e8172b

SHA1
0c433e9deca85594e6c1ddd7b3cf86a8c27ef9dd

SHA256
7c57220c61d17c04e28bd507ef3932554302be4b81ab4fabad211095172b903e

SHA512
0882376489e18fb80b97a9f5b17fe7eca4df88dbf27e165baea24c029c69d81ca3cb40e693fd622671481fc11324cddb94c2d4f83acd89d10601031b27d10cfc

Download Submit
C:\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
MD5
aa877144edcef2e8d5a8d37d7ea0d4b6

SHA1
865fe61d037b67841c36468a9e7af15656621abc

SHA256
3dca9bd1af28bbf348c0562475edd60de2b5a2424e586eaf118909b013054eee

SHA512
300386cf27f163867e5448acb6119ef774d9ebf4e3702ff8ceb578477c583982151f95d21ac0ec2979b72034d51fae244eca37ba60256334cee42926cdcbad6b

Download Submit
C:\Users\Admin\Downloads\请阅读我.RSA.txt
MD5
c1039c734709f73a3af9a383fb9c2639

SHA1
6c04df37bd9e626aa319917dc459cf2a6bfad3d0

SHA256
51b98e60e1c96ac128ada45d42f615a14e9db0e630bf9162de217cc5050337d3

SHA512
b1543200384f75e1f9ae2193055177cdc007cf12a944eb32786cc982f10b0fc38e784ad5a600b0bc18ac1ef1b7f51132ebc1859f253dec6c6bf812a272ad8b75

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
\Users\Admin\AppData\Roaming\Myou.dll
MD5
313bc92dce801c2ec316c57ea74dd92a

SHA1
dd13b2799a9ecea34c29aeffba8ffee5a85d10c6

SHA256
467e0dce7deac627f86ce46aa0ec23b0265da45dc85564a71cf10bf676f84a6f

SHA512
442559f5dc67fc27dfeff9fad504cd5cab577b21df20e9c7853a79e7d7c12fe4063cbe3b91ef8444467e96d6dc500a3f6baf7c65ac405de364d94d6a7ad32b1c

Download Submit
memory/1800-120-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1800-115-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1800-119-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/1800-118-0x00000000029B0000-0x00000000029BE000-memory.dmp

Filesize
56KB

Download
memory/1800-117-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1800-116-0x0000000000610000-0x000000000068E000-memory.dmp

Filesize
504KB

Download
memory/2464-128-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2464-127-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2464-130-0x00000000061C0000-0x00000000061F0000-memory.dmp

Filesize
192KB

Download
memory/2464-131-0x0000000005093000-0x0000000005095000-memory.dmp

Filesize
8KB

Download
memory/2464-132-0x0000000006940000-0x000000000694A000-memory.dmp

Filesize
40KB

Download
memory/2464-133-0x0000000008FD0000-0x0000000008FF2000-memory.dmp

Filesize
136KB

Download