ecc6813aec4ba2f24bfe772096e643567f947712c081e4c3ed45d908009305b1

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 08:46

Target

5ace14115d8f8881ed4fde86397673fd.exe
Size

23KB
MD5

5ace14115d8f8881ed4fde86397673fd
SHA1

8da8a13321b7428d8a31449248ef975285e2f69e
SHA256

ecc6813aec4ba2f24bfe772096e643567f947712c081e4c3ed45d908009305b1
SHA512

8cfd156d58ee710b5138d61a5496bab634f576eeddf6e6137cb8fa02fd943d02f2e988563b1a68045d01538bcd59630b7d4c8360a37f034192b46969f55fbd5e
SSDEEP

384:8EYLcKNs5MRfmNZadsZT9uxTce3LEfljkvqyenicc+Leh:/SDy5MCYdsaTRLUlgNvZ+Lo

Score

7^/10

discovery

Executes dropped EXE 2 IoCs

pid	Process
1740	csrss.exe
2536	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	5ace14115d8f8881ed4fde86397673fd.exe
File opened for modification	C:\Windows\csrss.exe	5ace14115d8f8881ed4fde86397673fd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	csrss.exe
2536	csrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	csrss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1740	1708	5ace14115d8f8881ed4fde86397673fd.exe	28
PID 1708 wrote to memory of 1740	1708	5ace14115d8f8881ed4fde86397673fd.exe	28
PID 1708 wrote to memory of 1740	1708	5ace14115d8f8881ed4fde86397673fd.exe	28
PID 1708 wrote to memory of 1740	1708	5ace14115d8f8881ed4fde86397673fd.exe	28

C:\Users\Admin\AppData\Local\Temp\5ace14115d8f8881ed4fde86397673fd.exe
"C:\Users\Admin\AppData\Local\Temp\5ace14115d8f8881ed4fde86397673fd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\csrss.exe
  C:\Windows\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:1740

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\csrss.exe

Filesize
23KB

MD5
5ace14115d8f8881ed4fde86397673fd

SHA1
8da8a13321b7428d8a31449248ef975285e2f69e

SHA256
ecc6813aec4ba2f24bfe772096e643567f947712c081e4c3ed45d908009305b1

SHA512
8cfd156d58ee710b5138d61a5496bab634f576eeddf6e6137cb8fa02fd943d02f2e988563b1a68045d01538bcd59630b7d4c8360a37f034192b46969f55fbd5e

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-6-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/1708-11-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download