ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed

General

Target

ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
Size

860KB
MD5

cd3b6cf8794f8770c6272da194d9c8f6
SHA1

cd9e7257c0ae93dad220b2872215f7d103b89db4
SHA256

ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed
SHA512

75d8ae249a68640b0d12edc68bee771f54036871a11390902aebdd8c1ffc340afe4c7c1f7a3a8f687be9f0d7647126ec6c5e19a7a7f43b642e572b35aa81997d
SSDEEP

24576:0xqT31T6WE6I5jKqosOm+bmxyZxzVH2JLweKon:76WE6IN95+bDWpweKon

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	csrcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000022f5e-133.dat	autoit_exe
behavioral2/files/0x0009000000022f5e-134.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4776	PING.EXE
2700	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
3004	csrcs.exe
3004	csrcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3004	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	81
PID 4284 wrote to memory of 3004	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	81
PID 4284 wrote to memory of 3004	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	81
PID 3004 wrote to memory of 2164	3004	csrcs.exe	83
PID 3004 wrote to memory of 2164	3004	csrcs.exe	83
PID 3004 wrote to memory of 2164	3004	csrcs.exe	83
PID 4284 wrote to memory of 324	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	85
PID 4284 wrote to memory of 324	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	85
PID 4284 wrote to memory of 324	4284	ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe	85
PID 324 wrote to memory of 2700	324	cmd.exe	88
PID 324 wrote to memory of 2700	324	cmd.exe	88
PID 324 wrote to memory of 2700	324	cmd.exe	88
PID 2164 wrote to memory of 4776	2164	cmd.exe	87
PID 2164 wrote to memory of 4776	2164	cmd.exe	87
PID 2164 wrote to memory of 4776	2164	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe
"C:\Users\Admin\AppData\Local\Temp\ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
287B

MD5
66bf96f15173b8e5df2bd8ed8b11fbac

SHA1
0e46fe410ee2d1009e1637ed246a744eca2ec01d

SHA256
6c0c074406c18565b48147611d3e4634abcd9c3118b2a7bc216c3306b888ac5a

SHA512
ec8c7096a729ef371094935ca36fc3798e149da92cff13bc4b9620060bff3b6cd4aceef0ad5b19ca24e99f61e50b24604d1e9e24a8d33bf34239847a5b59367a

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
860KB

MD5
cd3b6cf8794f8770c6272da194d9c8f6

SHA1
cd9e7257c0ae93dad220b2872215f7d103b89db4

SHA256
ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed

SHA512
75d8ae249a68640b0d12edc68bee771f54036871a11390902aebdd8c1ffc340afe4c7c1f7a3a8f687be9f0d7647126ec6c5e19a7a7f43b642e572b35aa81997d

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
860KB

MD5
cd3b6cf8794f8770c6272da194d9c8f6

SHA1
cd9e7257c0ae93dad220b2872215f7d103b89db4

SHA256
ab4a350062a38881352f243d4028a57de90fd9bb8870b083c2c9e78d80049aed

SHA512
75d8ae249a68640b0d12edc68bee771f54036871a11390902aebdd8c1ffc340afe4c7c1f7a3a8f687be9f0d7647126ec6c5e19a7a7f43b642e572b35aa81997d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads