b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1

General

Target

c83e2a419b36410f3d907c52fbffe6fb.exe
Size

702KB
MD5

c83e2a419b36410f3d907c52fbffe6fb
SHA1

44209ef2c21fd51e0770aab6da3ccba11f8ce7ca
SHA256

b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1
SHA512

c0034a2da49b38e83b11519b69c0b62c7e3453c788945b843f37ecde329c16a16fa11f4275d96fcbd1615827b14183b62ebc23468549191c6636b721a634597c
SSDEEP

12288:U6SKqT31T6WpJY6V765jKqostkm3NbHsPUuZacEJ:FxqT31T6WE6I5jKqosOm9bHNiEJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	c83e2a419b36410f3d907c52fbffe6fb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c83e2a419b36410f3d907c52fbffe6fb.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c83e2a419b36410f3d907c52fbffe6fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	c83e2a419b36410f3d907c52fbffe6fb.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	csrcs.exe

Loads dropped DLL 6 IoCs

pid	Process
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2568	csrcs.exe
2568	csrcs.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2284-0-0x0000000000400000-0x0000000000498000-memory.dmp	autoit_exe
behavioral1/files/0x000f000000012248-13.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	c83e2a419b36410f3d907c52fbffe6fb.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	c83e2a419b36410f3d907c52fbffe6fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2424	PING.EXE
1908	PING.EXE
2696	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2284	c83e2a419b36410f3d907c52fbffe6fb.exe
2568	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2568	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	28
PID 2284 wrote to memory of 2568	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	28
PID 2284 wrote to memory of 2568	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	28
PID 2284 wrote to memory of 2568	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	28
PID 2568 wrote to memory of 2624	2568	csrcs.exe	29
PID 2568 wrote to memory of 2624	2568	csrcs.exe	29
PID 2568 wrote to memory of 2624	2568	csrcs.exe	29
PID 2568 wrote to memory of 2624	2568	csrcs.exe	29
PID 2624 wrote to memory of 2424	2624	cmd.exe	31
PID 2624 wrote to memory of 2424	2624	cmd.exe	31
PID 2624 wrote to memory of 2424	2624	cmd.exe	31
PID 2624 wrote to memory of 2424	2624	cmd.exe	31
PID 2284 wrote to memory of 2896	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	32
PID 2284 wrote to memory of 2896	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	32
PID 2284 wrote to memory of 2896	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	32
PID 2284 wrote to memory of 2896	2284	c83e2a419b36410f3d907c52fbffe6fb.exe	32
PID 2896 wrote to memory of 1908	2896	cmd.exe	34
PID 2896 wrote to memory of 1908	2896	cmd.exe	34
PID 2896 wrote to memory of 1908	2896	cmd.exe	34
PID 2896 wrote to memory of 1908	2896	cmd.exe	34
PID 2624 wrote to memory of 2696	2624	cmd.exe	35
PID 2624 wrote to memory of 2696	2624	cmd.exe	35
PID 2624 wrote to memory of 2696	2624	cmd.exe	35
PID 2624 wrote to memory of 2696	2624	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\c83e2a419b36410f3d907c52fbffe6fb.exe
"C:\Users\Admin\AppData\Local\Temp\c83e2a419b36410f3d907c52fbffe6fb.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qzbifrk

Filesize
89KB

MD5
90ee7705add6d9c01728f68facf0d6be

SHA1
838c317d1d680cdd5e597a0f106dd21b094b58e7

SHA256
16978aa7e7c3877837ee1980732a2dbf6886b82510b622118aeff26ea0a99ca6

SHA512
7643b872bd2a91af813581bbbf67d639a555ba9262d8d77e6ab7df1b1352b72b2d0ec1d9b9963b8557bf99a191b3bca6f8328528d4bc325e9c2f39e8c301d5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
223B

MD5
5f870af505fd3ba65590f880f2d89162

SHA1
ff74f0474fb52b146a24ce57510da09da6b29de0

SHA256
063ab4e329a59d2fb1d1ab89190b0242ba89bcbbd47e4d47480314246968903e

SHA512
4332f7d820f5a4d023a7c715b06e917e80e3324ae97dc73da700d46e53de78e2f0e4e7362afad9df0663391c31481c9ad46e4aafab721234c86eec5393c930e4

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
702KB

MD5
c83e2a419b36410f3d907c52fbffe6fb

SHA1
44209ef2c21fd51e0770aab6da3ccba11f8ce7ca

SHA256
b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1

SHA512
c0034a2da49b38e83b11519b69c0b62c7e3453c788945b843f37ecde329c16a16fa11f4275d96fcbd1615827b14183b62ebc23468549191c6636b721a634597c

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads