4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
Size

473KB
MD5

05734ec77bf7ff49ab33faa9ea9241f7
SHA1

3650464a2f997b9530c129d6f1420ab8b4f5bebd
SHA256

4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb
SHA512

6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c
SSDEEP

12288:jnNhuBoY8SorxgmA+nlvVlg2qn1G3GWVxWu:jPatCg7EPGn1G3GWVMu

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe

Executes dropped EXE 1 IoCs

pid	Process
904	csrcs.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1544-55-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/files/0x0009000000005c51-56.dat	upx
behavioral1/files/0x0009000000005c51-59.dat	upx
behavioral1/files/0x0009000000005c51-58.dat	upx
behavioral1/files/0x0009000000005c51-57.dat	upx
behavioral1/files/0x0009000000005c51-61.dat	upx
behavioral1/files/0x0009000000005c51-65.dat	upx
behavioral1/memory/904-66-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/files/0x0009000000005c51-67.dat	upx
behavioral1/files/0x0009000000005c51-68.dat	upx
behavioral1/memory/904-70-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/memory/1544-74-0x0000000000400000-0x00000000004D3000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
904	csrcs.exe
904	csrcs.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1544-55-0x0000000000400000-0x00000000004D3000-memory.dmp	autoit_exe
behavioral1/memory/904-66-0x0000000000400000-0x00000000004D3000-memory.dmp	autoit_exe
behavioral1/memory/904-70-0x0000000000400000-0x00000000004D3000-memory.dmp	autoit_exe
behavioral1/memory/1544-74-0x0000000000400000-0x00000000004D3000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
240	PING.EXE
1332	PING.EXE
1916	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
904	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 904	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	26
PID 1544 wrote to memory of 904	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	26
PID 1544 wrote to memory of 904	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	26
PID 1544 wrote to memory of 904	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	26
PID 904 wrote to memory of 332	904	csrcs.exe	27
PID 904 wrote to memory of 332	904	csrcs.exe	27
PID 904 wrote to memory of 332	904	csrcs.exe	27
PID 904 wrote to memory of 332	904	csrcs.exe	27
PID 332 wrote to memory of 1332	332	cmd.exe	29
PID 332 wrote to memory of 1332	332	cmd.exe	29
PID 332 wrote to memory of 1332	332	cmd.exe	29
PID 332 wrote to memory of 1332	332	cmd.exe	29
PID 1544 wrote to memory of 984	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	30
PID 1544 wrote to memory of 984	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	30
PID 1544 wrote to memory of 984	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	30
PID 1544 wrote to memory of 984	1544	4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe	30
PID 984 wrote to memory of 1916	984	cmd.exe	32
PID 984 wrote to memory of 1916	984	cmd.exe	32
PID 984 wrote to memory of 1916	984	cmd.exe	32
PID 984 wrote to memory of 1916	984	cmd.exe	32
PID 332 wrote to memory of 240	332	cmd.exe	33
PID 332 wrote to memory of 240	332	cmd.exe	33
PID 332 wrote to memory of 240	332	cmd.exe	33
PID 332 wrote to memory of 240	332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
"C:\Users\Admin\AppData\Local\Temp\4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1332
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
287B

MD5
81a4b977163fca252ff5731254c3706a

SHA1
bf37a1336c67da451cf2e36d6e08b5e86503e750

SHA256
48bbcb7416a5385897819953ed12bdc9676d325aeddf8b1e10f69a74ace0c824

SHA512
a99d94f0b113ededcf2f41f029da64131973e4a5b3ce4891b1028ab4050525f332fe5beeb35cb2960ea28cda5dad3b5ff23154de1a070c899c12ccc038a99f9f

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
473KB

MD5
05734ec77bf7ff49ab33faa9ea9241f7

SHA1
3650464a2f997b9530c129d6f1420ab8b4f5bebd

SHA256
4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

SHA512
6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

Download Submit
memory/904-70-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/904-66-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1544-64-0x0000000005DD0000-0x0000000005EA3000-memory.dmp

Filesize
844KB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1544-63-0x0000000005DD0000-0x0000000005EA3000-memory.dmp

Filesize
844KB

Download
memory/1544-74-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1544-55-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download