cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047

General

Target

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Size

132KB
MD5

2b20a6936da978e4ed5cb14589689151
SHA1

aab10f79f884342508e27db4556fe11e60cc59e3
SHA256

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047
SHA512

0e2ab16e83084c44e4f0248039bd66be8f2b3310eb091eb39e4177c61eac3a0b6f00b619e5d30626516a0c33b91eb329b3554cce86a30aad624f688ede914a0a
SSDEEP

1536:jvJjYfQoomlMvYf8LtpfKUACQIENnSwHC4QxCIrOiotb2t:DKfQ9bQIe9C3xCIrmtb2t

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4216 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3748 netsh.exe

pid	process
4216	csrss.exe

pid	process
3748	netsh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.execsrss.exe

pid process

1516 cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
4216 csrss.exe

pid	process
1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
4216	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe

description	pid	process	target process
PID 1516 wrote to memory of 3748	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	netsh.exe
PID 1516 wrote to memory of 3748	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	netsh.exe
PID 1516 wrote to memory of 3748	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	netsh.exe
PID 1516 wrote to memory of 4216	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	csrss.exe
PID 1516 wrote to memory of 4216	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	csrss.exe
PID 1516 wrote to memory of 4216	1516	cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
"C:\Users\Admin\AppData\Local\Temp\cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Nero" dir=in action=allow description="Multimedia suite" program="C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3748

C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
C:\Users\Admin\AppData\Local\Temp\cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
132KB

MD5
2b20a6936da978e4ed5cb14589689151

SHA1
aab10f79f884342508e27db4556fe11e60cc59e3

SHA256
cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047

SHA512
0e2ab16e83084c44e4f0248039bd66be8f2b3310eb091eb39e4177c61eac3a0b6f00b619e5d30626516a0c33b91eb329b3554cce86a30aad624f688ede914a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
132KB

MD5
2b20a6936da978e4ed5cb14589689151

SHA1
aab10f79f884342508e27db4556fe11e60cc59e3

SHA256
cc31fcfe935ea7374ca4a86783a47f77d7e6c6d840fb11789a9ff6ba665f9047

SHA512
0e2ab16e83084c44e4f0248039bd66be8f2b3310eb091eb39e4177c61eac3a0b6f00b619e5d30626516a0c33b91eb329b3554cce86a30aad624f688ede914a0a

Download Submit
memory/3748-134-0x0000000000000000-mapping.dmp

Download
memory/4216-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads