16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

Analysis

max time kernel
33s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 20:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
Size

918KB
MD5

a217e6b7f3656578c3b9df5d5d91a2b9
SHA1

118b97cf67b33dc284aed0bca8ff0779fb93c82b
SHA256

16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015
SHA512

ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137
SSDEEP

24576:OxqT31T6WE6I5jKqosOm+bz/MjC6g+9V02TsVF:Z6WE6IN95+bz/MjCraQVF

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	csrcs.exe

Loads dropped DLL 6 IoCs

pid	Process
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1744	csrcs.exe
1744	csrcs.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-56.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-57.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-60.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-58.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-62.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-63.dat	autoit_exe
behavioral1/files/0x000d0000000054a8-64.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1100	PING.EXE
1684	PING.EXE
964	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1744	csrcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1744	csrcs.exe
1744	csrcs.exe
1744	csrcs.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
1744	csrcs.exe
1744	csrcs.exe
1744	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1744	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	27
PID 1632 wrote to memory of 1744	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	27
PID 1632 wrote to memory of 1744	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	27
PID 1632 wrote to memory of 1744	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	27
PID 1744 wrote to memory of 1304	1744	csrcs.exe	28
PID 1744 wrote to memory of 1304	1744	csrcs.exe	28
PID 1744 wrote to memory of 1304	1744	csrcs.exe	28
PID 1744 wrote to memory of 1304	1744	csrcs.exe	28
PID 1304 wrote to memory of 1100	1304	cmd.exe	30
PID 1304 wrote to memory of 1100	1304	cmd.exe	30
PID 1304 wrote to memory of 1100	1304	cmd.exe	30
PID 1304 wrote to memory of 1100	1304	cmd.exe	30
PID 1632 wrote to memory of 520	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	31
PID 1632 wrote to memory of 520	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	31
PID 1632 wrote to memory of 520	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	31
PID 1632 wrote to memory of 520	1632	16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe	31
PID 520 wrote to memory of 1684	520	cmd.exe	33
PID 520 wrote to memory of 1684	520	cmd.exe	33
PID 520 wrote to memory of 1684	520	cmd.exe	33
PID 520 wrote to memory of 1684	520	cmd.exe	33
PID 1304 wrote to memory of 964	1304	cmd.exe	34
PID 1304 wrote to memory of 964	1304	cmd.exe	34
PID 1304 wrote to memory of 964	1304	cmd.exe	34
PID 1304 wrote to memory of 964	1304	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe
"C:\Users\Admin\AppData\Local\Temp\16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1100
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
287B

MD5
ff4932c25367663a5ed0e934bdf95b16

SHA1
eca5d49525d8b7d9aacca6038df038daff9eb113

SHA256
5880077a7f8de06985ba0d9bc030dd994ac9184ffa6b888852463a8d7cf8d0f3

SHA512
7fed886b94de3f35eb260b7b399bf4f0f28856e5ecc346cfb194dab358e5158b2425fb7493b032180a7c358ed5794174340f56da6ab5676ddc1877fda9ce6e6a

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
918KB

MD5
a217e6b7f3656578c3b9df5d5d91a2b9

SHA1
118b97cf67b33dc284aed0bca8ff0779fb93c82b

SHA256
16154547ca0a0937b252cdb93818e9dd69a7773ec4e77cc043d0ee803104d015

SHA512
ae661e9471c981b986170767e561fdb677e521d0d396ecaca6477bf42231ab8ac72b295f5d74fd43c26ec4888f86ca7b23f8beb6fe1351c1e64c9fed96a83137

Download Submit
memory/1632-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download