c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79

General

Target

c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Size

197KB
MD5

91f678982da4c4cba3f8f92e590d0b48
SHA1

ab8589c9ef664f438891fd39284ca76315b57a38
SHA256

c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79
SHA512

a97655ada4022553ee472542c62037004468fbe5ac2d1dbb14b1432b22ee71a892766b311703dfed4fa93acf9ef69e6e081ac97df0b5b18941b24ec26af34846
SSDEEP

3072:92RKXhQc1J5v3yQU7BzyrxjJlWZR6OGtACo3FIBP48ahMaYC83M3qXMZVsLh4B:gR4Gc1DnlSR6btwFIl4laPDqqmO

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	csrss.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	csrss.exe
288	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1604	netsh.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-56-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1416-61-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/files/0x0009000000012333-68.dat	upx
behavioral1/files/0x0009000000012333-71.dat	upx
behavioral1/files/0x0009000000012333-69.dat	upx
behavioral1/memory/1944-76-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/files/0x0009000000012333-77.dat	upx
behavioral1/memory/1944-83-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/files/0x0009000000012333-81.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\""	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1944 set thread context of 288	1944	csrss.exe	34

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
1944	csrss.exe
288	csrss.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1416 wrote to memory of 1980	1416	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	28
PID 1980 wrote to memory of 1604	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	31
PID 1980 wrote to memory of 1604	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	31
PID 1980 wrote to memory of 1604	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	31
PID 1980 wrote to memory of 1604	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	31
PID 1980 wrote to memory of 1944	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	33
PID 1980 wrote to memory of 1944	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	33
PID 1980 wrote to memory of 1944	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	33
PID 1980 wrote to memory of 1944	1980	c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe	33
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34
PID 1944 wrote to memory of 288	1944	csrss.exe	34

C:\Users\Admin\AppData\Local\Temp\c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
"C:\Users\Admin\AppData\Local\Temp\c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
  "C:\Users\Admin\AppData\Local\Temp\c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\csrss.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:1604
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    /d C:\Users\Admin\AppData\Local\Temp\c5ac63420f19c63bb1883b85daa800441cce3f2c79447b85d03108d0dbb75e79.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Roaming\csrss.exe
      "C:\Users\Admin\AppData\Roaming\csrss.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
197KB

MD5
e7b164664e344a122faa22dda3e258f5

SHA1
1aa3cc8d1b619848280afd32ddcaf1105c7c4415

SHA256
7e5d7f5920fada6e5be54102c87314240b03741cdcbc8d63827cda2af4cd1817

SHA512
127aeb6c6008efcc2f1ec5866c6209d5ba8fb96c0a206f5b0970bf7422d839149c5f9692178d34c1dc4eead36cbba0ee90fe58117032bd4ef4365b2848bc531c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
197KB

MD5
e7b164664e344a122faa22dda3e258f5

SHA1
1aa3cc8d1b619848280afd32ddcaf1105c7c4415

SHA256
7e5d7f5920fada6e5be54102c87314240b03741cdcbc8d63827cda2af4cd1817

SHA512
127aeb6c6008efcc2f1ec5866c6209d5ba8fb96c0a206f5b0970bf7422d839149c5f9692178d34c1dc4eead36cbba0ee90fe58117032bd4ef4365b2848bc531c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
197KB

MD5
e7b164664e344a122faa22dda3e258f5

SHA1
1aa3cc8d1b619848280afd32ddcaf1105c7c4415

SHA256
7e5d7f5920fada6e5be54102c87314240b03741cdcbc8d63827cda2af4cd1817

SHA512
127aeb6c6008efcc2f1ec5866c6209d5ba8fb96c0a206f5b0970bf7422d839149c5f9692178d34c1dc4eead36cbba0ee90fe58117032bd4ef4365b2848bc531c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe

Filesize
197KB

MD5
e7b164664e344a122faa22dda3e258f5

SHA1
1aa3cc8d1b619848280afd32ddcaf1105c7c4415

SHA256
7e5d7f5920fada6e5be54102c87314240b03741cdcbc8d63827cda2af4cd1817

SHA512
127aeb6c6008efcc2f1ec5866c6209d5ba8fb96c0a206f5b0970bf7422d839149c5f9692178d34c1dc4eead36cbba0ee90fe58117032bd4ef4365b2848bc531c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe

Filesize
197KB

MD5
e7b164664e344a122faa22dda3e258f5

SHA1
1aa3cc8d1b619848280afd32ddcaf1105c7c4415

SHA256
7e5d7f5920fada6e5be54102c87314240b03741cdcbc8d63827cda2af4cd1817

SHA512
127aeb6c6008efcc2f1ec5866c6209d5ba8fb96c0a206f5b0970bf7422d839149c5f9692178d34c1dc4eead36cbba0ee90fe58117032bd4ef4365b2848bc531c

Download Submit
memory/288-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/288-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/288-80-0x0000000000401274-mapping.dmp

Download
memory/1416-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1416-56-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1604-67-0x0000000000000000-mapping.dmp

Download
memory/1944-70-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1944-83-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1980-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1980-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1980-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1980-64-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1980-59-0x0000000000401274-mapping.dmp

Download
memory/1980-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1980-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads