b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72e6b65c98007efa6db6141020a4ee4.exe
Size

32KB
MD5

d72e6b65c98007efa6db6141020a4ee4
SHA1

5d328146c73783c717cb8b9aaf7f46e5c5e81602
SHA256

b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc
SHA512

2b17d14b5b72d8441d86da7b812952dbe7d231224884d5aad070987f5220e265956b04654854dfe59cc16cc91da5a170705f18618da2321c67714b4ce0b90ff5
SSDEEP

768:PtS3UKzpDXDDVjJz40NSYsdwbhOETD78kQfKbwKexbha5:0kubXzsYqwbh18PfKbwKY

Score

7^/10

aspackv2 persistence spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b00000001224d-1.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2108	crsss.exe

Loads dropped DLL 2 IoCs

pid	Process
808	d72e6b65c98007efa6db6141020a4ee4.exe
808	d72e6b65c98007efa6db6141020a4ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\crsss.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	crsss.exe
File opened (read-only)	\??\m:	crsss.exe
File opened (read-only)	\??\p:	crsss.exe
File opened (read-only)	\??\v:	crsss.exe
File opened (read-only)	\??\y:	crsss.exe
File opened (read-only)	\??\g:	crsss.exe
File opened (read-only)	\??\i:	crsss.exe
File opened (read-only)	\??\k:	crsss.exe
File opened (read-only)	\??\o:	crsss.exe
File opened (read-only)	\??\x:	crsss.exe
File opened (read-only)	\??\z:	crsss.exe
File opened (read-only)	\??\e:	crsss.exe
File opened (read-only)	\??\h:	crsss.exe
File opened (read-only)	\??\j:	crsss.exe
File opened (read-only)	\??\u:	crsss.exe
File opened (read-only)	\??\w:	crsss.exe
File opened (read-only)	\??\n:	crsss.exe
File opened (read-only)	\??\q:	crsss.exe
File opened (read-only)	\??\t:	crsss.exe
File opened (read-only)	\??\r:	crsss.exe
File opened (read-only)	\??\s:	crsss.exe

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File opened for modification	\??\c:\autorun.inf	crsss.exe
File opened for modification	C:\autorun.inf	crsss.exe
File created	\??\c:\autorun.inf	crsss.exe
File created	\??\f:\autorun.inf	crsss.exe
File opened for modification	\??\f:\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\autorun.inf	crsss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\crsss.exe	d72e6b65c98007efa6db6141020a4ee4.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	d72e6b65c98007efa6db6141020a4ee4.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files\SubmitRestart.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	crsss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-11.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Roses.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\405.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\406.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\412.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-16.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-10.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-11.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\406.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-7.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-12.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-19.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-8.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-4.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-4.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-6.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-12.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\406.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-6.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\405.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\502.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-19.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\405.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-18.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\412.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-8.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-12.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-10.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-4.htm	crsss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies Internet Explorer start page 1 TTPs 27 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hao123.com"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2772	reg.exe
3008	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2108	crsss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2108	808	d72e6b65c98007efa6db6141020a4ee4.exe	28
PID 808 wrote to memory of 2108	808	d72e6b65c98007efa6db6141020a4ee4.exe	28
PID 808 wrote to memory of 2108	808	d72e6b65c98007efa6db6141020a4ee4.exe	28
PID 808 wrote to memory of 2108	808	d72e6b65c98007efa6db6141020a4ee4.exe	28
PID 2108 wrote to memory of 2772	2108	crsss.exe	29
PID 2108 wrote to memory of 2772	2108	crsss.exe	29
PID 2108 wrote to memory of 2772	2108	crsss.exe	29
PID 2108 wrote to memory of 2772	2108	crsss.exe	29
PID 2108 wrote to memory of 2940	2108	crsss.exe	31
PID 2108 wrote to memory of 2940	2108	crsss.exe	31
PID 2108 wrote to memory of 2940	2108	crsss.exe	31
PID 2108 wrote to memory of 2940	2108	crsss.exe	31
PID 2108 wrote to memory of 3008	2108	crsss.exe	32
PID 2108 wrote to memory of 3008	2108	crsss.exe	32
PID 2108 wrote to memory of 3008	2108	crsss.exe	32
PID 2108 wrote to memory of 3008	2108	crsss.exe	32
PID 808 wrote to memory of 2652	808	d72e6b65c98007efa6db6141020a4ee4.exe	33
PID 808 wrote to memory of 2652	808	d72e6b65c98007efa6db6141020a4ee4.exe	33
PID 808 wrote to memory of 2652	808	d72e6b65c98007efa6db6141020a4ee4.exe	33
PID 808 wrote to memory of 2652	808	d72e6b65c98007efa6db6141020a4ee4.exe	33
PID 808 wrote to memory of 2572	808	d72e6b65c98007efa6db6141020a4ee4.exe	35
PID 808 wrote to memory of 2572	808	d72e6b65c98007efa6db6141020a4ee4.exe	35
PID 808 wrote to memory of 2572	808	d72e6b65c98007efa6db6141020a4ee4.exe	35
PID 808 wrote to memory of 2572	808	d72e6b65c98007efa6db6141020a4ee4.exe	35
PID 2108 wrote to memory of 2704	2108	crsss.exe	41
PID 2108 wrote to memory of 2704	2108	crsss.exe	41
PID 2108 wrote to memory of 2704	2108	crsss.exe	41
PID 2108 wrote to memory of 2704	2108	crsss.exe	41
PID 2108 wrote to memory of 2684	2108	crsss.exe	42
PID 2108 wrote to memory of 2684	2108	crsss.exe	42
PID 2108 wrote to memory of 2684	2108	crsss.exe	42
PID 2108 wrote to memory of 2684	2108	crsss.exe	42
PID 2108 wrote to memory of 292	2108	crsss.exe	45
PID 2108 wrote to memory of 292	2108	crsss.exe	45
PID 2108 wrote to memory of 292	2108	crsss.exe	45
PID 2108 wrote to memory of 292	2108	crsss.exe	45
PID 2108 wrote to memory of 1052	2108	crsss.exe	46
PID 2108 wrote to memory of 1052	2108	crsss.exe	46
PID 2108 wrote to memory of 1052	2108	crsss.exe	46
PID 2108 wrote to memory of 1052	2108	crsss.exe	46
PID 2108 wrote to memory of 2220	2108	crsss.exe	50
PID 2108 wrote to memory of 2220	2108	crsss.exe	50
PID 2108 wrote to memory of 2220	2108	crsss.exe	50
PID 2108 wrote to memory of 2220	2108	crsss.exe	50
PID 2108 wrote to memory of 2340	2108	crsss.exe	51
PID 2108 wrote to memory of 2340	2108	crsss.exe	51
PID 2108 wrote to memory of 2340	2108	crsss.exe	51
PID 2108 wrote to memory of 2340	2108	crsss.exe	51
PID 2108 wrote to memory of 1152	2108	crsss.exe	56
PID 2108 wrote to memory of 1152	2108	crsss.exe	56
PID 2108 wrote to memory of 1152	2108	crsss.exe	56
PID 2108 wrote to memory of 1152	2108	crsss.exe	56
PID 2108 wrote to memory of 2408	2108	crsss.exe	57
PID 2108 wrote to memory of 2408	2108	crsss.exe	57
PID 2108 wrote to memory of 2408	2108	crsss.exe	57
PID 2108 wrote to memory of 2408	2108	crsss.exe	57
PID 2108 wrote to memory of 1220	2108	crsss.exe	61
PID 2108 wrote to memory of 1220	2108	crsss.exe	61
PID 2108 wrote to memory of 1220	2108	crsss.exe	61
PID 2108 wrote to memory of 1220	2108	crsss.exe	61
PID 2108 wrote to memory of 2852	2108	crsss.exe	62
PID 2108 wrote to memory of 2852	2108	crsss.exe	62
PID 2108 wrote to memory of 2852	2108	crsss.exe	62
PID 2108 wrote to memory of 2852	2108	crsss.exe	62

C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.exe
"C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\crsss.exe
  C:\Windows\system32\crsss.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_dword /d 00000000 /f
    3⤵
    - Modifies registry key
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat""
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat

Filesize
184B

MD5
d616b6076643337be695447ba10d5f52

SHA1
888fd913f1ebde96e885fe339ce3eb9ad9f1fc1c

SHA256
423347942fff54101b3538f297c15d733048fbda2f532e07632f1d43618c0171

SHA512
91d9f5f038aa3af59b5f386ef4bac43c26c3d19d4ac90ca29cc6d043acf12b6e1aa429e40e2b2b0537ebc3156008b172fb90f25a1f776057c1276ee2fa99d0de

Download Submit
C:\Windows\SysWOW64\Autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
\Windows\SysWOW64\crsss.exe

Filesize
32KB

MD5
d72e6b65c98007efa6db6141020a4ee4

SHA1
5d328146c73783c717cb8b9aaf7f46e5c5e81602

SHA256
b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc

SHA512
2b17d14b5b72d8441d86da7b812952dbe7d231224884d5aad070987f5220e265956b04654854dfe59cc16cc91da5a170705f18618da2321c67714b4ce0b90ff5

Download Submit
memory/808-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-271-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2108-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads