Overview

Overall score: 10

Sample          Platform              Score
Static          static                8
trojan/1.exe    windows7_x64          10
trojan/1.exe    windows10-2004_x64    10
trojan/10.exe   windows7_x64          10
trojan/10.exe   windows10-2004_x64    8
trojan/2.exe    windows7_x64          3
trojan/2.exe    windows10-2004_x64    5
trojan/3.exe    windows7_x64          10
trojan/3.exe    windows10-2004_x64    10
trojan/4.exe    windows7_x64          8
trojan/4.exe    windows10-2004_x64    8
trojan/5.exe    windows7_x64          8
trojan/5.exe    windows10-2004_x64    8
trojan/6.exe    windows7_x64          10
trojan/6.exe    windows10-2004_x64    10
trojan/7.exe    windows7_x64          10
trojan/7.exe    windows10-2004_x64    10
trojan/8.exe    windows7_x64          -
trojan/8.exe    windows10-2004_x64    10
trojan/9.exe    windows7_x64          8
trojan/9.exe    windows10-2004_x64    8
Analysis

- Max time kernel: 111s
- Max time network: 122s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 07-07-2022 09:24
Task           Type         Sample          Resource
static1        Static       -               -
behavioral1    Behavioral   trojan/1.exe    win7-20220414-en
behavioral2    Behavioral   trojan/1.exe    win10v2004-20220414-en
behavioral3    Behavioral   trojan/10.exe   win7-20220414-en
behavioral4    Behavioral   trojan/10.exe   win10v2004-20220414-en
behavioral5    Behavioral   trojan/2.exe    win7-20220414-en
behavioral6    Behavioral   trojan/2.exe    win10v2004-20220414-en
behavioral7    Behavioral   trojan/3.exe    win7-20220414-en
behavioral8    Behavioral   trojan/3.exe    win10v2004-20220414-en
behavioral9    Behavioral   trojan/4.exe    win7-20220414-en
behavioral10   Behavioral   trojan/4.exe    win10v2004-20220414-en
behavioral11   Behavioral   trojan/5.exe    win7-20220414-en
behavioral12   Behavioral   trojan/5.exe    win10v2004-20220414-en
behavioral13   Behavioral   trojan/6.exe    win7-20220414-en
behavioral14   Behavioral   trojan/6.exe    win10v2004-20220414-en
behavioral15   Behavioral   trojan/7.exe    win7-20220414-en
behavioral16   Behavioral   trojan/7.exe    win10v2004-20220414-en
behavioral17   Behavioral   trojan/8.exe    win7-20220414-en
behavioral18   Behavioral   trojan/8.exe    win10v2004-20220414-en
behavioral19   Behavioral   trojan/9.exe    win7-20220414-en
behavioral20   Behavioral   trojan/9.exe    win10v2004-20220414-en
General

- Target: trojan/10.exe
- Size: 216KB
- MD5: 78621f1e196497d440afb57f4609fcf9
- SHA1: eed7c3bb3fc5181b88abeed2204997f350324022
- SHA256: 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080
- SHA512: 8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Process: csrss.exe (PID 4672)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by 10.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by 10.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Value set (str) by 10.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  Process: WerFault.exe (PID 3496), target process: csrss.exe (PID 4672)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: csrss.exe (PID 4672), 64 occurrences

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, process 10.exe (PID 4772), 2 occurrences

- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4772 (10.exe) wrote to memory of PID 4672 (csrss.exe), 3 occurrences
  PID 4772 (10.exe) wrote to memory of PID 4684 (notepad.exe), 6 occurrences
Processes

- C:\Users\Admin\AppData\Local\Temp\trojan\10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan\10.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 764
      - Program crash
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4672 -ip 4672
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  Filesize: 216KB
  MD5: 78621f1e196497d440afb57f4609fcf9
  SHA1: eed7c3bb3fc5181b88abeed2204997f350324022
  SHA256: 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080
  SHA512: 8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44
- memory/4672-130-0x0000000000000000-mapping.dmp
- memory/4684-133-0x0000000000000000-mapping.dmp