cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f

General

Target

cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe
Size

20KB
MD5

ac6bc1cc2144e8766deed97f4a27cbbb
SHA1

b2cef8fd9103e2bdc1cff6cccb1fbe394320a166
SHA256

cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f
SHA512

00b6f5897b30cb8e6653c6abc44314b40e0c5f60ed68140061f1ca6643c6ca98f576db60178afd683157c2acea1f0c52ac8b7e4ce9e8d61248a2efabca46d291
SSDEEP

384:m1ehrR8pKHOc/ByUlvsM4Jz1fdYCpiZx:wejPHxJJlsM+QCpi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1472	csrcs.exe

Deletes itself 1 IoCs

pid	Process
1612	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	svchost.exe
1612	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrcs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrcs.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1472 set thread context of 592	1472	csrcs.exe	28

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1552 wrote to memory of 1612	1552	cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe	26
PID 1612 wrote to memory of 1472	1612	svchost.exe	27
PID 1612 wrote to memory of 1472	1612	svchost.exe	27
PID 1612 wrote to memory of 1472	1612	svchost.exe	27
PID 1612 wrote to memory of 1472	1612	svchost.exe	27
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28
PID 1472 wrote to memory of 592	1472	csrcs.exe	28

C:\Users\Admin\AppData\Local\Temp\cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe
"C:\Users\Admin\AppData\Local\Temp\cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\csrcs.exe
    "C:\Users\Admin\AppData\Local\Temp\csrcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrcs.exe

Filesize
20KB

MD5
ac6bc1cc2144e8766deed97f4a27cbbb

SHA1
b2cef8fd9103e2bdc1cff6cccb1fbe394320a166

SHA256
cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f

SHA512
00b6f5897b30cb8e6653c6abc44314b40e0c5f60ed68140061f1ca6643c6ca98f576db60178afd683157c2acea1f0c52ac8b7e4ce9e8d61248a2efabca46d291

Download Submit
\Users\Admin\AppData\Local\Temp\csrcs.exe

Filesize
20KB

MD5
ac6bc1cc2144e8766deed97f4a27cbbb

SHA1
b2cef8fd9103e2bdc1cff6cccb1fbe394320a166

SHA256
cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f

SHA512
00b6f5897b30cb8e6653c6abc44314b40e0c5f60ed68140061f1ca6643c6ca98f576db60178afd683157c2acea1f0c52ac8b7e4ce9e8d61248a2efabca46d291

Download Submit
\Users\Admin\AppData\Local\Temp\csrcs.exe

Filesize
20KB

MD5
ac6bc1cc2144e8766deed97f4a27cbbb

SHA1
b2cef8fd9103e2bdc1cff6cccb1fbe394320a166

SHA256
cbeb85c0d26f2d520503583f2ca5f8acb91aa86790196c8ad3f3c2511eb7008f

SHA512
00b6f5897b30cb8e6653c6abc44314b40e0c5f60ed68140061f1ca6643c6ca98f576db60178afd683157c2acea1f0c52ac8b7e4ce9e8d61248a2efabca46d291

Download Submit
memory/1612-59-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1612-63-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1612-64-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing