655b7213bb942e01565ba42376a5d98ca84fbf3728523cdb119710153eb10cd4

Analysis

max time kernel
156s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e370c2b0669635eeefa7d4519e116f2.exe
Size

170KB
MD5

3e370c2b0669635eeefa7d4519e116f2
SHA1

08da18c23049e8dfb1fd1f63a1bfa787c2a24d72
SHA256

655b7213bb942e01565ba42376a5d98ca84fbf3728523cdb119710153eb10cd4
SHA512

3b9774a559977490f40083438dc236e3d756be40e855a0992dd9bf573598602988a4a1ea238c5122ee10d410963be3d6e8502dc0dacb8ae2393088d36fd4f3de
SSDEEP

1536:XssGQLphzQHUyRPkN2HpuP7HIPe5MQVgd54vkwkRbTG9TTTTTTTTGo5tzJEqceXf:QQL/bCrwIPe5ML7nwkRA9uo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3e370c2b0669635eeefa7d4519e116f2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	3e370c2b0669635eeefa7d4519e116f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	3e370c2b0669635eeefa7d4519e116f2.exe

Executes dropped EXE 2 IoCs

pid	Process
3428	cssrs.exe
1384	cssrs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TINTIMG = "C:\\Users\\Admin\\AppData\\Roaming\\cssrs.exe"	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\AboutURLs	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\AboutURLs	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.114116.info"	3e370c2b0669635eeefa7d4519e116f2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	3e370c2b0669635eeefa7d4519e116f2.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
1384	cssrs.exe
1384	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
4860	3e370c2b0669635eeefa7d4519e116f2.exe
3428	cssrs.exe
3428	cssrs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3428	4860	3e370c2b0669635eeefa7d4519e116f2.exe	91
PID 4860 wrote to memory of 3428	4860	3e370c2b0669635eeefa7d4519e116f2.exe	91
PID 4860 wrote to memory of 3428	4860	3e370c2b0669635eeefa7d4519e116f2.exe	91
PID 4860 wrote to memory of 1384	4860	3e370c2b0669635eeefa7d4519e116f2.exe	92
PID 4860 wrote to memory of 1384	4860	3e370c2b0669635eeefa7d4519e116f2.exe	92
PID 4860 wrote to memory of 1384	4860	3e370c2b0669635eeefa7d4519e116f2.exe	92

C:\Users\Admin\AppData\Local\Temp\3e370c2b0669635eeefa7d4519e116f2.exe
"C:\Users\Admin\AppData\Local\Temp\3e370c2b0669635eeefa7d4519e116f2.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Drops startup file
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\cssrs.exe
  C:\Users\Admin\AppData\Roaming\cssrs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
170KB

MD5
3e370c2b0669635eeefa7d4519e116f2

SHA1
08da18c23049e8dfb1fd1f63a1bfa787c2a24d72

SHA256
655b7213bb942e01565ba42376a5d98ca84fbf3728523cdb119710153eb10cd4

SHA512
3b9774a559977490f40083438dc236e3d756be40e855a0992dd9bf573598602988a4a1ea238c5122ee10d410963be3d6e8502dc0dacb8ae2393088d36fd4f3de

Download Submit
memory/3428-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download