Overview

overview

8

Static

static

boost-fps.exe

windows7_x64

8

boost-fps.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-05-2021 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    boost-fps.exe

  • Size

    1.3MB

  • MD5

    92fc1129af30ba08a79113624f51bcb7

  • SHA1

    b68388c46a78d262fcdedbaea09372785fb6786c

  • SHA256

    121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

  • SHA512

    3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
    "C:\Users\Admin\AppData\Local\Temp\boost-fps.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Users\Admin\AppData\Local\Temp\boost-fps.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "boost-fps" /sc ONLOGON /tr "'C:\Boot\fr-CA\boost-fps.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4028
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:500
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2620
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Application Data\csrss.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1848
      • C:\ProgramData\Application Data\csrss.exe
        "C:\ProgramData\Application Data\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\ProgramData\Application Data\csrss.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Application Data\csrss.exe
    MD5

    92fc1129af30ba08a79113624f51bcb7

    SHA1

    b68388c46a78d262fcdedbaea09372785fb6786c

    SHA256

    121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

    SHA512

    3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

    Download Submit
  • C:\ProgramData\csrss.exe
    MD5

    92fc1129af30ba08a79113624f51bcb7

    SHA1

    b68388c46a78d262fcdedbaea09372785fb6786c

    SHA256

    121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

    SHA512

    3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

    Download Submit
  • C:\ProgramData\csrss.exe
    MD5

    92fc1129af30ba08a79113624f51bcb7

    SHA1

    b68388c46a78d262fcdedbaea09372785fb6786c

    SHA256

    121dec5bd279daf16e683e472949a269bb9751d6ceae4274875e36abe8871946

    SHA512

    3c1b7f326e717e0ed6cc435647598ec37ce0c2b90a942317f8d4b2c2ac8d3bd4f6c94ec86ad5af4ded8bf31a25485590b03549e0cd5e3509308e04e066efc12c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boost-fps.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csrss.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit
  • memory/500-134-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-130-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1540-131-0x0000000004EB0000-0x00000000053AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1540-124-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1540-125-0x0000000000465BEE-mapping.dmp
    Download
  • memory/1848-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2620-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2660-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2660-147-0x0000000005E00000-0x00000000062FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3676-158-0x0000000005500000-0x00000000059FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3676-151-0x0000000000465BEE-mapping.dmp
    Download
  • memory/3968-121-0x0000000005770000-0x0000000005775000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3968-120-0x0000000008A10000-0x0000000008A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-114-0x0000000000A70000-0x0000000000A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-119-0x00000000053A0000-0x000000000589E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-118-0x0000000005420000-0x0000000005421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-123-0x000000000B460000-0x000000000B4D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3968-122-0x0000000008DD0000-0x0000000008E6C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3968-117-0x0000000005440000-0x0000000005441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-116-0x00000000058A0000-0x00000000058A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-133-0x0000000000000000-mapping.dmp
    Download