41c14b6c1c1332206e04a490a6065adad92209bea55d5f5356fcd9ac87fba182

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19275d4b17856c67163cb849c0a7f805.exe
Size

92KB
MD5

19275d4b17856c67163cb849c0a7f805
SHA1

d25b0d85ba3d499e2a02cebbc23aca31a964e2e4
SHA256

41c14b6c1c1332206e04a490a6065adad92209bea55d5f5356fcd9ac87fba182
SHA512

c437ae03fa6f033f8a8f632613e50eac69c32f597249ef5c5eed32d0c1ee2b7b25c4bf4811abde4a00d85ca1bec89256fae3d419428917c1325f0b050978b8e3
SSDEEP

384:8qIP3UdwjcIP3UdwHJZ415LW1u93HLrEWJ:ZS3UdwYS3UdwHJGGu93HLrP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\csrsrvmy = "{00150015-0015-0015-0015-00150015BB15}"	19275d4b17856c67163cb849c0a7f805.exe

Deletes itself 1 IoCs

pid	Process
1100	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	19275d4b17856c67163cb849c0a7f805.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrsrvmy.tmp	19275d4b17856c67163cb849c0a7f805.exe
File opened for modification	C:\Windows\SysWOW64\csrsrvmy.tmp	19275d4b17856c67163cb849c0a7f805.exe
File opened for modification	C:\Windows\SysWOW64\csrsrvmy.nls	19275d4b17856c67163cb849c0a7f805.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00150015-0015-0015-0015-00150015BB15}	19275d4b17856c67163cb849c0a7f805.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00150015-0015-0015-0015-00150015BB15}\InProcServer32	19275d4b17856c67163cb849c0a7f805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00150015-0015-0015-0015-00150015BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\csrsrvmy.dll"	19275d4b17856c67163cb849c0a7f805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00150015-0015-0015-0015-00150015BB15}\InProcServer32\ThreadingModel = "Apartment"	19275d4b17856c67163cb849c0a7f805.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	19275d4b17856c67163cb849c0a7f805.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	19275d4b17856c67163cb849c0a7f805.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1100	2040	19275d4b17856c67163cb849c0a7f805.exe	29
PID 2040 wrote to memory of 1100	2040	19275d4b17856c67163cb849c0a7f805.exe	29
PID 2040 wrote to memory of 1100	2040	19275d4b17856c67163cb849c0a7f805.exe	29
PID 2040 wrote to memory of 1100	2040	19275d4b17856c67163cb849c0a7f805.exe	29

C:\Users\Admin\AppData\Local\Temp\19275d4b17856c67163cb849c0a7f805.exe
"C:\Users\Admin\AppData\Local\Temp\19275d4b17856c67163cb849c0a7f805.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\13EE.tmp.bat
  2⤵
  - Deletes itself
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13EE.tmp.bat

Filesize
179B

MD5
9696c00221ad406f9a13abfe630a9a07

SHA1
38cbebb1ca7be4736b5e30efc69ce92e45764b61

SHA256
5d33648f06621c14f2d6dcba3fd70b609fc10af4bbeaff45604622f19404e669

SHA512
e1cda5b4f90d4904bf4f3c49d8dd5fa5a816cbebb1e2b575de0c55e19d07c962a1b0b4c0dc8e31a235368ca24671406db46af1eecb1c3325a8eabbb928ec67c0

Download Submit
C:\Windows\SysWOW64\csrsrvmy.dll

Filesize
137KB

MD5
dd629fe42efe0044abf0107702597fcc

SHA1
c8880f2aa43cc78eda6cd818f0018ed51323a23d

SHA256
684adb0c61b745982fe8e7c6d325ac33fcec5b6eea426299f8e8446c97ddf90d

SHA512
449faa3c9c3611984c39f0b2bf19f2d29019f88016aa906c1d5c18960424ab2082564b83a8649760a823f52c86dad1162382ecac8f57f8b76e78b16be71aaf4f

Download Submit
\Windows\SysWOW64\csrsrvmy.dll

Filesize
561KB

MD5
006afacabf827d87bc8a5e5148d533be

SHA1
cfaa74707c1136c3be7f90eaf1be55c88ef617da

SHA256
075b26c2bc72e976b484637b16707a655507cd7b1ec1eb97fd5dd991610ead27

SHA512
c309d592a1f6724bcb692abe64818b36dccc4333f4a224163fe30a89bda97d7b5c73ac876e9e40090054553d2ccb393d0c229f887bd5625aa5a8217d2ebe3bbf

Download Submit