Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 07:09

General

  • Target

    c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe

  • Size

    41KB

  • MD5

    46bdb9d50ae95275d88695f773e3ed72

  • SHA1

    33778431bff5f34a331bd15a3025bafe3fd76197

  • SHA256

    c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614

  • SHA512

    d1c4c4edbeb296b4a9839c5cf34d4d91be83f01e13a39e3ace202977b9a63282556a32c03bfea2292bea5a7edead36b1b7beb7de37a6f47a39a58864bb6abf7f

  • SSDEEP

    768:dIkFZdVUyjRtS5ES4p+Vh1Fs8OAjiiup9yqxBxKWCA5sIqcT0:TXRtmES4YVhrKAbup9BHaAGzcT0

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
    "C:\Users\Admin\AppData\Local\Temp\c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\SysWOW64\csmm.exe
      C:\Windows\system32\csmm.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\SysWOW64\csmm.exe
        C:\Windows\system32\csmm.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5060

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\csmm.exe

    Filesize

    41KB

    MD5

    560f08ad9f8f3c9f7743cdbf59ffea5b

    SHA1

    a645e552242226befb6aa93c89e3b57be20998be

    SHA256

    723b9bdbb753d95fe5f4cea605542eb0d0f68403e24350150777b945916bc6c8

    SHA512

    8d37b9bcfc5300eb4aeda5bfca5b5660ac011f2e602ca41e90ae8c13697d535ee0780c363519a3fc5cee3b3cc945946aebb37707f29ed521bbd3ac1d51a37f98