Analysis
- max time kernel: 150s
- max time network: 101s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 17:54
Behavioral task behavioral1
- Sample: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
- Resource: win10v2004-20220901-en
General
- Target: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
- Size: 305KB
- MD5: 1a1733bae2a5c22dc130d2f0f82302ef
- SHA1: 5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
- SHA256: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
- SHA512: 0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
- SSDEEP: 6144:XNFawti8qjlBtYCcYWctAnvLxSRO3NO4n06qAOssKfpYT:doQiDpBuCcB9WO3U40hAOssMps
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  Processes: WindowsUpdatechecker.exe, csrss.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | WindowsUpdatechecker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | WindowsUpdatechecker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | csrss.exe
- Executes dropped EXE (1 IoC)
  Processes: csrss.exe
  pid | process
  1888 | csrss.exe
- Loads dropped DLL (5 IoCs)
  Processes: WindowsUpdatechecker.exe, csrss.exe
  pid | process
  1584 | WindowsUpdatechecker.exe
  1584 | WindowsUpdatechecker.exe
  1888 | csrss.exe
  1888 | csrss.exe
  1888 | csrss.exe
- Obfuscated with Agile.Net obfuscator (7 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  \Users\Admin\AppData\Roaming\csrss.exe | agile_net
  \Users\Admin\AppData\Roaming\csrss.exe | agile_net
  C:\Users\Admin\AppData\Roaming\csrss.exe | agile_net
  \Users\Admin\AppData\Roaming\csrss.exe | agile_net
  \Users\Admin\AppData\Roaming\csrss.exe | agile_net
  \Users\Admin\AppData\Roaming\csrss.exe | agile_net
  C:\Users\Admin\AppData\Roaming\csrss.exe | agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: csrss.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\windws = "\"C:\\Windows\\SysWOW64\\svchost.exe\"" | csrss.exe
- Checks for any installed AV software in registry (1 TTP, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes: csrss.exe
  pid | process
  1888 | csrss.exe
  1888 | csrss.exe
  1888 | csrss.exe
  1888 | csrss.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: WindowsUpdatechecker.exe
  description | pid | process | target process
  PID 1584 set thread context of 1516 | 1584 | WindowsUpdatechecker.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe, csrss.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
- Modifies registry class (3 IoCs)
  Processes: csrss.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{22788406-694E-E14F-9635-57A764C20F26}\5EE8079D\CS1 | csrss.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{22788406-694E-E14F-9635-57A764C20F26}\5EE8079D\CW1 | csrss.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{22788406-694E-E14F-9635-57A764C20F26}\5EE8079D\CW1\1888 = 88000000a00700008df17d0416000600 | csrss.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: csrss.exe
  pid | process
  1888 | csrss.exe
  1888 | csrss.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: svchost.exe
  pid | process
  1516 | svchost.exe
  1516 | svchost.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
  pid | process
  2032 | 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: csrss.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 1888 | csrss.exe
  Token: SeRestorePrivilege | 1516 | svchost.exe
  Token: SeBackupPrivilege | 1516 | svchost.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe, WindowsUpdatechecker.exe, svchost.exe
  Identical entries are grouped; the count column gives the number of times each entry was recorded.
  description | pid | process | target process | count
  PID 2032 wrote to memory of 1584 | 2032 | 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe | WindowsUpdatechecker.exe | 7
  PID 1584 wrote to memory of 1516 | 1584 | WindowsUpdatechecker.exe | svchost.exe | 13
  PID 1584 wrote to memory of 1888 | 1584 | WindowsUpdatechecker.exe | csrss.exe | 7
  PID 1516 wrote to memory of 1592 | 1516 | svchost.exe | WerFault.exe | 7
Processes
Nested entries are child processes of the entry above them.
- C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\System32\svchost.exe"
      - Checks for any installed AV software in registry
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: "C:\Windows\SysWOW64\WerFault.exe"
    - C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 305KB
  MD5: 1a1733bae2a5c22dc130d2f0f82302ef
  SHA1: 5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
  SHA256: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
  SHA512: 0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
- \Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 305KB
  MD5: 1a1733bae2a5c22dc130d2f0f82302ef
  SHA1: 5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
  SHA256: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
  SHA512: 0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
Memory dumps
dump | filesize
memory/1516-87-0x00000000002B0000-0x00000000002BB000-memory.dmp | 44KB
memory/1516-89-0x00000000001B0000-0x00000000001FB000-memory.dmp | 300KB
memory/1516-68-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-70-0x000000000040120A-mapping.dmp | (mapping, no size given)
memory/1516-71-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-63-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-61-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-66-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-60-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-85-0x00000000001B0000-0x00000000001FB000-memory.dmp | 300KB
memory/1516-59-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1516-84-0x00000000001B0000-0x00000000001FB000-memory.dmp | 300KB
memory/1584-56-0x0000000000000000-mapping.dmp | (mapping, no size given)
memory/1584-83-0x0000000074B60000-0x000000007510B000-memory.dmp | 5.7MB
memory/1592-91-0x0000000077A30000-0x0000000077BB1000-memory.dmp | 1.5MB
memory/1592-88-0x0000000000000000-mapping.dmp | (mapping, no size given)
memory/1592-90-0x0000000000180000-0x00000000001CE000-memory.dmp | 312KB
memory/1592-93-0x0000000000180000-0x00000000001CE000-memory.dmp | 312KB
memory/1592-94-0x0000000077A30000-0x0000000077BB1000-memory.dmp | 1.5MB
memory/1888-86-0x0000000074B60000-0x000000007510B000-memory.dmp | 5.7MB
memory/1888-76-0x0000000000000000-mapping.dmp | (mapping, no size given)
memory/1888-92-0x0000000074B60000-0x000000007510B000-memory.dmp | 5.7MB
memory/1888-95-0x0000000000840000-0x000000000084B000-memory.dmp | 44KB
memory/2032-55-0x0000000074C00000-0x00000000751AB000-memory.dmp | 5.7MB
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmp | 8KB
memory/2032-57-0x0000000074C00000-0x00000000751AB000-memory.dmp | 5.7MB