a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

Analysis

max time kernel
79s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
Size

763KB
MD5

29450941fc49b5d7ae5f5cd2187e3e7e
SHA1

24dc493f52acffdcd896cf66ccccd6041d97d099
SHA256

a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f
SHA512

448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8
SSDEEP

12288:P6SKqT31T6WpJY6V765jKqostkm3ObvHVyKrCqDfUrt12F+z3xrKjH:CxqT31T6WE6I5jKqosOm+bfs0CqiDyeu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	csrcs.exe

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1916	csrcs.exe
1916	csrcs.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c0000000122d8-55.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-56.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-57.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-58.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-60.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-62.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-64.dat	autoit_exe
behavioral1/files/0x000c0000000122d8-63.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
File created	C:\Windows\SysWOW64\csrcs.exe	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
956	PING.EXE
340	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
1916	csrcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1916	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	28
PID 1176 wrote to memory of 1916	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	28
PID 1176 wrote to memory of 1916	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	28
PID 1176 wrote to memory of 1916	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	28
PID 1916 wrote to memory of 1640	1916	csrcs.exe	29
PID 1916 wrote to memory of 1640	1916	csrcs.exe	29
PID 1916 wrote to memory of 1640	1916	csrcs.exe	29
PID 1916 wrote to memory of 1640	1916	csrcs.exe	29
PID 1176 wrote to memory of 1716	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	30
PID 1176 wrote to memory of 1716	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	30
PID 1176 wrote to memory of 1716	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	30
PID 1176 wrote to memory of 1716	1176	a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe	30
PID 1716 wrote to memory of 956	1716	cmd.exe	33
PID 1716 wrote to memory of 956	1716	cmd.exe	33
PID 1716 wrote to memory of 956	1716	cmd.exe	33
PID 1716 wrote to memory of 956	1716	cmd.exe	33
PID 1640 wrote to memory of 340	1640	cmd.exe	34
PID 1640 wrote to memory of 340	1640	cmd.exe	34
PID 1640 wrote to memory of 340	1640	cmd.exe	34
PID 1640 wrote to memory of 340	1640	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe
"C:\Users\Admin\AppData\Local\Temp\a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
287B

MD5
27c96cce9db3c61eecfcfc559dc37cc6

SHA1
0c7d6f526fa09a1e9c30cb0f90570b25a00951e7

SHA256
70a16e9fa3efe6f17a5819de37a2872847bc66fa86e4ecc52529755bb10606da

SHA512
a6995f521726d63d558924b9cf78d0e9b9ec8147d626f244176533c26817614a364b042990f2b64e2e85b022c0cba318dda913fbf38c34d556178917b8ca7650

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
\Windows\SysWOW64\csrcs.exe

Filesize
763KB

MD5
29450941fc49b5d7ae5f5cd2187e3e7e

SHA1
24dc493f52acffdcd896cf66ccccd6041d97d099

SHA256
a39ac30c3cac43d02e7c98e281176533ff69901e0960e258e95eba9b7f74050f

SHA512
448a6eb6c1079184f60369c8fd4fda5452ee7cb54f33b93f023fefebd801dd16ef0907389e9bafcc5026ad87b386f958731654afe5c83645e16341b0f052f9b8

Download Submit
memory/1176-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download