655b7213bb942e01565ba42376a5d98ca84fbf3728523cdb119710153eb10cd4

General

Target

3e370c2b0669635eeefa7d4519e116f2.exe
Size

170KB
MD5

3e370c2b0669635eeefa7d4519e116f2
SHA1

08da18c23049e8dfb1fd1f63a1bfa787c2a24d72
SHA256

655b7213bb942e01565ba42376a5d98ca84fbf3728523cdb119710153eb10cd4
SHA512

3b9774a559977490f40083438dc236e3d756be40e855a0992dd9bf573598602988a4a1ea238c5122ee10d410963be3d6e8502dc0dacb8ae2393088d36fd4f3de
SSDEEP

1536:XssGQLphzQHUyRPkN2HpuP7HIPe5MQVgd54vkwkRbTG9TTTTTTTTGo5tzJEqceXf:QQL/bCrwIPe5ML7nwkRA9uo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3e370c2b0669635eeefa7d4519e116f2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	3e370c2b0669635eeefa7d4519e116f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	3e370c2b0669635eeefa7d4519e116f2.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	cssrs.exe
2864	cssrs.exe

Loads dropped DLL 4 IoCs

pid	Process
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TINTIMG = "C:\\Users\\Admin\\AppData\\Roaming\\cssrs.exe"	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\AboutURLs	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\AboutURLs	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	3e370c2b0669635eeefa7d4519e116f2.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2348	cssrs.exe
2864	cssrs.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe
2952	3e370c2b0669635eeefa7d4519e116f2.exe
2864	cssrs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2348	2952	3e370c2b0669635eeefa7d4519e116f2.exe	29
PID 2952 wrote to memory of 2348	2952	3e370c2b0669635eeefa7d4519e116f2.exe	29
PID 2952 wrote to memory of 2348	2952	3e370c2b0669635eeefa7d4519e116f2.exe	29
PID 2952 wrote to memory of 2348	2952	3e370c2b0669635eeefa7d4519e116f2.exe	29
PID 2952 wrote to memory of 2864	2952	3e370c2b0669635eeefa7d4519e116f2.exe	28
PID 2952 wrote to memory of 2864	2952	3e370c2b0669635eeefa7d4519e116f2.exe	28
PID 2952 wrote to memory of 2864	2952	3e370c2b0669635eeefa7d4519e116f2.exe	28
PID 2952 wrote to memory of 2864	2952	3e370c2b0669635eeefa7d4519e116f2.exe	28

C:\Users\Admin\AppData\Local\Temp\3e370c2b0669635eeefa7d4519e116f2.exe
"C:\Users\Admin\AppData\Local\Temp\3e370c2b0669635eeefa7d4519e116f2.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Users\Admin\AppData\Roaming\cssrs.exe
  C:\Users\Admin\AppData\Roaming\cssrs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
96KB

MD5
81d7f8d9a0c51af7d0014eb1db1d6e88

SHA1
2ccfc6a27414ceab471b1289853d7a34ddb9991f

SHA256
6ca1efe821d4fb633eebc3de0da23a72f8f30cde47c9e5d5cc3512f93c82c87c

SHA512
0956ed54462980b220d00a9b9555744d5b253598187f3cebf4d13ca5a0dfc11cb63ed0e7fa8bd378846d056adbee24bf1942c9048245cc53b51330a569b273db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
100KB

MD5
c28cb5edb868d5c4ae4d371adf570ee0

SHA1
3b289c7ae82e5514d71b330bdca8159e642a7435

SHA256
42abbf4631fae28ee0382666b088c23b539af1312b8ca0b218e60536ad0f80c8

SHA512
94883c3256de1f20131fe64b83c1d9e7fdb1b55da215125573b356873bf286380a40fc0a51bf5d093ee7233df24f9101bf6086614368497733e04b8745a582f9

Download Submit
C:\Users\Admin\AppData\Roaming\cssrs.exe

Filesize
68KB

MD5
2f4cb30b3a4dd05624de0b11c69ccd01

SHA1
6b8fbfa43488599fdb2c9223f8486c3947e1fbc0

SHA256
4cffef9c4c28c452a084e13afbf8b01deb9aebd6b271b1b24de2a95dcf2b89a5

SHA512
782f89be64426edacc30392d9a7d2d640a42cec36537be6fa79ab287cbf92da6b72058dbe215e3fae8922dadec190ef8a659dd9a2fd65b5c7b68f1a8552757ac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
90KB

MD5
6303c63ce9f4286a479a4e330c73432c

SHA1
0296e3d4ef29aeed7582bc9cce1f1baa2c3ff710

SHA256
cace7c4067cb61d1029cea38edce7125a57a3e8127075280d4b361cfcc9bd413

SHA512
102339a1886406410b008f32ea67133b2cd7e33b0bc9d96b57dac99e383d32c1a27f9a5b8fd6cc8824f99d9f6ed75e4effeba1973c2a81aecbb177503a7dbbe7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
50KB

MD5
082105de117205036a4c1baf61b647eb

SHA1
18ad2dbd7b8df57b7dfecfbc9ee3f7dbfe9fa14c

SHA256
777dc637a0a89042e737939d1daa180fb5aadc29074a26b9021afbe217d4526d

SHA512
d2d7af4bd79b58241d28e161334216967649055c85be12c794fd6ebc240e86fc8c1012068ff41fc3cf7df6ad8ddb85ed686748b34c46854bfa5192deb796ee98

Download Submit
\Users\Admin\AppData\Roaming\cssrs.exe

Filesize
90KB

MD5
f5c41812ad1d3f9416c83a9737bb763d

SHA1
97824bc115af070d460544900994a89a3fdb834c

SHA256
ad1275e9305380be93fb71f60fe6e5aec452a74409f5e3008027e3dc027074ff

SHA512
43e81d2123d42d70138b4e9fd61f3505fd8cd2b070e7e7801ba1d576c8eb1f7b21eea842e702396f347a188e2f18d46fc66569292b1076c27cbc87c8c270e061

Download Submit
\Users\Admin\AppData\Roaming\cssrs.exe

Filesize
61KB

MD5
ed8e9b004620ade39cd34eff6ebfe80a

SHA1
666ff411d0f10e32e729e8733f55ac49bd6dedfd

SHA256
08f2c00c2a20aced620b70d6de7beadc00af12e47301459ae9bfaf3dc3279e80

SHA512
91d680f60195754250a116d895534144919667b3f8c0ec8dae03bcc1ede1315f99b48a800a5f77d5d2dd80919941ae53b2dec77163b57c0d6a0c19f23b8fd4d8

Download Submit
memory/2348-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-14-0x0000000000650000-0x0000000000693000-memory.dmp

Filesize
268KB

Download
memory/2952-17-0x0000000000650000-0x0000000000693000-memory.dmp

Filesize
268KB

Download
memory/2952-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-25-0x0000000000650000-0x0000000000693000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads