Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 15:04
Static task: static1
Behavioral task: behavioral1
  Sample: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
  Resource: win10v2004-20220812-en
General
- Target: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
- Size: 235KB
- MD5: a017b4b86dc239fe0cefc07a726505f7
- SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
- SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
- SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- SSDEEP: 6144:CeV9TbKC3OgmJPq8jMwfMxBhPmPNKedp+T:CebTbvegkqyJEXhWNz+
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1100  csrss.exe
- Sets file execution options in registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jtkyyvgiu.exe  csrss.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jtkyyvgiu.exe\DisableExceptionChainValidation  csrss.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1436  dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
    1436  dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"  reg.exe
- Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus  csrss.exe
    Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira  csrss.exe
- Drops desktop.ini file(s) (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\ProgramData\explorer\desktop.ini  csrss.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1436 set thread context of 1100  1436  dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe  csrss.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  csrss.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  csrss.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  csrss.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2  csrss.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (7 IoCs)
  Processes (description, ioc, process):
    Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}\633F07D8  csrss.exe
    Set value (data)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}\633F07D8\CG1\HAL = 05ee0000  csrss.exe
    Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}\633F07D8\ê'^u3  csrss.exe
    Set value (data)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}\633F07D8\ê'^u3\BID = 200008001d000b00e6070000140000001d0015002a00160000000000be7c8663  csrss.exe
    Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}\633F07D8\CG1  csrss.exe
    Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID  csrss.exe
    Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{AD2AA9DE-361C-414B-BC4B-7647DDE5A0BF}  csrss.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    1100  csrss.exe
    1100  csrss.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  1100  csrss.exe
    Token: SeBackupPrivilege   1100  csrss.exe
    Token: SeDebugPrivilege    1100  csrss.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a repeat count):
    PID 1436 wrote to memory of 760   1436  dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe  cmd.exe       (4 times)
    PID 1436 wrote to memory of 1100  1436  dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe  csrss.exe     (10 times)
    PID 760 wrote to memory of 1752   760   cmd.exe    reg.exe       (4 times)
    PID 1100 wrote to memory of 2040  1100  csrss.exe  schtasks.exe  (4 times)
    PID 1100 wrote to memory of 1668  1100  csrss.exe  WerFault.exe  (7 times)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Roaming\csrss.exe
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Roaming\csrss.exe
      - Adds Run key to start application
      - Modifies registry key
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\csrss.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\csrss.exe
    - Executes dropped EXE
    - Sets file execution options in registry
    - Checks for any installed AV software in registry
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x633F07D8" /TR "C:\ProgramData\explorer\jtkyyvgiu.exe" /RL HIGHEST
      - Creates scheduled task(s)
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: "C:\Windows\SysWOW64\WerFault.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  Filesize: 235KB
  MD5: a017b4b86dc239fe0cefc07a726505f7
  SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
  SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
  SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  Filesize: 235KB
  MD5: a017b4b86dc239fe0cefc07a726505f7
  SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
  SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
  SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- \Users\Admin\AppData\Local\Temp\csrss.exe
  Filesize: 235KB
  MD5: a017b4b86dc239fe0cefc07a726505f7
  SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
  SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
  SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- \Users\Admin\AppData\Local\Temp\csrss.exe
  Filesize: 235KB
  MD5: a017b4b86dc239fe0cefc07a726505f7
  SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
  SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
  SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- memory/760-63-0x0000000000000000-mapping.dmp
- memory/1100-67-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-81-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-87-0x00000000003B0000-0x00000000003FB000-memory.dmp  Filesize: 300KB
- memory/1100-79-0x0000000075711000-0x0000000075713000-memory.dmp  Filesize: 8KB
- memory/1100-76-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-69-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-68-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-71-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-66-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-73-0x000000000040120A-mapping.dmp
- memory/1100-80-0x00000000003B0000-0x00000000003FB000-memory.dmp  Filesize: 300KB
- memory/1100-72-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/1100-82-0x00000000003B0000-0x00000000003FB000-memory.dmp  Filesize: 300KB
- memory/1100-83-0x0000000000460000-0x000000000046B000-memory.dmp  Filesize: 44KB
- memory/1436-54-0x0000000070B40000-0x0000000070B6E000-memory.dmp  Filesize: 184KB
- memory/1668-86-0x0000000000000000-mapping.dmp
- memory/1668-88-0x0000000000130000-0x00000000001B9000-memory.dmp  Filesize: 548KB
- memory/1668-89-0x0000000077C90000-0x0000000077E11000-memory.dmp  Filesize: 1.5MB
- memory/1668-90-0x0000000000130000-0x00000000001B9000-memory.dmp  Filesize: 548KB
- memory/1668-91-0x0000000077C90000-0x0000000077E11000-memory.dmp  Filesize: 1.5MB
- memory/1752-78-0x0000000000000000-mapping.dmp
- memory/2040-85-0x0000000000000000-mapping.dmp