d005e4914eab4fabdbe31078662a48b27fee09f6eabbe5d0edcbaa6604a3fbb7

General

Target

3dbfb5aed328650b960d1ba6aa3c8e6f.exe
Size

155KB
MD5

3dbfb5aed328650b960d1ba6aa3c8e6f
SHA1

9b3344c6b399829370b286c46c991f2a163cf1ef
SHA256

d005e4914eab4fabdbe31078662a48b27fee09f6eabbe5d0edcbaa6604a3fbb7
SHA512

516af3255a23122f1d3c17b1624a21e282a0d66ae82b8ec30cd5a388d35b04d76ee95ef2653795d01e14e9f599ff77ffbaf0eb8ec61d5f13555353461c4cced8
SSDEEP

384:eOFiGwXaJ+EHqm4fLl3C8esEBqhn9NhqaxhqCKI3U/sLa/nCpZc6bG:eOFiGUw7qmWyqhEaxCD/nCt6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrssc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrssc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	3dbfb5aed328650b960d1ba6aa3c8e6f.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	csrssc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrssc.exe"	3dbfb5aed328650b960d1ba6aa3c8e6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrssc.exe"	csrssc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	csrssc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\PopupMgr = "yes"	csrssc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "no"	csrssc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3068	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	90
PID 2844 wrote to memory of 3068	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	90
PID 2844 wrote to memory of 3068	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	90
PID 2844 wrote to memory of 3372	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	91
PID 2844 wrote to memory of 3372	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	91
PID 2844 wrote to memory of 3372	2844	3dbfb5aed328650b960d1ba6aa3c8e6f.exe	91

C:\Users\Admin\AppData\Local\Temp\3dbfb5aed328650b960d1ba6aa3c8e6f.exe
"C:\Users\Admin\AppData\Local\Temp\3dbfb5aed328650b960d1ba6aa3c8e6f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\csrssc.exe
  C:\Users\Admin\AppData\Local\Temp\csrssc.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gtseyhbe7.bat" "C:\Users\Admin\AppData\Local\Temp\3dbfb5aed328650b960d1ba6aa3c8e6f.exe""
  2⤵
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrssc.exe

Filesize
155KB

MD5
3dbfb5aed328650b960d1ba6aa3c8e6f

SHA1
9b3344c6b399829370b286c46c991f2a163cf1ef

SHA256
d005e4914eab4fabdbe31078662a48b27fee09f6eabbe5d0edcbaa6604a3fbb7

SHA512
516af3255a23122f1d3c17b1624a21e282a0d66ae82b8ec30cd5a388d35b04d76ee95ef2653795d01e14e9f599ff77ffbaf0eb8ec61d5f13555353461c4cced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrssc.exe

Filesize
85KB

MD5
1e0ea48e5e68c998909e189cbbc9f238

SHA1
47280a7910eb4c3b4b034cc364a37e89764a43f3

SHA256
c56dbbf68b848beebf7d7f27183e5b699d909dfaf3e4361ee374fd613bfd1d83

SHA512
2d24c13c7f78f673d01dde12971f149746a6f1c2d96e7217589b1e03cfa20374c53e073578003a1e069740a2ab3f4d16d596c07e0ba714365ff36b18b45627cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtseyhbe7.bat

Filesize
52B

MD5
8db53e31a3117b405e1abf5ba790bf9e

SHA1
242a8834c7c89a12336481b5e2c3264672f9ffc4

SHA256
669a10708b8b580ecdb9d50e83c2e2a8826155c1836d27d6e9f418bccf06c87c

SHA512
b8bff236a0bb3b161295665db26c9ac597441d2bf19acdeb2a70c1f6c75d8f6268dfa1241926b0400aa98c89b4acebc7ae6216a03558231706480a0dc990499f

Download Submit
memory/2844-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2844-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2844-2-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/2844-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2844-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2844-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2844-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads