271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
Size

80KB
MD5

73e91b1ab6d5a198be59978c1d8a4e78
SHA1

c5b2d5036fc1531ed367cdff3f6c1feab1e72feb
SHA256

271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc
SHA512

18bce3147e442b9655ec875cecf763081aae4e60c65642c8f53c884fd244553a4284163d05eabe353a660883a2231b647a21d1bc3381276a914bd619a226dab8
SSDEEP

768:78QXvyTFpHrP/58ByHA/oEraNsNHPkUfb+uTld9woHBX4QXsFwAbF1PGCwwtIa:BKFF358KAAErO4PrquZwor/4+Cf6

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\hackshen.vbs"	csrss.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	csrss.exe

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\wsock32.dll	csrss.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\wsock32.dll	csrss.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\wsock32.dll	csrss.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\7-Zip\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\wsock32.dll	csrss.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\wsock32.dll	csrss.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\Common Files\Services\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\wsock32.dll	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\wsock32.dll	csrss.exe
File created	C:\Program Files\Common Files\Services\wsock32.dll	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\wsock32.dll	csrss.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\wsock32.dll	csrss.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\csrss.exe	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
File created	C:\Windows\Tasks\hackshen.vbs	csrss.exe
File opened for modification	C:\Windows\Tasks\hackshen.vbs	csrss.exe
File created	C:\Windows\Tasks\ÂÌ»¯.bat	csrss.exe
File opened for modification	C:\Windows\Tasks\ÂÌ»¯.bat	csrss.exe
File created	C:\Windows\Tasks\wsock32.dll	csrss.exe
File created	C:\Windows\mfxixue.ini	csrss.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2440	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2844	1808	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe	30
PID 1808 wrote to memory of 2844	1808	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe	30
PID 1808 wrote to memory of 2844	1808	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe	30
PID 1808 wrote to memory of 2844	1808	271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe	30
PID 2844 wrote to memory of 2440	2844	cmd.exe	32
PID 2844 wrote to memory of 2440	2844	cmd.exe	32
PID 2844 wrote to memory of 2440	2844	cmd.exe	32
PID 2844 wrote to memory of 2440	2844	cmd.exe	32
PID 2844 wrote to memory of 2796	2844	cmd.exe	33
PID 2844 wrote to memory of 2796	2844	cmd.exe	33
PID 2844 wrote to memory of 2796	2844	cmd.exe	33
PID 2844 wrote to memory of 2796	2844	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
"C:\Users\Admin\AppData\Local\Temp\271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\mfxixue.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2440
- - C:\Windows\Tasks\csrss.exe
    C:\Windows\Tasks\csrss.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0YPCSSfbir.pif

Filesize
88B

MD5
bcd8edb015ddc9e31e8e1b4657c3df43

SHA1
d320e044bc0ed73e557a885a1a47714b8c85200e

SHA256
37646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37

SHA512
2a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
912B

MD5
48ec95bacc8186d72cce11b9584faeb7

SHA1
0a6900de60be125b545d36a55f56bd0f7db18d32

SHA256
402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

SHA512
42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

Download Submit
C:\Windows\Tasks\csrss.exe

Filesize
80KB

MD5
4a13f3bb778f7f2eba62f21a78902b4c

SHA1
26d01de427a25643eaf762283960860af0bb66af

SHA256
3107209e838a18074282445c086c9c6f06ebf82d067de22378c75acce7aa0a49

SHA512
127eec36429019662c9b1aa6cb9ad75c547d1523b729eccf296cc4964e0d4ed9d222d1819cb0dc4b51df49eae678cd15a143903b3cbe64a1aa52f66adde7fb7c

Download Submit
C:\Windows\Tasks\hackshen.vbs

Filesize
97B

MD5
a8c57eab4925bb4ad48cbabba42746e0

SHA1
f9fa7820051d33dadb862777fffd9714517e086d

SHA256
bc37a3b40be7e73055684637731ac8514e7ec9a32fd470eb73c71fd8600dba51

SHA512
d03022e7dee4f2121c41fa4fc236147cc79dfd8006630e6cb3ac84b1f732015fc957dd27df94fc5e28bc144b932e297f783edf009cd2b55b9fd25529f07e0ec6

Download Submit
C:\Windows\Tasks\wsock32.dll

Filesize
15KB

MD5
dead113140d0686a7d7feba99e884258

SHA1
47289ad8994a2d7a26c8b675a8d273683fc33452

SHA256
4712b10f86fd235297ccf236a2321bd0e82e65f98bdb7abb30d748cb6b54a221

SHA512
4a71779dc868aad54d3227ef5f783bd4a5cd60e3dffeb50f8b5325b43b24b2fb92b8ce0b4b09490dd050ac7560d4c485575e5142c95f8d67ebe224b0cf9475e0

Download Submit
\??\c:\mfxixue.bat

Filesize
163B

MD5
9778810ad3491466374117f3630150b5

SHA1
288b5a8dbfc0830c17bbbea1ea0097781116d7fe

SHA256
a703afbf3c99934feda32706444d39805bc21d96d6baf03779c867259aa445d2

SHA512
41afbf47eed5a980e1c366281f6ea8dda606826a99f94ff8506ab4b937f00a05f778d1cdb6a8ff3d3acc30823809b3643b2df555832febdf39627f659b7f52fa

Download Submit
memory/1808-9-0x0000000000400000-0x000000000041308C-memory.dmp

Filesize
76KB

Download
memory/1808-0-0x0000000000400000-0x000000000041308C-memory.dmp

Filesize
76KB

Download
memory/2796-22-0x0000000000400000-0x000000000041308C-memory.dmp

Filesize
76KB

Download
memory/2844-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2844-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download