bf8737c19f3524d55476474700b5f329bbccb93cae13383bdcf33881bfb5487d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 10:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71fde528cb5b8c054c163b4dee2f695e.exe
Size

94KB
MD5

71fde528cb5b8c054c163b4dee2f695e
SHA1

745eb0a909613a612e22345e478c167949529186
SHA256

bf8737c19f3524d55476474700b5f329bbccb93cae13383bdcf33881bfb5487d
SHA512

2e9f61b72c1035e43e077cb2f243427605665f1d16cb16f313db08b67050a62c0dda48a2993b4ac0bcb4141ea191ca4be34eec5e79b6653a72ec11d718c77085
SSDEEP

1536:uoDbjEPwyUgtYqYSF9khAdHIFn8ccQIwUtiLuo:uyb+5YSFurcQIwUtiLuo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1084	cssrs.exe
2132	cssrs.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
1084	cssrs.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft system = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\TINTSETP = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ctfmen = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft csrss = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\TINTSETP = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\IMJPMG = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft system = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\IMJPMG = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft system = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft service = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\TINTSETP = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft service = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ctfmen = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft csrss = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ctfmen = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\IMJPMG = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft csrss = "C:\\WINDOWS\\system32\\cssrs.exe"	71fde528cb5b8c054c163b4dee2f695e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft service = "C:\\WINDOWS\\system32\\cssrs.exe"	cssrs.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\cssrs.exe	71fde528cb5b8c054c163b4dee2f695e.exe
File opened for modification	C:\WINDOWS\SysWOW64\cssrs.exe	71fde528cb5b8c054c163b4dee2f695e.exe
File created	C:\WINDOWS\SysWOW64\cssrs.exe	cssrs.exe
File created	C:\WINDOWS\SysWOW64\cssrs.exe	cssrs.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	cssrs.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	cssrs.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	71fde528cb5b8c054c163b4dee2f695e.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.muluwu.com"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.muluwu.com"	cssrs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.muluwu.com"	71fde528cb5b8c054c163b4dee2f695e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
2132	cssrs.exe
1084	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe
2132	cssrs.exe
2152	71fde528cb5b8c054c163b4dee2f695e.exe
1084	cssrs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1084	2152	71fde528cb5b8c054c163b4dee2f695e.exe	28
PID 2152 wrote to memory of 1084	2152	71fde528cb5b8c054c163b4dee2f695e.exe	28
PID 2152 wrote to memory of 1084	2152	71fde528cb5b8c054c163b4dee2f695e.exe	28
PID 2152 wrote to memory of 1084	2152	71fde528cb5b8c054c163b4dee2f695e.exe	28
PID 1084 wrote to memory of 2132	1084	cssrs.exe	29
PID 1084 wrote to memory of 2132	1084	cssrs.exe	29
PID 1084 wrote to memory of 2132	1084	cssrs.exe	29
PID 1084 wrote to memory of 2132	1084	cssrs.exe	29

C:\Users\Admin\AppData\Local\Temp\71fde528cb5b8c054c163b4dee2f695e.exe
"C:\Users\Admin\AppData\Local\Temp\71fde528cb5b8c054c163b4dee2f695e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\WINDOWS\SysWOW64\cssrs.exe
  C:\WINDOWS\system32\cssrs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\WINDOWS\SysWOW64\cssrs.exe
    C:\WINDOWS\system32\cssrs.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\cssrs.exe

Filesize
94KB

MD5
71fde528cb5b8c054c163b4dee2f695e

SHA1
745eb0a909613a612e22345e478c167949529186

SHA256
bf8737c19f3524d55476474700b5f329bbccb93cae13383bdcf33881bfb5487d

SHA512
2e9f61b72c1035e43e077cb2f243427605665f1d16cb16f313db08b67050a62c0dda48a2993b4ac0bcb4141ea191ca4be34eec5e79b6653a72ec11d718c77085

Download Submit
memory/1084-17-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1084-15-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1084-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2132-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2132-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-12-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2152-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-19-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download