b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc

General

Target

d72e6b65c98007efa6db6141020a4ee4.exe
Size

32KB
MD5

d72e6b65c98007efa6db6141020a4ee4
SHA1

5d328146c73783c717cb8b9aaf7f46e5c5e81602
SHA256

b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc
SHA512

2b17d14b5b72d8441d86da7b812952dbe7d231224884d5aad070987f5220e265956b04654854dfe59cc16cc91da5a170705f18618da2321c67714b4ce0b90ff5
SSDEEP

768:PtS3UKzpDXDDVjJz40NSYsdwbhOETD78kQfKbwKexbha5:0kubXzsYqwbh18PfKbwKY

Score

7^/10

aspackv2 persistence spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0004000000022d20-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	crsss.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	crsss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\crsss.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	crsss.exe
File opened (read-only)	\??\n:	crsss.exe
File opened (read-only)	\??\u:	crsss.exe
File opened (read-only)	\??\y:	crsss.exe
File opened (read-only)	\??\z:	crsss.exe
File opened (read-only)	\??\g:	crsss.exe
File opened (read-only)	\??\h:	crsss.exe
File opened (read-only)	\??\t:	crsss.exe
File opened (read-only)	\??\v:	crsss.exe
File opened (read-only)	\??\x:	crsss.exe
File opened (read-only)	\??\e:	crsss.exe
File opened (read-only)	\??\q:	crsss.exe
File opened (read-only)	\??\p:	crsss.exe
File opened (read-only)	\??\i:	crsss.exe
File opened (read-only)	\??\o:	crsss.exe
File opened (read-only)	\??\m:	crsss.exe
File opened (read-only)	\??\r:	crsss.exe
File opened (read-only)	\??\s:	crsss.exe
File opened (read-only)	\??\w:	crsss.exe
File opened (read-only)	\??\k:	crsss.exe
File opened (read-only)	\??\l:	crsss.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\autorun.inf	crsss.exe
File opened for modification	C:\autorun.inf	crsss.exe
File created	\??\c:\autorun.inf	crsss.exe
File opened for modification	\??\c:\autorun.inf	crsss.exe
File created	\??\f:\autorun.inf	crsss.exe
File opened for modification	\??\f:\autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\crsss.exe	d72e6b65c98007efa6db6141020a4ee4.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	d72e6b65c98007efa6db6141020a4ee4.exe
File created	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm	crsss.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office16\OSPP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\SetSelect.htm	crsss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3308	reg.exe
3136	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2128	crsss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2128	4176	d72e6b65c98007efa6db6141020a4ee4.exe	96
PID 4176 wrote to memory of 2128	4176	d72e6b65c98007efa6db6141020a4ee4.exe	96
PID 4176 wrote to memory of 2128	4176	d72e6b65c98007efa6db6141020a4ee4.exe	96
PID 4176 wrote to memory of 1576	4176	d72e6b65c98007efa6db6141020a4ee4.exe	100
PID 4176 wrote to memory of 1576	4176	d72e6b65c98007efa6db6141020a4ee4.exe	100
PID 4176 wrote to memory of 1576	4176	d72e6b65c98007efa6db6141020a4ee4.exe	100
PID 4176 wrote to memory of 3624	4176	d72e6b65c98007efa6db6141020a4ee4.exe	101
PID 4176 wrote to memory of 3624	4176	d72e6b65c98007efa6db6141020a4ee4.exe	101
PID 4176 wrote to memory of 3624	4176	d72e6b65c98007efa6db6141020a4ee4.exe	101
PID 2128 wrote to memory of 3308	2128	crsss.exe	105
PID 2128 wrote to memory of 3308	2128	crsss.exe	105
PID 2128 wrote to memory of 3308	2128	crsss.exe	105
PID 2128 wrote to memory of 2664	2128	crsss.exe	107
PID 2128 wrote to memory of 2664	2128	crsss.exe	107
PID 2128 wrote to memory of 2664	2128	crsss.exe	107
PID 2128 wrote to memory of 3136	2128	crsss.exe	109
PID 2128 wrote to memory of 3136	2128	crsss.exe	109
PID 2128 wrote to memory of 3136	2128	crsss.exe	109

C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.exe
"C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\crsss.exe
  C:\Windows\system32\crsss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_dword /d 00000000 /f
    3⤵
    - Modifies registry key
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat""
  2⤵
  PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d72e6b65c98007efa6db6141020a4ee4.bat

Filesize
184B

MD5
d616b6076643337be695447ba10d5f52

SHA1
888fd913f1ebde96e885fe339ce3eb9ad9f1fc1c

SHA256
423347942fff54101b3538f297c15d733048fbda2f532e07632f1d43618c0171

SHA512
91d9f5f038aa3af59b5f386ef4bac43c26c3d19d4ac90ca29cc6d043acf12b6e1aa429e40e2b2b0537ebc3156008b172fb90f25a1f776057c1276ee2fa99d0de

Download Submit
C:\Windows\SysWOW64\crsss.exe

Filesize
32KB

MD5
d72e6b65c98007efa6db6141020a4ee4

SHA1
5d328146c73783c717cb8b9aaf7f46e5c5e81602

SHA256
b68ee58364b4ffc336369fd1d211f340ca9ab352a10dc06faea87cf07968fbcc

SHA512
2b17d14b5b72d8441d86da7b812952dbe7d231224884d5aad070987f5220e265956b04654854dfe59cc16cc91da5a170705f18618da2321c67714b4ce0b90ff5

Download Submit
C:\autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
memory/2128-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4176-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads