General
-
Target
csrss.exe
-
Size
127KB
-
Sample
240715-kzax8a1flc
-
MD5
1ad665334adfaf19e853ac90fd7a004b
-
SHA1
b4bfda59a1a66bb117544a6407bb4ab262cab563
-
SHA256
763f6b72f4a2661bcd54df6fdfd7a6b12885781a9dd73a2eede466d495ef0986
-
SHA512
a2020536d30cca90127c0c43ba60b1616eefdfea7e6c9ab8d06768e0c412bbc28566aa43aff76c4fb7dc6677a8dc8830223b89aeb97239f8bd16efe5bebb80d8
-
SSDEEP
1536:7985mcHIqfypX78ZJuuPHbYwEm+5lHtaRWO1NZEjgWQeN+KnkGi:h85mcH9fi8ZJ/DYwiaZaRvnli
Malware Config
Targets
-
-
Target
csrss.exe
-
Size
127KB
-
MD5
1ad665334adfaf19e853ac90fd7a004b
-
SHA1
b4bfda59a1a66bb117544a6407bb4ab262cab563
-
SHA256
763f6b72f4a2661bcd54df6fdfd7a6b12885781a9dd73a2eede466d495ef0986
-
SHA512
a2020536d30cca90127c0c43ba60b1616eefdfea7e6c9ab8d06768e0c412bbc28566aa43aff76c4fb7dc6677a8dc8830223b89aeb97239f8bd16efe5bebb80d8
-
SSDEEP
1536:7985mcHIqfypX78ZJuuPHbYwEm+5lHtaRWO1NZEjgWQeN+KnkGi:h85mcH9fi8ZJ/DYwiaZaRvnli
Score10/10-
Modifies WinLogon for persistence
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Disables RegEdit via registry modification
-
Disables cmd.exe use via registry modification
-
Drops file in Drivers directory
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1