4325d96d8e6a9a2e380b552eb4275db55238111927c8ba1b28ad1b33c2d5266e

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe
Size

298KB
MD5

279eb2b456f30111b8ee4f89b88fe3f0
SHA1

e80d817fcd7240838efb744a842207dd65c4582c
SHA256

4325d96d8e6a9a2e380b552eb4275db55238111927c8ba1b28ad1b33c2d5266e
SHA512

b0c08e490ea533ce42c5f671ec5ec334b670dc243da69276837927fdca33fcdd50a37884cb10795ac76e48e4022fe2191bb3ed14e17140fe75a8acbf6fdf15fb
SSDEEP

6144:JqTsnMHDrY9HogPB4aBpSi6x7ShFlCw5ySyfVI+YaNWP/mhdyKc:pMyHogPRBpSi6xehDF8NYVC8Kc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	csrrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrrss.exe = "\"C:\\windows\\csrrss.exe\""	csrrss.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\csrrss.exe	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe
File created	\??\c:\windows\csrrss.exe	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	csrrss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2088	2072	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe	28
PID 2072 wrote to memory of 2088	2072	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe	28
PID 2072 wrote to memory of 2088	2072	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe	28
PID 2072 wrote to memory of 2088	2072	NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.279eb2b456f30111b8ee4f89b88fe3f0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2072
- C:\windows\csrrss.exe
  "C:\windows\csrrss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrrss.exe

Filesize
298KB

MD5
279eb2b456f30111b8ee4f89b88fe3f0

SHA1
e80d817fcd7240838efb744a842207dd65c4582c

SHA256
4325d96d8e6a9a2e380b552eb4275db55238111927c8ba1b28ad1b33c2d5266e

SHA512
b0c08e490ea533ce42c5f671ec5ec334b670dc243da69276837927fdca33fcdd50a37884cb10795ac76e48e4022fe2191bb3ed14e17140fe75a8acbf6fdf15fb

Download Submit
C:\Windows\csrrss.exe

Filesize
298KB

MD5
279eb2b456f30111b8ee4f89b88fe3f0

SHA1
e80d817fcd7240838efb744a842207dd65c4582c

SHA256
4325d96d8e6a9a2e380b552eb4275db55238111927c8ba1b28ad1b33c2d5266e

SHA512
b0c08e490ea533ce42c5f671ec5ec334b670dc243da69276837927fdca33fcdd50a37884cb10795ac76e48e4022fe2191bb3ed14e17140fe75a8acbf6fdf15fb

Download Submit
memory/2072-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2088-8-0x00000000004A0000-0x00000000004E8000-memory.dmp

Filesize
288KB

Download
memory/2088-9-0x00000000004A0000-0x00000000004E8000-memory.dmp

Filesize
288KB

Download
memory/2088-10-0x00000000004A0000-0x00000000004E8000-memory.dmp

Filesize
288KB

Download
memory/2088-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2088-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2088-14-0x00000000004A0000-0x00000000004E8000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads