Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 21:16

Static task: static1

Behavioral task: behavioral1
Sample: 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
Resource: win10v2004-20221111-en
General
Target: 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
Size: 80KB
MD5: 670f69a6374b461d123ed616314d480b
SHA1: 5d648ef1c6a5620e67b65205b250079fdd2881df
SHA256: 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c
SHA512: f8660b913725070f3523dc4a96b2ed10893f232b1b1568e1f431e554c10bc7ae1b50856fd7c88957bb3fda8f7063d66e88d1e46c4b247d6ee75b2298dd0f6afe
SSDEEP: 1536:PcsriZiTLNxtH8DbtSWXlov+nUrgW99HiYDZOblI0nQhkpI9r7LtA6dU:BLxtH8D/V/UrgkYMKlnQII9r7LtA6dU
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\csrsss.exe = "C:\\Program Files (x86)\\Common Files\\System\\csrsss.exe:*:Enabled:CSR System Services" | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\csrsss.exe = "C:\\Program Files (x86)\\Common Files\\System\\csrsss.exe:*:Enabled:CSR System Services" | csrsss.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\csrsss.exe = "C:\\Program Files (x86)\\Common Files\\System\\csrsss.exe:*:Enabled:CSR System Services" | csrsss.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\csrsss.exe = "C:\\Program Files (x86)\\Common Files\\System\\csrsss.exe:*:Enabled:CSR System Services" | csrsss.exe
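The value written above uses the legacy firewall exception format that Windows XP, Vista and 7 keep under AuthorizedApplications\List: the value name is the executable path, and the data is "<path>:<remote scope>:<Enabled|Disabled>:<display name>", so "*" means the exception applies to any remote address. The Python below is an added example, not part of the sandbox report. It parses such an entry and flags what makes this one suspicious: a file name one character away from csrss.exe and a "system"-sounding display name for a binary that does not live under C:\Windows. The list of imitated process names, the keyword test and the benign Firefox entry used for contrast are the example's own assumptions, not anything the report states.

```python
"""Triage legacy Windows Firewall 'AuthorizedApplications\\List' exceptions.

Added example for this report. Format written by Windows XP/Vista/7 under
...\\FirewallPolicy\\<Profile>\\AuthorizedApplications\\List:
    value name : <exe path>
    value data : "<exe path>:<remote scope>:<Enabled|Disabled>:<display name>"
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass
from typing import Optional

LIST_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Core Windows process names that droppers imitate. Assumption: an analyst's
# pick for this example, not something the report defines.
SYSTEM_PROCESSES = ("csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                    "winlogon.exe", "services.exe", "explorer.exe")

# <path>:<scope>:<state>:<name>; the path may carry a drive-letter colon.
_DATA_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")


@dataclass
class FirewallException:
    value_name: str     # full registry value name as the sandbox prints it
    path: str           # executable path taken from the value data
    scope: str          # remote address scope; "*" = any remote address
    enabled: bool
    display_name: str


def parse_exception(value_name: str, data: str) -> FirewallException:
    """Parse one List entry. The sandbox escapes backslashes in the data
    string, so collapse '\\\\' to '\\' before matching."""
    data = data.replace("\\\\", "\\")
    m = _DATA_RE.match(data)
    if not m:
        raise ValueError(f"unrecognised firewall exception data: {data!r}")
    return FirewallException(value_name, m["path"], m["scope"],
                             m["state"] == "Enabled", m["name"])


def lookalike(exe: str) -> Optional[str]:
    """Core process name that `exe` imitates (csrsss.exe -> csrss.exe), or
    None for an exact match or an unrelated name."""
    close = difflib.get_close_matches(exe.lower(), SYSTEM_PROCESSES, n=1, cutoff=0.85)
    return close[0] if close and close[0] != exe.lower() else None


def assess(exc: FirewallException) -> list[str]:
    """Return human-readable findings for one exception (empty = nothing odd)."""
    findings = []
    exe = exc.path.rsplit("\\", 1)[-1].lower()
    in_system_root = exc.path.lower().startswith("c:\\windows\\")
    # The value name is defined to be the same path as in the data.
    if not exc.value_name.lower().endswith(exc.path.lower()):
        findings.append("value name does not match executable path in data")
    # A near-miss of a core process name is the classic masquerade.
    target = lookalike(exe)
    if target:
        findings.append(f"file name {exe} imitates {target}")
    # The genuine name outside %SystemRoot% is a masquerade too.
    if exe in SYSTEM_PROCESSES and not in_system_root:
        findings.append(f"{exe} located outside C:\\Windows")
    # A system-sounding display name on a binary that is not under C:\Windows.
    if re.search(r"system|windows|microsoft", exc.display_name, re.I) and not in_system_root:
        findings.append(f"display name {exc.display_name!r} claims a system role for a non-system path")
    # Open to any remote address: common for real apps, still worth recording.
    if exc.enabled and exc.scope == "*":
        findings.append("enabled for any remote address")
    return findings


def triage(entries: dict[str, str]) -> dict[str, list[str]]:
    return {name: assess(parse_exception(name, data)) for name, data in entries.items()}


# First entry: the one this report records. Second: a constructed benign
# exception for contrast (Firefox does not appear in the report).
SAMPLE_ENTRIES = {
    LIST_KEY + r"\C:\Program Files (x86)\Common Files\System\csrsss.exe":
        r"C:\\Program Files (x86)\\Common Files\\System\\csrsss.exe:*:Enabled:CSR System Services",
    LIST_KEY + r"\C:\Program Files (x86)\Mozilla Firefox\firefox.exe":
        r"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox",
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ENTRIES).items():
        print(name.rsplit("\\List\\", 1)[-1])
        for finding in findings or ["no findings"]:
            print("   -", finding)
```

Run against a live system, the same logic applies to the values enumerated under HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List; the "any remote address" finding on its own is noise, the look-alike and display-name findings are the ones worth alerting on.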
Executes dropped EXE (3 IoCs)
pid | Process
1276 | csrsss.exe
1796 | csrsss.exe
1012 | csrsss.exe

Deletes itself (1 IoC)
pid | Process
1276 | csrsss.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\kazaa\my shared folder\AOL Instant Messenger (AIM) Cracker.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\AOL Triton Cracker.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\RuneScape Gold Exploit.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\emule\incoming\Virus Generator.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Adobe Photoshop Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\icq\shared folder\Microsoft Visual Basic 2008 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\RuneScape 2008 - Newest Exploits.exe | csrsss.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Kaspersky Keygen.exe | csrsss.exe
File created | C:\Program Files (x86)\bearshare\shared\Microsoft Visual Basic 2008 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\emule\incoming\Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\DivX Pro KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Microsoft Visual Basic 6 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\emule\incoming\Widnows Vista Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Widnows Vista Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\tesla\files\MSN Live Password Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\DivX Pro KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\limewire\shared\AOL Instant Messenger (AIM) Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Limewire Pro Downloader.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Project 7 Private 4.8.exe | csrsss.exe
File created | C:\Program Files (x86)\icq\shared folder\Photoshop Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\YIM HAcker 2009.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Norton Anti-Virus 2008 Enterprise Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Limewire Speed Patch | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\grokster\my grokster\AOL Triton Cracker.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\emule\incoming\Myspace Attack.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Hotmail Hacker.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Windows XP Keygen | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Myspace Bruteforce.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\Microsoft Visual Basic 6 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\bearshare\shared\RuneScape Gold Exploit.exe | csrsss.exe
File created | C:\Program Files (x86)\limewire\shared\MSN Hacker 2009.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Microsoft Visual Basic 6 KeyGen.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\limewire\shared\RuneScape Cracker.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Hotmail Hacker.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Kaspersky Crck.exe | csrsss.exe
File opened for modification | C:\Program Files (x86)\Common Files\System | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\Kaspersky Crck.exe | csrsss.exe
File created | C:\Program Files (x86)\emule\incoming\Kaspersky Keygen.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Adobe Photoshop Crack.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Adobe Photoshop CS3 Keygen.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\winmx\shared\Windows 2008 Server KeyGen.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\bearshare\shared\Microsoft Visual C++ 6 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\tesla\files\Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\ICQ Account Cracker.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\AOL Hacker 2008.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\YIM HAcker 2008.exe | csrsss.exe
File created | C:\Program Files (x86)\icq\shared folder\AOL Hacker 2009.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\DeadSpace KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Counter-Strike Source KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\winmx\shared\PhotoShop Keygen.exe | csrsss.exe
File created | C:\Program Files (x86)\tesla\files\RuneScape Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\winmx\shared\WOW Account Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\Tcpip Patch.exe | 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created | C:\Program Files (x86)\emule\incoming\Password Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\icq\shared folder\AOL Instant Messenger (AIM) Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\Windows XP Keygen | csrsss.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Adobe Keygen.exe | csrsss.exe
File created | C:\Program Files (x86)\icq\shared folder\Password Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\winmx\shared\Microsoft Visual Studio 6 KeyGen.exe | csrsss.exe
File created | C:\Program Files (x86)\grokster\my grokster\Norton Anti-Virus 2008 Enterprise Crack.exe | csrsss.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\AOL Password Cracker.exe | csrsss.exe
File created | C:\Program Files (x86)\tesla\files\Tcpip Patch.exe | csrsss.exe
File created | C:\Program Files (x86)\emule\incoming\AOL Password Cracker.exe | csrsss.exe
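The 64 drops above follow one pattern: copies placed in the shared folders of installed P2P clients (Kazaa, Kazaa Lite, LimeWire, BearShare, Grokster, Morpheus, eMule, eDonkey2000, WinMX, ICQ, Tesla) under lure names built from words like crack, keygen, hacker and exploit. That is the classic P2P-worm propagation technique: other users search for those titles, download the copy and run it. The Python below is an added example, not part of the report. It parses IoC lines in the report's "File created <path> <process>" form, groups them by client share folder, writing process and lure keyword, and flags any process that wrote into the share folders of several different clients, something a genuine client never does for other clients' folders. The share-folder mapping and the keyword list are the example's own; the sample lines are a subset copied from the list above.

```python
"""Group the report's 'File created' IoCs by P2P share folder and flag
P2P-seeding behaviour. Added example; the mapping and keyword list are the
analyst's own, the sample lines are copied from the report."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

PROGRAM_FILES = "c:\\program files (x86)\\"

# Share folders of the P2P clients this sample targets, relative to Program
# Files (x86), lower-case. Assumption: derived by the analyst from the paths
# in the report, not something the sandbox labels.
P2P_SHARE_DIRS = {
    "kazaa\\my shared folder": "Kazaa",
    "kazaa lite\\my shared folder": "Kazaa Lite",
    "kazaa lite k++\\my shared folder": "Kazaa Lite K++",
    "limewire\\shared": "LimeWire",
    "bearshare\\shared": "BearShare",
    "grokster\\my grokster": "Grokster",
    "morpheus\\my shared folder": "Morpheus",
    "emule\\incoming": "eMule",
    "edonkey2000\\incoming": "eDonkey2000",
    "winmx\\shared": "WinMX",
    "icq\\shared folder": "ICQ",
    "tesla\\files": "Tesla",
}

# Lure vocabulary seen in the dropped file names.
LURE_WORDS = re.compile(r"crack|keygen|hack|exploit|bruteforce|password|patch|generator", re.I)

# "<action> <path with spaces> <process>": the process is the last token.
IOC_RE = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+(?P<path>.+?)\s+(?P<process>\S+)$")

# Subset of the 64 IoC lines in the report (same text, including two entries
# dropped without an .exe extension and the directory modification).
SAMPLE_IOCS = r"""
File created C:\Program Files (x86)\kazaa\my shared folder\AOL Instant Messenger (AIM) Cracker.exe 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created C:\Program Files (x86)\kazaa lite k++\my shared folder\RuneScape Gold Exploit.exe 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created C:\Program Files (x86)\emule\incoming\Virus Generator.exe 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File created C:\Program Files (x86)\icq\shared folder\Microsoft Visual Basic 2008 KeyGen.exe csrsss.exe
File created C:\Program Files (x86)\grokster\my grokster\RuneScape 2008 - Newest Exploits.exe csrsss.exe
File created C:\Program Files (x86)\morpheus\my shared folder\Kaspersky Keygen.exe csrsss.exe
File created C:\Program Files (x86)\bearshare\shared\Microsoft Visual Basic 2008 KeyGen.exe csrsss.exe
File created C:\Program Files (x86)\limewire\shared\MSN Hacker 2009.exe csrsss.exe
File created C:\Program Files (x86)\kazaa lite k++\my shared folder\Windows XP Keygen csrsss.exe
File created C:\Program Files (x86)\winmx\shared\WOW Account Cracker.exe csrsss.exe
File created C:\Program Files (x86)\kazaa\my shared folder\Limewire Speed Patch 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
File opened for modification C:\Program Files (x86)\Common Files\System csrsss.exe
"""


def classify(path: str) -> str | None:
    """Name of the P2P client whose share folder contains `path`, else None."""
    low = path.lower()
    if not low.startswith(PROGRAM_FILES):
        return None
    rel = low[len(PROGRAM_FILES):]
    for share_dir, client in P2P_SHARE_DIRS.items():
        if rel.startswith(share_dir + "\\"):
            return client
    return None


def summarise(lines) -> dict:
    """Aggregate IoC lines; non-matching lines are skipped, drops outside any
    known share folder are kept separately under 'unclassified'."""
    per_client: Counter = Counter()
    per_process: Counter = Counter()
    lures: Counter = Counter()
    clients_by_process: dict[str, set[str]] = defaultdict(set)
    unclassified = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        client = classify(m["path"])
        if client is None:
            unclassified.append((m["action"], m["path"], m["process"]))
            continue
        per_client[client] += 1
        per_process[m["process"]] += 1
        clients_by_process[m["process"]].add(client)
        word = LURE_WORDS.search(m["path"].rsplit("\\", 1)[-1])
        lures[word.group(0).lower() if word else "other"] += 1
    return {"per_client": per_client, "per_process": per_process, "lures": lures,
            "clients_by_process": dict(clients_by_process), "unclassified": unclassified}


def seeding_processes(summary: dict, min_clients: int = 3) -> list[str]:
    """Processes that wrote into the share folders of at least `min_clients`
    different P2P clients. A real client writes only into its own folder, so
    a hit is a propagation signal independent of the lure names."""
    return sorted(p for p, clients in summary["clients_by_process"].items()
                  if len(clients) >= min_clients)


if __name__ == "__main__":
    s = summarise(SAMPLE_IOCS.splitlines())
    print("drops per client  :", dict(s["per_client"]))
    print("drops per process :", dict(s["per_process"]))
    print("lure keywords     :", dict(s["lures"]))
    print("outside share dirs:", s["unclassified"])
    print("P2P-seeding processes:", seeding_processes(s))
```

The multi-client check is the part worth turning into a detection rule: a file-creation event into any of these folders from a process that is not the corresponding client, with the count of distinct client folders written by one process as the threshold, catches the behaviour even when the lure vocabulary changes.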
Processes

C:\Users\Admin\AppData\Local\Temp\7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c.exe"
  PID: 1148
  - Modifies firewall policy service
  - Drops file in Program Files directory

C:\Program Files (x86)\Common Files\System\csrsss.exe
  Command line: "C:\Program Files (x86)\Common Files\System\csrsss.exe"
  PID: 1276
  - Modifies firewall policy service
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Program Files directory

C:\Program Files (x86)\Common Files\System\csrsss.exe
  Command line: "C:\Program Files (x86)\Common Files\System\csrsss.exe"
  PID: 1796
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in Program Files directory

C:\Program Files (x86)\Common Files\System\csrsss.exe
  Command line: "C:\Program Files (x86)\Common Files\System\csrsss.exe"
  PID: 1012
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
4 entries, all with the same hashes as the submitted sample:
Filesize: 80KB
MD5: 670f69a6374b461d123ed616314d480b
SHA1: 5d648ef1c6a5620e67b65205b250079fdd2881df
SHA256: 7923cb36fae8a824dfe9e415ebf00325265dc2c047ff74ae036311965be5249c
SHA512: f8660b913725070f3523dc4a96b2ed10893f232b1b1568e1f431e554c10bc7ae1b50856fd7c88957bb3fda8f7063d66e88d1e46c4b247d6ee75b2298dd0f6afe