c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568

General

Target

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Size

76KB
MD5

8af4ccb79598f213851c0c7e291fba53
SHA1

de8fe5e8f60a811466c9af084e8efd598dd60af5
SHA256

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568
SHA512

321b49361451c7d4bdfff9aaf70a699f0f7724169251764bd85fb523c2f0d9477acdcdd2662eb0e75bb1026eb1eefe095f60107e7c5692cfde91825b6f6685f5
SSDEEP

768:VembNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xkq:bnqdu3abBGy3G8V0iuo2X

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.execswp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	cswp.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.execswp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cswp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.execswp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cswp.exe

Executes dropped EXE 1 IoCs

Processes:

cswp.exe

pid process

3268 cswp.exe

pid	process
3268	cswp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cswp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	cswp.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cswp.exe

description	ioc	process
File opened (read-only)	\??\Q:	cswp.exe
File opened (read-only)	\??\B:	cswp.exe
File opened (read-only)	\??\I:	cswp.exe
File opened (read-only)	\??\L:	cswp.exe
File opened (read-only)	\??\M:	cswp.exe
File opened (read-only)	\??\F:	cswp.exe
File opened (read-only)	\??\H:	cswp.exe
File opened (read-only)	\??\Y:	cswp.exe
File opened (read-only)	\??\Z:	cswp.exe
File opened (read-only)	\??\J:	cswp.exe
File opened (read-only)	\??\K:	cswp.exe
File opened (read-only)	\??\T:	cswp.exe
File opened (read-only)	\??\W:	cswp.exe
File opened (read-only)	\??\P:	cswp.exe
File opened (read-only)	\??\R:	cswp.exe
File opened (read-only)	\??\S:	cswp.exe
File opened (read-only)	\??\U:	cswp.exe
File opened (read-only)	\??\E:	cswp.exe
File opened (read-only)	\??\G:	cswp.exe
File opened (read-only)	\??\N:	cswp.exe
File opened (read-only)	\??\O:	cswp.exe
File opened (read-only)	\??\V:	cswp.exe
File opened (read-only)	\??\X:	cswp.exe

Drops file in System32 directory 6 IoCs

Processes:

cswp.exec45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	cswp.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	cswp.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	cswp.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	cswp.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe

Drops file in Program Files directory 27 IoCs

Processes:

cswp.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	cswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	cswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	cswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	cswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	cswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	cswp.exe

Modifies registry class 36 IoCs

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.execswp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	cswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	cswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	cswp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.execswp.exe

pid process

2484 c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
3268 cswp.exe

pid	process
2484	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
3268	cswp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe

description	pid	process	target process
PID 2484 wrote to memory of 3268	2484	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe	cswp.exe
PID 2484 wrote to memory of 3268	2484	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe	cswp.exe
PID 2484 wrote to memory of 3268	2484	c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe	cswp.exe

C:\Users\Admin\AppData\Local\Temp\c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe
"C:\Users\Admin\AppData\Local\Temp\c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\cswp.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\cswp.exe" c45333732863cc8c57f66b5210e7dda042011057d4f5327daa8d42eba804f568
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\cswp.exe

Filesize
76KB

MD5
5d145ea4f8f2d6e9dd374c3fcb0fd1bb

SHA1
77ad577e8106f0a21bde5ac45177f0fd34c3b973

SHA256
e8d988e86af413e0b2eb27af5d865db034f004c781ec6428fb822b7eace41c8c

SHA512
9fb8b3ef386393108c31d7145e0bad3ac2b19ff7d65039a1bead686ba69cc3a3a3c4f9e959fefdc70f7ca35d2de4a68c130210a3e2d920b57237e0c5430f09cf

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\cswp.exe

Filesize
76KB

MD5
5d145ea4f8f2d6e9dd374c3fcb0fd1bb

SHA1
77ad577e8106f0a21bde5ac45177f0fd34c3b973

SHA256
e8d988e86af413e0b2eb27af5d865db034f004c781ec6428fb822b7eace41c8c

SHA512
9fb8b3ef386393108c31d7145e0bad3ac2b19ff7d65039a1bead686ba69cc3a3a3c4f9e959fefdc70f7ca35d2de4a68c130210a3e2d920b57237e0c5430f09cf

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
03fcd9091657a4aa24e890d5b8f46549

SHA1
c6660687165bcbad04a88eacfd5cb50d10f2967d

SHA256
207ea4bb7fafb8ad5cca117e2e9c0c9c186f25512a023c890e791b5e35106ce4

SHA512
4b9902bd5e9f15fbca3c7e012d1549edf13c16595f48149ad6fedb7f6a3b81c65880775fe621a072f10ac9c2a4117609321f42695198f71a045e6ec9ea71082d

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/3268-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads