fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c

Analysis

max time kernel
183s
max time network
181s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Size

218KB
MD5

5a366d62530247bbb7fe6460fc748da0
SHA1

c430642e000fbff14d0e05209085a473d33aaf1f
SHA256

fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c
SHA512

dd08b8d160aecfc2f6937475e058b29b4ab70cf0f5d9ecde56d4dddd297fac8437f5943a7c10f4bbb5ee349911d038003526429aabd3fc04f344969d02645c67
SSDEEP

6144:2TMpSoR/PJ+Ol8uTCnDnxdj24lSZACZK:2WSoR/PJ+OlvqDxR24lSZAd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1244	cwrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	cwrss.exe
File opened (read-only)	\??\v:	cwrss.exe
File opened (read-only)	\??\l:	cwrss.exe
File opened (read-only)	\??\u:	cwrss.exe
File opened (read-only)	\??\q:	cwrss.exe
File opened (read-only)	\??\s:	cwrss.exe
File opened (read-only)	\??\t:	cwrss.exe
File opened (read-only)	\??\j:	cwrss.exe
File opened (read-only)	\??\k:	cwrss.exe
File opened (read-only)	\??\m:	cwrss.exe
File opened (read-only)	\??\n:	cwrss.exe
File opened (read-only)	\??\o:	cwrss.exe
File opened (read-only)	\??\y:	cwrss.exe
File opened (read-only)	\??\z:	cwrss.exe
File opened (read-only)	\??\p:	cwrss.exe
File opened (read-only)	\??\w:	cwrss.exe
File opened (read-only)	\??\x:	cwrss.exe
File opened (read-only)	\??\e:	cwrss.exe
File opened (read-only)	\??\f:	cwrss.exe
File opened (read-only)	\??\g:	cwrss.exe
File opened (read-only)	\??\h:	cwrss.exe
File opened (read-only)	\??\i:	cwrss.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command\ = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\DefaultIcon\ = "%1"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\DefaultIcon	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand\ = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\Content-Type = "application/x-msdownload"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "cscsvc"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\ommand	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\shell\runas\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\Ole32\\cwrss.exe\" /START \"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\Ole32\\cwrss.exe\" /START \"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\ = "Application"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe
1244	cwrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	cwrss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1244	1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	28
PID 1780 wrote to memory of 1244	1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	28
PID 1780 wrote to memory of 1244	1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	28
PID 1780 wrote to memory of 1244	1780	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	28

C:\Users\Admin\AppData\Local\Temp\fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
"C:\Users\Admin\AppData\Local\Temp\fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\ProgramData\Microsoft\Ole32\cwrss.exe
  C:\ProgramData\Microsoft\Ole32\cwrss.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Ole32\cwrss.exe

Filesize
218KB

MD5
f03197ea7486d52c2410542fc60804c7

SHA1
54c01e6222f06006030870315f123e2b37b55afa

SHA256
70f0eaf7a452750be1a742ff291d5bd361db13fd5b4761a2d422f121f833ed88

SHA512
5a9aac4b363160cf6f790bc7d40958c70a9b20fa0b0afb3489d74bb3095d58a09e2a68e6fe504574a023eed16d7697b074b9b81a7bd56587465b7f55f3f3ad1a

Download Submit
C:\ProgramData\Microsoft\Ole32\cwrss.exe

Filesize
218KB

MD5
f03197ea7486d52c2410542fc60804c7

SHA1
54c01e6222f06006030870315f123e2b37b55afa

SHA256
70f0eaf7a452750be1a742ff291d5bd361db13fd5b4761a2d422f121f833ed88

SHA512
5a9aac4b363160cf6f790bc7d40958c70a9b20fa0b0afb3489d74bb3095d58a09e2a68e6fe504574a023eed16d7697b074b9b81a7bd56587465b7f55f3f3ad1a

Download Submit
\ProgramData\Microsoft\Ole32\cwrss.exe

Filesize
218KB

MD5
f03197ea7486d52c2410542fc60804c7

SHA1
54c01e6222f06006030870315f123e2b37b55afa

SHA256
70f0eaf7a452750be1a742ff291d5bd361db13fd5b4761a2d422f121f833ed88

SHA512
5a9aac4b363160cf6f790bc7d40958c70a9b20fa0b0afb3489d74bb3095d58a09e2a68e6fe504574a023eed16d7697b074b9b81a7bd56587465b7f55f3f3ad1a

Download Submit
\ProgramData\Microsoft\Ole32\cwrss.exe

Filesize
218KB

MD5
f03197ea7486d52c2410542fc60804c7

SHA1
54c01e6222f06006030870315f123e2b37b55afa

SHA256
70f0eaf7a452750be1a742ff291d5bd361db13fd5b4761a2d422f121f833ed88

SHA512
5a9aac4b363160cf6f790bc7d40958c70a9b20fa0b0afb3489d74bb3095d58a09e2a68e6fe504574a023eed16d7697b074b9b81a7bd56587465b7f55f3f3ad1a

Download Submit
memory/1244-57-0x0000000000000000-mapping.dmp

Download
memory/1780-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download