bb045c59bb4753ea894b4ef131fc7bc3dd3ca525b0ca5dfaa5665fe737a7b7cd

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2866667f8a51f15b5a750d7e5301c9d8.exe
Size

100KB
MD5

2866667f8a51f15b5a750d7e5301c9d8
SHA1

0de2f55ebbd23e676fb27383cd1ebf4b2c7fb672
SHA256

bb045c59bb4753ea894b4ef131fc7bc3dd3ca525b0ca5dfaa5665fe737a7b7cd
SHA512

29c3f5df1bea7d127447dcaf1587fdbf79478374ccea568c9336d19bc0d413b5b089c121cbf314bcb24de5847c79377d19514dca414b5cbb177533c3c63b128b
SSDEEP

1536:mayt3u/g1bJjRroLVPjXCDw+/MO8zCzhiSayt3qyVjMoRPWn/sV:ma2tJNroLVrC78zEiSa2qyjTWg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	csrss.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2768	2672	csrss.exe	29
PID 2672 set thread context of 2716	2672	csrss.exe	30
PID 2672 set thread context of 2600	2672	csrss.exe	31
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe
PID 2672 set thread context of 0	2672	csrss.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Magix Video Deluxe 5 beta.pif	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Nostradamus.doc.pif	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Nostradamus.doc.pif	svchost.exe
File created	C:\Program Files\DVD Maker\Shared\Britney Spears fuck.jpg.exe	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Britney Spears fuck.jpg.exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Nostradamus.doc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Nostradamus.doc.exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Magix Video Deluxe 5 beta.pif	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	2866667f8a51f15b5a750d7e5301c9d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1244	2866667f8a51f15b5a750d7e5301c9d8.exe
Token: SeSystemtimePrivilege	1244	2866667f8a51f15b5a750d7e5301c9d8.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2672	1244	2866667f8a51f15b5a750d7e5301c9d8.exe	28
PID 1244 wrote to memory of 2672	1244	2866667f8a51f15b5a750d7e5301c9d8.exe	28
PID 1244 wrote to memory of 2672	1244	2866667f8a51f15b5a750d7e5301c9d8.exe	28
PID 1244 wrote to memory of 2672	1244	2866667f8a51f15b5a750d7e5301c9d8.exe	28
PID 2672 wrote to memory of 2768	2672	csrss.exe	29
PID 2672 wrote to memory of 2768	2672	csrss.exe	29
PID 2672 wrote to memory of 2768	2672	csrss.exe	29
PID 2672 wrote to memory of 2768	2672	csrss.exe	29
PID 2672 wrote to memory of 2768	2672	csrss.exe	29
PID 2672 wrote to memory of 2716	2672	csrss.exe	30
PID 2672 wrote to memory of 2716	2672	csrss.exe	30
PID 2672 wrote to memory of 2716	2672	csrss.exe	30
PID 2672 wrote to memory of 2716	2672	csrss.exe	30
PID 2672 wrote to memory of 2716	2672	csrss.exe	30
PID 2672 wrote to memory of 2600	2672	csrss.exe	31
PID 2672 wrote to memory of 2600	2672	csrss.exe	31
PID 2672 wrote to memory of 2600	2672	csrss.exe	31
PID 2672 wrote to memory of 2600	2672	csrss.exe	31
PID 2672 wrote to memory of 2600	2672	csrss.exe	31

C:\Users\Admin\AppData\Local\Temp\2866667f8a51f15b5a750d7e5301c9d8.exe
"C:\Users\Admin\AppData\Local\Temp\2866667f8a51f15b5a750d7e5301c9d8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\csrss.exe
  "C:\Windows\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\svchost.exe
    svchost C:\Windows\csrss.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\svchost.exe
    svchost C:\Windows\csrss.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\svchost.exe
    svchost C:\Windows\csrss.exe
    3⤵
    - Drops file in Program Files directory
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
100KB

MD5
2866667f8a51f15b5a750d7e5301c9d8

SHA1
0de2f55ebbd23e676fb27383cd1ebf4b2c7fb672

SHA256
bb045c59bb4753ea894b4ef131fc7bc3dd3ca525b0ca5dfaa5665fe737a7b7cd

SHA512
29c3f5df1bea7d127447dcaf1587fdbf79478374ccea568c9336d19bc0d413b5b089c121cbf314bcb24de5847c79377d19514dca414b5cbb177533c3c63b128b

Download Submit
C:\Windows\csrss.exe

Filesize
19KB

MD5
fee46916fb2001f26840522903f38d71

SHA1
e870b20d23cf4e09dbb21e10581c2593cf746153

SHA256
4e4d1df2d53e7c48dc8c781872e404792a1253926785f0ea1a94e4f40e0696cb

SHA512
f8f6abee86e5891e66fe65c8b039e9459ccec162d151d8729a7b017be214876747299da80aca3938abb6566e1225469a861ecbe2f65cf36991ffd968fde5420d

Download Submit
C:\Windows\csrss.exe

Filesize
8KB

MD5
0c3ca64ad51122ac3fbfbdda94a55bd3

SHA1
378ce6035d6fbb61753b0362f45a5309f048c3d1

SHA256
dfcd604638de667a471d00b3f9cff7cde92bdaa7bb0cd2a95542e8686c0e4468

SHA512
2ce54ddbd0f3a03aba9b5f02cf999be926fe7190091efc35d3d517d77a9f47a6fa62d3b3f43c5cbff1e5e669de1154f779b5f09f8c564ff5c5d1632b641f067e

Download Submit
memory/2600-22-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2600-20-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2600-19-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2716-16-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2716-15-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2716-14-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2768-10-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2768-11-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2768-9-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download
memory/2768-7-0x0000000013140000-0x0000000013157000-memory.dmp

Filesize
92KB

Download