sality | e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Size

820KB
MD5

14d0b4619c03706d5853c0cf3626cb6a
SHA1

261dc7aac68bab5bf1ece7f5a9ba84f3346d807d
SHA256

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f
SHA512

a8f7d4b060dd5329bfe1620eb88d035b3e3b2345d8675d27a91bd1fc6e2f2c97c0cd6b965fb509daf74f197a786e2d0020b4b14cd5a7bace81c3082d6ebaa1d2
SSDEEP

24576:ZFE//Tct4bOsgXOEiuZ/TML1VEvpc6L1S:bSVgXv/TrcaS

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	csrcs.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrcs.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

csrcs.exee6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

csrcs.exee6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	csrcs.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	csrcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	csrcs.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	csrcs.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

csrcs.exe

pid process

2892 csrcs.exe

pid	process
2892	csrcs.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4848-132-0x0000000003700000-0x000000000478E000-memory.dmp	upx
behavioral2/memory/4848-133-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4848-134-0x0000000003700000-0x000000000478E000-memory.dmp	upx
C:\Windows\SysWOW64\csrcs.exe	upx
C:\Windows\SysWOW64\csrcs.exe	upx
behavioral2/memory/2892-138-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4848-139-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4848-140-0x0000000003700000-0x000000000478E000-memory.dmp	upx
behavioral2/memory/2892-142-0x00000000048A0000-0x000000000592E000-memory.dmp	upx
behavioral2/memory/2892-143-0x00000000048A0000-0x000000000592E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	csrcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	csrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	csrcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	csrcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	csrcs.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrcs.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrcs.exe

description	ioc	process
File opened (read-only)	\??\L:	csrcs.exe
File opened (read-only)	\??\S:	csrcs.exe
File opened (read-only)	\??\V:	csrcs.exe
File opened (read-only)	\??\Y:	csrcs.exe
File opened (read-only)	\??\Q:	csrcs.exe
File opened (read-only)	\??\R:	csrcs.exe
File opened (read-only)	\??\T:	csrcs.exe
File opened (read-only)	\??\Z:	csrcs.exe
File opened (read-only)	\??\E:	csrcs.exe
File opened (read-only)	\??\G:	csrcs.exe
File opened (read-only)	\??\J:	csrcs.exe
File opened (read-only)	\??\N:	csrcs.exe
File opened (read-only)	\??\W:	csrcs.exe
File opened (read-only)	\??\F:	csrcs.exe
File opened (read-only)	\??\H:	csrcs.exe
File opened (read-only)	\??\M:	csrcs.exe
File opened (read-only)	\??\P:	csrcs.exe
File opened (read-only)	\??\X:	csrcs.exe
File opened (read-only)	\??\I:	csrcs.exe
File opened (read-only)	\??\K:	csrcs.exe
File opened (read-only)	\??\O:	csrcs.exe
File opened (read-only)	\??\U:	csrcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 checkip.dyndns.org

flow	ioc
46	checkip.dyndns.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4848-133-0x0000000000400000-0x0000000000555000-memory.dmp	autoit_exe
behavioral2/memory/2892-138-0x0000000000400000-0x0000000000555000-memory.dmp	autoit_exe
behavioral2/memory/4848-139-0x0000000000400000-0x0000000000555000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

csrcs.exe

description ioc process

File opened for modification C:\autorun.inf csrcs.exe

description	ioc	process
File opened for modification	C:\autorun.inf	csrcs.exe

Drops file in System32 directory 4 IoCs

Processes:

csrcs.exee6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\autorun.i	csrcs.exe
File created	C:\Windows\SysWOW64\csrcs.exe	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
File opened for modification	C:\Windows\SysWOW64\autorun.in	csrcs.exe

Drops file in Program Files directory 11 IoCs

Processes:

csrcs.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	csrcs.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	csrcs.exe

Drops file in Windows directory 1 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

pid	process
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

description	pid	process
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Token: SeDebugPrivilege	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

pid	process
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

pid	process
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
2892	csrcs.exe
2892	csrcs.exe
2892	csrcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	pid	process	target process
PID 4848 wrote to memory of 776	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	fontdrvhost.exe
PID 4848 wrote to memory of 780	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	fontdrvhost.exe
PID 4848 wrote to memory of 1020	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	dwm.exe
PID 4848 wrote to memory of 2300	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	sihost.exe
PID 4848 wrote to memory of 2324	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	svchost.exe
PID 4848 wrote to memory of 2424	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	taskhostw.exe
PID 4848 wrote to memory of 3024	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	Explorer.EXE
PID 4848 wrote to memory of 1328	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	svchost.exe
PID 4848 wrote to memory of 3220	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	DllHost.exe
PID 4848 wrote to memory of 3320	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	StartMenuExperienceHost.exe
PID 4848 wrote to memory of 3392	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	RuntimeBroker.exe
PID 4848 wrote to memory of 3516	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	SearchApp.exe
PID 4848 wrote to memory of 3688	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	RuntimeBroker.exe
PID 4848 wrote to memory of 4580	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	RuntimeBroker.exe
PID 4848 wrote to memory of 2892	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	csrcs.exe
PID 4848 wrote to memory of 2892	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	csrcs.exe
PID 4848 wrote to memory of 2892	4848	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe	csrcs.exe
PID 2892 wrote to memory of 776	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 780	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 1020	2892	csrcs.exe	dwm.exe
PID 2892 wrote to memory of 2300	2892	csrcs.exe	sihost.exe
PID 2892 wrote to memory of 2324	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 2424	2892	csrcs.exe	taskhostw.exe
PID 2892 wrote to memory of 3024	2892	csrcs.exe	Explorer.EXE
PID 2892 wrote to memory of 1328	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 3220	2892	csrcs.exe	DllHost.exe
PID 2892 wrote to memory of 3320	2892	csrcs.exe	StartMenuExperienceHost.exe
PID 2892 wrote to memory of 3392	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 3516	2892	csrcs.exe	SearchApp.exe
PID 2892 wrote to memory of 3688	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 4580	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 776	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 780	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 1020	2892	csrcs.exe	dwm.exe
PID 2892 wrote to memory of 2300	2892	csrcs.exe	sihost.exe
PID 2892 wrote to memory of 2324	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 2424	2892	csrcs.exe	taskhostw.exe
PID 2892 wrote to memory of 3024	2892	csrcs.exe	Explorer.EXE
PID 2892 wrote to memory of 1328	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 3220	2892	csrcs.exe	DllHost.exe
PID 2892 wrote to memory of 3320	2892	csrcs.exe	StartMenuExperienceHost.exe
PID 2892 wrote to memory of 3392	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 3516	2892	csrcs.exe	SearchApp.exe
PID 2892 wrote to memory of 3688	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 4580	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 776	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 780	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 1020	2892	csrcs.exe	dwm.exe
PID 2892 wrote to memory of 2300	2892	csrcs.exe	sihost.exe
PID 2892 wrote to memory of 2324	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 2424	2892	csrcs.exe	taskhostw.exe
PID 2892 wrote to memory of 3024	2892	csrcs.exe	Explorer.EXE
PID 2892 wrote to memory of 1328	2892	csrcs.exe	svchost.exe
PID 2892 wrote to memory of 3220	2892	csrcs.exe	DllHost.exe
PID 2892 wrote to memory of 3320	2892	csrcs.exe	StartMenuExperienceHost.exe
PID 2892 wrote to memory of 3392	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 3516	2892	csrcs.exe	SearchApp.exe
PID 2892 wrote to memory of 3688	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 4580	2892	csrcs.exe	RuntimeBroker.exe
PID 2892 wrote to memory of 776	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 780	2892	csrcs.exe	fontdrvhost.exe
PID 2892 wrote to memory of 1020	2892	csrcs.exe	dwm.exe
PID 2892 wrote to memory of 2300	2892	csrcs.exe	sihost.exe
PID 2892 wrote to memory of 2324	2892	csrcs.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.execsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrcs.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2324

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f.exe"
2⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4848

C:\Windows\SysWOW64\csrcs.exe
"C:\Windows\SysWOW64\csrcs.exe"
3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI

Filesize
257B

MD5
11c1656cf56ca49f8ba06ba1ec91e5e5

SHA1
d8663801ad612925fbfc35668ebbbf940738ba01

SHA256
847f3d0d1891b23f716988cfadc927e633d452a7d0bce617dc6186f9fdb94dae

SHA512
4f8356d2de4fe5e2ca83ddee01154ac0de5e6bc93460c852b71f38971eee8c47a7ab52422b365be325531887ae6cd1ae0a9233f24c3b2af6486a79d32bf510b4

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
820KB

MD5
14d0b4619c03706d5853c0cf3626cb6a

SHA1
261dc7aac68bab5bf1ece7f5a9ba84f3346d807d

SHA256
e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f

SHA512
a8f7d4b060dd5329bfe1620eb88d035b3e3b2345d8675d27a91bd1fc6e2f2c97c0cd6b965fb509daf74f197a786e2d0020b4b14cd5a7bace81c3082d6ebaa1d2

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
820KB

MD5
14d0b4619c03706d5853c0cf3626cb6a

SHA1
261dc7aac68bab5bf1ece7f5a9ba84f3346d807d

SHA256
e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f

SHA512
a8f7d4b060dd5329bfe1620eb88d035b3e3b2345d8675d27a91bd1fc6e2f2c97c0cd6b965fb509daf74f197a786e2d0020b4b14cd5a7bace81c3082d6ebaa1d2

Download Submit
memory/2892-135-0x0000000000000000-mapping.dmp

Download
memory/2892-138-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2892-142-0x00000000048A0000-0x000000000592E000-memory.dmp

Filesize
16.6MB

Download
memory/2892-143-0x00000000048A0000-0x000000000592E000-memory.dmp

Filesize
16.6MB

Download
memory/4848-132-0x0000000003700000-0x000000000478E000-memory.dmp

Filesize
16.6MB

Download
memory/4848-133-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4848-134-0x0000000003700000-0x000000000478E000-memory.dmp

Filesize
16.6MB

Download
memory/4848-139-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4848-140-0x0000000003700000-0x000000000478E000-memory.dmp

Filesize
16.6MB

Download