Analysis Overview
SHA256
244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf
Threat Level: Known bad
The file 244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file to hidden
Executes dropped EXE
Checks computer location settings
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Views/modifies file attributes
Kills process with taskkill
Delays execution with timeout.exe
Runs .reg file with regedit
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-20 03:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 03:41
Reported
2022-05-20 03:58
Platform
win7-20220414-en
Max time kernel
3s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Sets file to hidden
Loads dropped DLL
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
"C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ccsrss.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\System32\vipcatalog"
C:\Users\Admin\AppData\Local\Temp\csrss.exe
"csrss.exe" /silentinstall
Network
Files
memory/1792-54-0x0000000075451000-0x0000000075453000-memory.dmp
memory/1268-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Injector.exe
| MD5 | ec801a7d4b72a288ec6c207bb9ff0131 |
| SHA1 | 32eec2ae1f9e201516fa7fcdc16c4928f7997561 |
| SHA256 | b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46 |
| SHA512 | a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac |
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Users\Admin\AppData\Local\Temp\Injector.exe
| MD5 | ec801a7d4b72a288ec6c207bb9ff0131 |
| SHA1 | 32eec2ae1f9e201516fa7fcdc16c4928f7997561 |
| SHA256 | b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46 |
| SHA512 | a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac |
memory/1288-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\install.bat
| MD5 | 836eb56035271bdd5ba96d7d3e9ea733 |
| SHA1 | f38a9c5e37947dbcf59e9bb728316eeefb1cc630 |
| SHA256 | c70172116a25dcc9c067a4c557103e5e2350c419cd728b8efc6a438409179748 |
| SHA512 | f9ff472f6f892604d3457738636ef5af20a35346264677c510dda5a76bbb0f9c7645e7a38cea77864c903e257df4eeb4e5daf4254c4e12b4d06df57b21fea2e9 |
memory/1380-66-0x0000000000000000-mapping.dmp
memory/1288-67-0x0000000000830000-0x0000000000A16000-memory.dmp
memory/1820-68-0x0000000000000000-mapping.dmp
memory/268-69-0x0000000000000000-mapping.dmp
memory/1768-70-0x0000000000000000-mapping.dmp
memory/1084-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | 439564aa3c2b3fa4f28273c47036a22a |
| SHA1 | 820f3cb07a4cd7e6601cb072362f921656ff870f |
| SHA256 | bced15349dc6331e5bbdcf87915a22d9e833a1e61e1aba0061196412f5a72782 |
| SHA512 | dc4e879d999b7b8fa8a6dd116625addc87c570af9a57cb866c6b8d09b25a8da040ab905558a2052c45fc9722a492f7b1afe4a5a879f40319b7b54c2dae17350d |
\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | dd62926280171739773745792e3975a6 |
| SHA1 | 73429a73d97ca1a28d5a9eae1cb5f4addaf2e52d |
| SHA256 | a3bcf5dade28e370eb1239f42f9817dd78833f2c407856aa81d5f943a5282d34 |
| SHA512 | 5cddc822b1bd04afc2afec53a7ad1d50250583392b5ddeefa32a2a2767a1d940bb2e57964f33a8799d760348a8232bb4add0425014829612478877423620a93a |
memory/1560-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | 24e09cdb30c90832e671abeb4631eae5 |
| SHA1 | 0ebf52631f4cf8c42dccc2cf6c3ad807b7e85126 |
| SHA256 | 1311f41cf4a5ede4d7e5d9a2c19c8c01d9477501a52b900b3ab26713e1c423cd |
| SHA512 | bb1c5296f794c79fe8e1ef37d8e8b074a2569ea0e271500e805e36e44a834fc4afebdb1a4ca4afc9d31b334b65600b0426a81a4c806f13c1166444b42a115993 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 03:41
Reported
2022-05-20 03:59
Platform
win10v2004-20220414-en
Max time kernel
157s
Max time network
162s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Sets file to hidden
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\install.bat | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\install.bat | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
"C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ccsrss.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\System32\vipcatalog"
C:\Users\Admin\AppData\Local\Temp\csrss.exe
"csrss.exe" /silentinstall
C:\Windows\SysWOW64\regedit.exe
regedit /s regedit.reg
C:\Users\Admin\AppData\Local\Temp\csrss.exe
"csrss.exe" /start
C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\SysWOW64\find.exe
find "5."
Network
| Country | Destination | Domain | Proto |
| NL | 20.50.201.200:443 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/3308-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Users\Admin\AppData\Local\Temp\install.bat
| MD5 | 836eb56035271bdd5ba96d7d3e9ea733 |
| SHA1 | f38a9c5e37947dbcf59e9bb728316eeefb1cc630 |
| SHA256 | c70172116a25dcc9c067a4c557103e5e2350c419cd728b8efc6a438409179748 |
| SHA512 | f9ff472f6f892604d3457738636ef5af20a35346264677c510dda5a76bbb0f9c7645e7a38cea77864c903e257df4eeb4e5daf4254c4e12b4d06df57b21fea2e9 |
memory/1728-133-0x0000000000000000-mapping.dmp
memory/3712-134-0x0000000000000000-mapping.dmp
memory/2680-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Injector.exe
| MD5 | ec801a7d4b72a288ec6c207bb9ff0131 |
| SHA1 | 32eec2ae1f9e201516fa7fcdc16c4928f7997561 |
| SHA256 | b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46 |
| SHA512 | a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac |
memory/2680-138-0x0000000000E70000-0x0000000001056000-memory.dmp
memory/2680-139-0x00007FFC2E400000-0x00007FFC2EEC1000-memory.dmp
memory/4412-140-0x0000000000000000-mapping.dmp
memory/816-141-0x0000000000000000-mapping.dmp
memory/4916-142-0x0000000000000000-mapping.dmp
memory/5116-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | 8f6e38cc55206473121c8bf63fcbcf2d |
| SHA1 | 35504ce4bc1cea9e737a3be108cd428ab2251e1d |
| SHA256 | fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57 |
| SHA512 | 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9 |
memory/3908-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\regedit.reg
| MD5 | 17bb440d7ba46e17a987ed1f374f2ac1 |
| SHA1 | 728ee6597098eea4be6f6b6b47fe78ed9cf398c9 |
| SHA256 | db044f668a36fd829dfaa5795987509dec80220ddab120722329c34a7dce22e4 |
| SHA512 | 2845891eb7259be7a8553c347560c4feadabe14637763080bd7f22b56818abbce884e61852d64fe921a147133268d5ac008da693ea39cca87dcf8e7ed01ee6ac |
memory/2232-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | 8f6e38cc55206473121c8bf63fcbcf2d |
| SHA1 | 35504ce4bc1cea9e737a3be108cd428ab2251e1d |
| SHA256 | fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57 |
| SHA512 | 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9 |
memory/4428-151-0x0000000000000000-mapping.dmp
memory/972-152-0x0000000000000000-mapping.dmp
memory/2172-153-0x0000000000000000-mapping.dmp
memory/2680-154-0x000000001D0C0000-0x000000001D0D2000-memory.dmp
memory/2680-155-0x000000001D120000-0x000000001D15C000-memory.dmp
memory/2680-156-0x000000001BE0A000-0x000000001BE0F000-memory.dmp