61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276

General

Target

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Size

32KB
MD5

a4b15fa2f09dcd53c485de850050dc13
SHA1

83183db5ce3ba0b4cc2910ef194c36759d9f6b6d
SHA256

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276
SHA512

f560b64c683a0917edbca66de7973529e8365f144c3bd681360e88f6a22c212fec9e15d9cd43eacba77ea72c2dc0595738832bf957be4b7f652357b3ff1fd006
SSDEEP

768:UgpcJkoH/kYLeV/omwUZJt6R7pA21KUsFZh1aaj:ZfoHslpweJt6R7pA21KRTh1zj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Audio Driver = "C:\\Program Files\\Common Files\\lsass.exe"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exelsass.exe

pid process

1576 csrss.exe
268 lsass.exe

pid	process
1576	csrss.exe
268	lsass.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6ade2044-6219-11ed-961c-806e6f6e6963}	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6ade2044-6219-11ed-961c-806e6f6e6963}\StubPath = "C:\\ProgramData\\csrss.exe -r"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6ade2044-6219-11ed-961c-806e6f6e6963}\IsInstalled = "1"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1756 netsh.exe

pid	process
1756	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\ProgramData\\csrss.exe"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 2 IoCs

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

description	ioc	process
File created	C:\Program Files\Common Files\lsass.exe	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
File opened for modification	C:\Program Files\Common Files\lsass.exe	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.execsrss.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Token: SeDebugPrivilege	1576	csrss.exe
Token: SeDebugPrivilege	268	lsass.exe
Token: SeIncreaseQuotaPrivilege	1576	csrss.exe
Token: SeSecurityPrivilege	1576	csrss.exe
Token: SeTakeOwnershipPrivilege	1576	csrss.exe
Token: SeLoadDriverPrivilege	1576	csrss.exe
Token: SeSystemProfilePrivilege	1576	csrss.exe
Token: SeSystemtimePrivilege	1576	csrss.exe
Token: SeProfSingleProcessPrivilege	1576	csrss.exe
Token: SeIncBasePriorityPrivilege	1576	csrss.exe
Token: SeCreatePagefilePrivilege	1576	csrss.exe
Token: SeBackupPrivilege	1576	csrss.exe
Token: SeRestorePrivilege	1576	csrss.exe
Token: SeShutdownPrivilege	1576	csrss.exe
Token: SeDebugPrivilege	1576	csrss.exe
Token: SeSystemEnvironmentPrivilege	1576	csrss.exe
Token: SeRemoteShutdownPrivilege	1576	csrss.exe
Token: SeUndockPrivilege	1576	csrss.exe
Token: SeManageVolumePrivilege	1576	csrss.exe
Token: 33	1576	csrss.exe
Token: 34	1576	csrss.exe
Token: 35	1576	csrss.exe
Token: SeIncreaseQuotaPrivilege	1576	csrss.exe
Token: SeSecurityPrivilege	1576	csrss.exe
Token: SeTakeOwnershipPrivilege	1576	csrss.exe
Token: SeLoadDriverPrivilege	1576	csrss.exe
Token: SeSystemProfilePrivilege	1576	csrss.exe
Token: SeSystemtimePrivilege	1576	csrss.exe
Token: SeProfSingleProcessPrivilege	1576	csrss.exe
Token: SeIncBasePriorityPrivilege	1576	csrss.exe
Token: SeCreatePagefilePrivilege	1576	csrss.exe
Token: SeBackupPrivilege	1576	csrss.exe
Token: SeRestorePrivilege	1576	csrss.exe
Token: SeShutdownPrivilege	1576	csrss.exe
Token: SeDebugPrivilege	1576	csrss.exe
Token: SeSystemEnvironmentPrivilege	1576	csrss.exe
Token: SeRemoteShutdownPrivilege	1576	csrss.exe
Token: SeUndockPrivilege	1576	csrss.exe
Token: SeManageVolumePrivilege	1576	csrss.exe
Token: 33	1576	csrss.exe
Token: 34	1576	csrss.exe
Token: 35	1576	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.execsrss.exe

description	pid	process	target process
PID 1476 wrote to memory of 1576	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	csrss.exe
PID 1476 wrote to memory of 1576	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	csrss.exe
PID 1476 wrote to memory of 1576	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	csrss.exe
PID 1476 wrote to memory of 268	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	lsass.exe
PID 1476 wrote to memory of 268	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	lsass.exe
PID 1476 wrote to memory of 268	1476	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe	lsass.exe
PID 1576 wrote to memory of 1756	1576	csrss.exe	netsh.exe
PID 1576 wrote to memory of 1756	1576	csrss.exe	netsh.exe
PID 1576 wrote to memory of 1756	1576	csrss.exe	netsh.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

C:\Users\Admin\AppData\Local\Temp\61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe
"C:\Users\Admin\AppData\Local\Temp\61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276.exe"
1⤵
- UAC bypass
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1476

C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1576

C:\Windows\system32\netsh.exe
"netsh.exe" firewall add allowedprogram program="C:\ProgramData\csrss.exe" name="Audio Driver" mode=ENABLE scope=ALL profile=ALL
3⤵
- Modifies Windows Firewall
PID:1756

C:\Program Files\Common Files\lsass.exe
"C:\Program Files\Common Files\lsass.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\lsass.exe

Filesize
32KB

MD5
a4b15fa2f09dcd53c485de850050dc13

SHA1
83183db5ce3ba0b4cc2910ef194c36759d9f6b6d

SHA256
61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276

SHA512
f560b64c683a0917edbca66de7973529e8365f144c3bd681360e88f6a22c212fec9e15d9cd43eacba77ea72c2dc0595738832bf957be4b7f652357b3ff1fd006

Download Submit
C:\Program Files\Common Files\lsass.exe

Filesize
32KB

MD5
a4b15fa2f09dcd53c485de850050dc13

SHA1
83183db5ce3ba0b4cc2910ef194c36759d9f6b6d

SHA256
61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276

SHA512
f560b64c683a0917edbca66de7973529e8365f144c3bd681360e88f6a22c212fec9e15d9cd43eacba77ea72c2dc0595738832bf957be4b7f652357b3ff1fd006

Download Submit
C:\ProgramData\csrss.exe

Filesize
32KB

MD5
a4b15fa2f09dcd53c485de850050dc13

SHA1
83183db5ce3ba0b4cc2910ef194c36759d9f6b6d

SHA256
61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276

SHA512
f560b64c683a0917edbca66de7973529e8365f144c3bd681360e88f6a22c212fec9e15d9cd43eacba77ea72c2dc0595738832bf957be4b7f652357b3ff1fd006

Download Submit
C:\ProgramData\csrss.exe

Filesize
32KB

MD5
a4b15fa2f09dcd53c485de850050dc13

SHA1
83183db5ce3ba0b4cc2910ef194c36759d9f6b6d

SHA256
61e6b39454f3b5fef2fde0bd3ccc3acf37830e68d6ba1e3d5402d2d7cd38d276

SHA512
f560b64c683a0917edbca66de7973529e8365f144c3bd681360e88f6a22c212fec9e15d9cd43eacba77ea72c2dc0595738832bf957be4b7f652357b3ff1fd006

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/268-63-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1476-54-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1476-55-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/1576-56-0x0000000000000000-mapping.dmp

Download
memory/1576-59-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1756-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads