Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 17:54
General
-
Target
43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
-
Size
305KB
-
MD5
1a1733bae2a5c22dc130d2f0f82302ef
-
SHA1
5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
-
SHA256
43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
-
SHA512
0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
SSDEEP
6144:XNFawti8qjlBtYCcYWctAnvLxSRO3NO4n06qAOssKfpYT:doQiDpBuCcB9WO3U40hAOssMps
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe"C:\Windows\SysWOW64\WerFault.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\csrss.exe"C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
C:\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
\Users\Admin\AppData\Roaming\csrss.exeFilesize
305KB
MD51a1733bae2a5c22dc130d2f0f82302ef
SHA15334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA25643957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA5120b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
-
memory/1516-87-0x00000000002B0000-0x00000000002BB000-memory.dmpFilesize
44KB
-
memory/1516-89-0x00000000001B0000-0x00000000001FB000-memory.dmpFilesize
300KB
-
memory/1516-68-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-70-0x000000000040120A-mapping.dmp
-
memory/1516-71-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-63-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-61-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-66-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-60-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-85-0x00000000001B0000-0x00000000001FB000-memory.dmpFilesize
300KB
-
memory/1516-59-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1516-84-0x00000000001B0000-0x00000000001FB000-memory.dmpFilesize
300KB
-
memory/1584-56-0x0000000000000000-mapping.dmp
-
memory/1584-83-0x0000000074B60000-0x000000007510B000-memory.dmpFilesize
5.7MB
-
memory/1592-91-0x0000000077A30000-0x0000000077BB1000-memory.dmpFilesize
1.5MB
-
memory/1592-88-0x0000000000000000-mapping.dmp
-
memory/1592-90-0x0000000000180000-0x00000000001CE000-memory.dmpFilesize
312KB
-
memory/1592-93-0x0000000000180000-0x00000000001CE000-memory.dmpFilesize
312KB
-
memory/1592-94-0x0000000077A30000-0x0000000077BB1000-memory.dmpFilesize
1.5MB
-
memory/1888-86-0x0000000074B60000-0x000000007510B000-memory.dmpFilesize
5.7MB
-
memory/1888-76-0x0000000000000000-mapping.dmp
-
memory/1888-92-0x0000000074B60000-0x000000007510B000-memory.dmpFilesize
5.7MB
-
memory/1888-95-0x0000000000840000-0x000000000084B000-memory.dmpFilesize
44KB
-
memory/2032-55-0x0000000074C00000-0x00000000751AB000-memory.dmpFilesize
5.7MB
-
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmpFilesize
8KB
-
memory/2032-57-0x0000000074C00000-0x00000000751AB000-memory.dmpFilesize
5.7MB