5e9409b0e5ba2605584ed39633fc3470ac485af23cc5f4d16e2742b7411401b7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5957273f83c34330397a570ff4f82a6d.exe
Size

632KB
MD5

5957273f83c34330397a570ff4f82a6d
SHA1

8df8ac5ad6a7ded21ae53143671c705654f85c2d
SHA256

5e9409b0e5ba2605584ed39633fc3470ac485af23cc5f4d16e2742b7411401b7
SHA512

381de51797e040cb28e809880addaad64fa3f83d8118e5fc029fa37e80b9ca9ea69555d39b78b83f90ecc711dce5a97ba3b23803f354e7e521a11097aaeedbaa
SSDEEP

12288:YyK0hHqBQExSsbxdb/kjGo2fFZd766nyYYNniD5NKqt:zK0hH7kdkzQvdyHNnSN

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	4952	rundll32.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
2436	rundll32.exe
2740	rundll32.exe
4952	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csccache.dll_xserve = "rundll32.exe \"C:\\Windows\\SysWOW64\\csccache.dll\",xserve"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csccache.dll	5957273f83c34330397a570ff4f82a6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2436	5040	5957273f83c34330397a570ff4f82a6d.exe	88
PID 5040 wrote to memory of 2436	5040	5957273f83c34330397a570ff4f82a6d.exe	88
PID 5040 wrote to memory of 2436	5040	5957273f83c34330397a570ff4f82a6d.exe	88
PID 2436 wrote to memory of 2740	2436	rundll32.exe	89
PID 2436 wrote to memory of 2740	2436	rundll32.exe	89
PID 2436 wrote to memory of 2740	2436	rundll32.exe	89
PID 2436 wrote to memory of 4952	2436	rundll32.exe	91
PID 2436 wrote to memory of 4952	2436	rundll32.exe	91
PID 2436 wrote to memory of 4952	2436	rundll32.exe	91

C:\Users\Admin\AppData\Local\Temp\5957273f83c34330397a570ff4f82a6d.exe
"C:\Users\Admin\AppData\Local\Temp\5957273f83c34330397a570ff4f82a6d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\csccache.dll",install
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\csccache.dll",watch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\csccache.dll",xserve
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\csccache.dll

Filesize
333KB

MD5
9c38d073530856084dde416c2b19f08f

SHA1
eef1929fee160369a20b5aceb70633b898ced494

SHA256
d80191ae4ae6669e4dbd653867f9c8fc1ea11e220d56fd3e34071b5b558e7c92

SHA512
89240a9b34d23e34d29d32c490ca885747cdc535b2b02fc5e1835c60b4be310d87dab2f76459c09b08a1ceb2919b44ad28580eddfe98f5fd5606b7357f1d3ebd

Download Submit
C:\Windows\SysWOW64\csccache.dll

Filesize
392KB

MD5
e6f1532798b7a5bfe5d212401e67b63f

SHA1
7b4cd1ee16e9d75e57e3e5c3e80beab3477312b1

SHA256
434a78934fa7c508a5414edcef9f0338a4980022e45384fdf25c391b280660b2

SHA512
0b5726c80141fe615bf2c860e7a61679ddf3102ba6ed0aed8167e3ef2cb86868cd145ded78b59284077c07d849604baa8c7b6b6f3228d6b55d2dfa3743b853f5

Download Submit
C:\Windows\SysWOW64\csccache.dll

Filesize
445KB

MD5
ad37cf2fd50ba0e3cb11ec6d30dc2005

SHA1
f7f9a75ebb13f7303282164945510159107fff81

SHA256
3fa3cc36574ee911d5d363a6750cd04bffca16d1fc720070945b79ad16fef611

SHA512
fc2d76f74f238cd61f2e9311c862fcdbf602c56af8d159694d469cc673b169d4857a71d23b873392c4fb4aa089ace3df34b3a92fc0bc4f16d1ea95e00dd425ae

Download Submit
C:\Windows\SysWOW64\csccache.dll

Filesize
413KB

MD5
a8fdbdacec9374362d379db1b68d8682

SHA1
9aa78fb7c1d5b1b2928c0bea10fe8a1fc8e7f236

SHA256
03cb85dc4185450173b993a49ae9344cf1df50bcd6c48cd28f856844b4c5b508

SHA512
caa008ed14e96becd76528d4bae812b9e158565bb5565218e22beb9a62fdb49bd30e5fc25bb398c041c2b23e1c76fe7ca41b48f7172fbd0da9a812cb2c852d23

Download Submit
memory/2436-6-0x00000000749E0000-0x0000000074AE7000-memory.dmp

Filesize
1.0MB

Download
memory/2436-5-0x00000000025D0000-0x00000000026D0000-memory.dmp

Filesize
1024KB

Download
memory/2740-11-0x0000000002B90000-0x0000000002C90000-memory.dmp

Filesize
1024KB

Download
memory/2740-23-0x00000000749E0000-0x0000000074AE7000-memory.dmp

Filesize
1.0MB

Download
memory/2740-27-0x0000000002B90000-0x0000000002C90000-memory.dmp

Filesize
1024KB

Download
memory/4952-18-0x0000000000B00000-0x0000000000C00000-memory.dmp

Filesize
1024KB

Download
memory/4952-24-0x00000000749E0000-0x0000000074AE7000-memory.dmp

Filesize
1.0MB

Download
memory/4952-28-0x0000000000B00000-0x0000000000C00000-memory.dmp

Filesize
1024KB

Download
memory/5040-0-0x0000000002270000-0x0000000002370000-memory.dmp

Filesize
1024KB

Download
memory/5040-1-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/5040-22-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download