89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a

Analysis

max time kernel
156s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe
Size

984KB
MD5

8b1597746c989d0dd27045021363557c
SHA1

a31fda47bc6ee7a79e29456a31593d518bb9752a
SHA256

89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a
SHA512

12a109c3c008bafbc9820a5522dec09fbf24d391ffff0333d6cd8814a0f3625a4097d6cdd59eb728516e7ef79fb0a0b8c64a6d65ceac3e780b7f43f2f8a0db2f
SSDEEP

12288:ZSjzwRzH1RighUFZzHtC9FDY8c8H+Lm/yjxeiSOHTApwn2fTrNsef1JOXRqhqii:MeVRrhMxY9FDY8cLa/OerzTrNtSc

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\csrss.exe"	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
1920	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winlogs.dll	csrss.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe
File created	C:\Windows\winlogs.dll	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe
File opened for modification	C:\Windows\winlogs.dll	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe
File created	C:\Windows\csrss.exe	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe
File opened for modification	C:\Windows\csrss.exe	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1920	csrss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1920	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1920	1336	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe	32
PID 1336 wrote to memory of 1920	1336	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe	32
PID 1336 wrote to memory of 1920	1336	89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe	32

C:\Users\Admin\AppData\Local\Temp\89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe
"C:\Users\Admin\AppData\Local\Temp\89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\csrss.exe
  "C:\Windows\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
984KB

MD5
8b1597746c989d0dd27045021363557c

SHA1
a31fda47bc6ee7a79e29456a31593d518bb9752a

SHA256
89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a

SHA512
12a109c3c008bafbc9820a5522dec09fbf24d391ffff0333d6cd8814a0f3625a4097d6cdd59eb728516e7ef79fb0a0b8c64a6d65ceac3e780b7f43f2f8a0db2f

Download Submit
C:\Windows\csrss.exe

Filesize
984KB

MD5
8b1597746c989d0dd27045021363557c

SHA1
a31fda47bc6ee7a79e29456a31593d518bb9752a

SHA256
89e9bd0769f9002d0c26a63dbacc0d324c3cd322f77061ec82ae11f0f670387a

SHA512
12a109c3c008bafbc9820a5522dec09fbf24d391ffff0333d6cd8814a0f3625a4097d6cdd59eb728516e7ef79fb0a0b8c64a6d65ceac3e780b7f43f2f8a0db2f

Download Submit
C:\Windows\winlogs.dll

Filesize
154B

MD5
802f7b65757f2828dd76f278b27f14d3

SHA1
8457d0bd64fab45e2e94f6a8107c9f82f9452b12

SHA256
701a62c88314eb5f54f5d3d78aec9d0a22be1729870ab9506164e4aa307fd63e

SHA512
b6e34265ba59341c867abb33cad4058f2c23b7961a9181865baad6e22da3f7a23a9f3f9734c21b98a51f02e80827c5fae228a5373ec820a255ef1e2d47508d75

Download Submit