Analysis
  max time kernel: 139s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/09/2022, 07:09
Static task: static1
Behavioral task: behavioral1
  Sample: c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  Resource: win10v2004-20220812-en
General
  Target: c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  Size: 41KB
  MD5: 46bdb9d50ae95275d88695f773e3ed72
  SHA1: 33778431bff5f34a331bd15a3025bafe3fd76197
  SHA256: c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614
  SHA512: d1c4c4edbeb296b4a9839c5cf34d4d91be83f01e13a39e3ace202977b9a63282556a32c03bfea2292bea5a7edead36b1b7beb7de37a6f47a39a58864bb6abf7f
  SSDEEP: 768:dIkFZdVUyjRtS5ES4p+Vh1Fs8OAjiiup9yqxBxKWCA5sIqcT0:TXRtmES4YVhrKAbup9BHaAGzcT0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe" | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe" | csmm.exe

Executes dropped EXE (2 IoCs)
  pid | process
  5100 | csmm.exe
  5060 | csmm.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\csmm.exe | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  File opened for modification | C:\Windows\SysWOW64\csmm.exe | csmm.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  676 | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  5100 | csmm.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  676 | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
  5100 | csmm.exe
  5060 | csmm.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 676 wrote to memory of 5100 | 676 | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe | 83
  PID 676 wrote to memory of 5100 | 676 | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe | 83
  PID 676 wrote to memory of 5100 | 676 | c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe | 83
  PID 5100 wrote to memory of 5060 | 5100 | csmm.exe | 84
  PID 5100 wrote to memory of 5060 | 5100 | csmm.exe | 84
  PID 5100 wrote to memory of 5060 | 5100 | csmm.exe | 84
Processes
  1. C:\Users\Admin\AppData\Local\Temp\c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\c181ec70bfb70b605977f435fffd1933be9f36de72b8a6a0531ab2c6f322e614.exe"
     PID: 676
     - Modifies WinLogon for persistence
     - Drops file in System32 directory
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\csmm.exe
        Command line: C:\Windows\system32\csmm.exe
        PID: 5100
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\csmm.exe
           Command line: C:\Windows\system32\csmm.exe
           PID: 5060
           - Executes dropped EXE
           - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 41KB
  MD5: 560f08ad9f8f3c9f7743cdbf59ffea5b
  SHA1: a645e552242226befb6aa93c89e3b57be20998be
  SHA256: 723b9bdbb753d95fe5f4cea605542eb0d0f68403e24350150777b945916bc6c8
  SHA512: 8d37b9bcfc5300eb4aeda5bfca5b5660ac011f2e602ca41e90ae8c13697d535ee0780c363519a3fc5cee3b3cc945946aebb37707f29ed521bbd3ac1d51a37f98