c6f700253c650e6595b8c8aad96d8907e90e3d82b6d6881aa713c2fb92d28ed2

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

295e3870060c440669699e92475b2498.exe
Size

20KB
MD5

295e3870060c440669699e92475b2498
SHA1

4fc3896f03adec73d15cf6edfc6d9379cdd63fce
SHA256

c6f700253c650e6595b8c8aad96d8907e90e3d82b6d6881aa713c2fb92d28ed2
SHA512

830ea9bc6f03890424d061ab480cf2ff65e0fce040be9a386c01a92d4801c804e4f21c5df9e74259e8d589508cc81add0238d8be7ac85034366802ff6a1a3d73
SSDEEP

192:xU7lH4WHwya5pKLbdmLkiG7zZFkiG17a7RjZ1wTQyGrx5eT/nEucZs:xkqWHda5pKHsLPG7dFNoSkTVGr1P

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	csrcs.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	svchost.exe
2136	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrcs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrcs.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 2840 set thread context of 2300	2840	csrcs.exe	30

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 3000 wrote to memory of 2136	3000	295e3870060c440669699e92475b2498.exe	28
PID 2136 wrote to memory of 2840	2136	svchost.exe	29
PID 2136 wrote to memory of 2840	2136	svchost.exe	29
PID 2136 wrote to memory of 2840	2136	svchost.exe	29
PID 2136 wrote to memory of 2840	2136	svchost.exe	29
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30
PID 2840 wrote to memory of 2300	2840	csrcs.exe	30

C:\Users\Admin\AppData\Local\Temp\295e3870060c440669699e92475b2498.exe
"C:\Users\Admin\AppData\Local\Temp\295e3870060c440669699e92475b2498.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\csrcs.exe
    "C:\Users\Admin\AppData\Local\Temp\csrcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\csrcs.exe

Filesize
20KB

MD5
295e3870060c440669699e92475b2498

SHA1
4fc3896f03adec73d15cf6edfc6d9379cdd63fce

SHA256
c6f700253c650e6595b8c8aad96d8907e90e3d82b6d6881aa713c2fb92d28ed2

SHA512
830ea9bc6f03890424d061ab480cf2ff65e0fce040be9a386c01a92d4801c804e4f21c5df9e74259e8d589508cc81add0238d8be7ac85034366802ff6a1a3d73

Download Submit
memory/2136-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-8-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2136-13-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads