Analysis
- max time kernel: 216s
- max time network: 237s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 15:04
Static task: static1
Behavioral task: behavioral1
- Sample: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
- Resource: win10v2004-20220812-en
General
- Target: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
- Size: 235KB
- MD5: a017b4b86dc239fe0cefc07a726505f7
- SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
- SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
- SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
- SSDEEP: 6144:CeV9TbKC3OgmJPq8jMwfMxBhPmPNKedp+T:CebTbvegkqyJEXhWNz+
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: csrss.exe
    PID 4792 csrss.exe
- Sets file execution options in registry (2 TTPs, 2 IoCs)
  Processes: csrss.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afdvqtcmv.exe\DisableExceptionChainValidation (csrss.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afdvqtcmv.exe (csrss.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: csrss.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (csrss.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" (reg.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
  Processes: csrss.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira (csrss.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus (csrss.exe)
- Drops desktop.ini file(s) (1 IoCs)
  Processes: csrss.exe
    File created: C:\ProgramData\explorer\desktop.ini (csrss.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
    PID 2532 (dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe) set thread context of PID 4792 (csrss.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: csrss.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (csrss.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 (csrss.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (csrss.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (csrss.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (6 IoCs)
  Processes: csrss.exe
    Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID (csrss.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2E301F8F-8367-214D-A144-0138C06DBDED} (csrss.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2E301F8F-8367-214D-A144-0138C06DBDED}\633F07D8 (csrss.exe)
    Set value (data): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2E301F8F-8367-214D-A144-0138C06DBDED}\633F07D8\CG1\HAL = 05ee0000 (csrss.exe)
    Set value (data): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2E301F8F-8367-214D-A144-0138C06DBDED}\633F07D8\CG1\BID = 200008001d000b00e6070000140000001d0016002b00220000000000168b8663 (csrss.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2E301F8F-8367-214D-A144-0138C06DBDED}\633F07D8\CG1 (csrss.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: csrss.exe
    PID 4792 csrss.exe
    PID 4792 csrss.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: csrss.exe
    Token: SeRestorePrivilege, PID 4792 csrss.exe
    Token: SeBackupPrivilege, PID 4792 csrss.exe
    Token: SeDebugPrivilege, PID 4792 csrss.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe, cmd.exe, csrss.exe
    PID 2532 (dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe) wrote to memory of PID 3380 (cmd.exe), 3 times
    PID 2532 (dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe) wrote to memory of PID 4792 (csrss.exe), 9 times
    PID 3380 (cmd.exe) wrote to memory of PID 1784 (reg.exe), 3 times
    PID 4792 (csrss.exe) wrote to memory of PID 1456 (schtasks.exe), 3 times
    PID 4792 (csrss.exe) wrote to memory of PID 216 (WerFault.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Roaming\csrss.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Roaming\csrss.exe
         - Adds Run key to start application
         - Modifies registry key
   2. C:\Users\Admin\AppData\Local\Temp\csrss.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\csrss.exe
      - Executes dropped EXE
      - Sets file execution options in registry
      - Checks computer location settings
      - Checks for any installed AV software in registry
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x633F07D8" /TR "C:\ProgramData\explorer\afdvqtcmv.exe" /RL HIGHEST
         - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: "C:\Windows\SysWOW64\WerFault.exe"
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  Filesize: 235KB
  MD5: a017b4b86dc239fe0cefc07a726505f7
  SHA1: 4f80660d04f9b18953aaa008f63a65ac2fecd913
  SHA256: dbf4eed2ff148d9ddb7c7d4bd4d08943b88a992a876f14a1f5688d2b65450282
  SHA512: 36058a74780fab6d246b400f58702bf0bd51d3823a1423dad363c6467a8a7753f68471ef971c2d51cfb670e9041da058121a50fbea4c731aeca4bf2c9182515f
Memory dumps
- memory/216-155-0x0000000000000000-mapping.dmp
- memory/216-159-0x00000000006E0000-0x0000000000769000-memory.dmp (Filesize: 548KB)
- memory/216-158-0x00000000006E0000-0x0000000000769000-memory.dmp (Filesize: 548KB)
- memory/216-157-0x0000000000D70000-0x0000000000DEB000-memory.dmp (Filesize: 492KB)
- memory/1456-154-0x0000000000000000-mapping.dmp
- memory/1784-149-0x0000000000000000-mapping.dmp
- memory/2532-132-0x0000000070B40000-0x0000000070B6E000-memory.dmp (Filesize: 184KB)
- memory/3380-141-0x0000000000000000-mapping.dmp
- memory/4792-150-0x00000000001A0000-0x00000000001EB000-memory.dmp (Filesize: 300KB)
- memory/4792-151-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4792-152-0x00000000001A0000-0x00000000001EB000-memory.dmp (Filesize: 300KB)
- memory/4792-153-0x00000000007A0000-0x00000000007AB000-memory.dmp (Filesize: 44KB)
- memory/4792-142-0x0000000000000000-mapping.dmp
- memory/4792-156-0x00000000001A0000-0x00000000001EB000-memory.dmp (Filesize: 300KB)
- memory/4792-147-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4792-143-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)