Analysis

max time kernel: 59s
max time network: 55s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/04/2024, 17:45

Static task: static1
Behavioral task: behavioral1
Sample: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Resource: win10v2004-20240226-en

General

Target: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Size: 4.1MB
MD5: 26d7d6f179a5a619a78529366f519304
SHA1: b27899e55ffe3a800ea4483346ebec442511ca4f
SHA256: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
SHA512: 15b3a0948acacc333f92bf8d31528c4c9140e2b70beaf59627bbfd96415ad9b4a876ed82a33ac2e166971d03c05cc6b66723a76bd4a0d2983446d6a5da0cff26
SSDEEP: 98304:LH5J7CzszSbiwn7GrcYbqmT2oxXGbns7pL8WqJWTgfc:1MU4iw7Yx2bns7pLfTgfc
Malware Config
Signatures

Glupteba payload (10 IoCs)
resource | yara_rule
behavioral2/memory/3568-2-0x0000000005300000-0x0000000005BEB000-memory.dmp | family_glupteba
behavioral2/memory/3568-3-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/3568-52-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/3568-53-0x0000000005300000-0x0000000005BEB000-memory.dmp | family_glupteba
behavioral2/memory/4416-56-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/4416-102-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/4416-142-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/4964-148-0x0000000005600000-0x0000000005EEB000-memory.dmp | family_glupteba
behavioral2/memory/4964-149-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba
behavioral2/memory/4964-208-0x0000000000400000-0x0000000002F43000-memory.dmp | family_glupteba

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
724 | netsh.exe

Executes dropped EXE (1 IoCs)
pid | Process
4964 | csrss.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rss | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
File created | C:\Windows\rss\csrss.exe | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2332 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
936 | powershell.exe
936 | powershell.exe
3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
1416 | powershell.exe
1416 | powershell.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
1848 | powershell.exe
1848 | powershell.exe
1364 | powershell.exe
1364 | powershell.exe
1932 | powershell.exe
1932 | powershell.exe
3164 | powershell.exe
3164 | powershell.exe
2936 | powershell.exe
2936 | powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 936 | powershell.exe
Token: SeDebugPrivilege | 3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Token: SeImpersonatePrivilege | 3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Token: SeDebugPrivilege | 1416 | powershell.exe
Token: SeDebugPrivilege | 1848 | powershell.exe
Token: SeDebugPrivilege | 1364 | powershell.exe
Token: SeDebugPrivilege | 1932 | powershell.exe
Token: SeDebugPrivilege | 3164 | powershell.exe
Token: SeDebugPrivilege | 2936 | powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3568 wrote to memory of 936 | 3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 77
PID 3568 wrote to memory of 936 | 3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 77
PID 3568 wrote to memory of 936 | 3568 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 77
PID 4416 wrote to memory of 1416 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 82
PID 4416 wrote to memory of 1416 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 82
PID 4416 wrote to memory of 1416 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 82
PID 4416 wrote to memory of 1348 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 84
PID 4416 wrote to memory of 1348 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 84
PID 1348 wrote to memory of 724 | 1348 | cmd.exe | 86
PID 1348 wrote to memory of 724 | 1348 | cmd.exe | 86
PID 4416 wrote to memory of 1848 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 87
PID 4416 wrote to memory of 1848 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 87
PID 4416 wrote to memory of 1848 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 87
PID 4416 wrote to memory of 1364 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 89
PID 4416 wrote to memory of 1364 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 89
PID 4416 wrote to memory of 1364 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 89
PID 4416 wrote to memory of 4964 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 91
PID 4416 wrote to memory of 4964 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 91
PID 4416 wrote to memory of 4964 | 4416 | 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe | 91
PID 4964 wrote to memory of 1932 | 4964 | csrss.exe | 92
PID 4964 wrote to memory of 1932 | 4964 | csrss.exe | 92
PID 4964 wrote to memory of 1932 | 4964 | csrss.exe | 92
PID 4964 wrote to memory of 3164 | 4964 | csrss.exe | 98
PID 4964 wrote to memory of 3164 | 4964 | csrss.exe | 98
PID 4964 wrote to memory of 3164 | 4964 | csrss.exe | 98
PID 4964 wrote to memory of 2936 | 4964 | csrss.exe | 100
PID 4964 wrote to memory of 2936 | 4964 | csrss.exe | 100
PID 4964 wrote to memory of 2936 | 4964 | csrss.exe | 100

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3568

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 936

  C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4416

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1416

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      PID: 1348

      C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        PID: 724

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1848

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1364

    C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4964

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1932

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 2332

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 2208

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3164

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2936
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 11df36e6b4e130a03d4044879e2f62d8
SHA1: 880f6effa9fa0be32dc182f930b5b179574f984f
SHA256: 0863ced90fd898af9a4789de663a852de7419e311a6de81eaebf40530cd7ad97
SHA512: bcbe5c81462e19f060690c5fc65777afc38943252414146bc346bfccbdc2721aad8d14bf44ada39346143b67fde61f7046b33bdbc98ec4bf4a68db0a5e5cae3e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 83d7edce36f80c5568c35e9cac0af06e
SHA1: 54d4c286e79dfd03ee7744d222c467e8c497306d
SHA256: f7319774af409b499c78c08ecd83e62dcccc7b0deb8d2464676aacd77aef01e3
SHA512: e3004ba10b5c7a45b06feeef537a7d65215dc4b64c7db31da8c7cc49fe6758b4043d3abdb169c314b49f5f3fdcbab4d06f44a39299c0116d5db72526bcf58d37

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 8dd401d2477a028e5d1f3c9672aa016e
SHA1: 30cb98dc7c1559b6435349c2384018db621a5cc4
SHA256: 3cedefce48aaf478f48ffb12e200a32d284be113ea75c11b72935b3278994057
SHA512: 11528e6e2c0d7be04e2d6a2b817449362c8c4179a3f1ea17eed4c47b70980c03fab47caecfc280f744eaf17ef646484c3e8d55672fb16d6e0dcbac44ef823da3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 901831ad1f7efa67c85283d61f2f8b02
SHA1: 4f1b5d05e66398fe2291c7af771816a862043f35
SHA256: d97b98d5beaf9df3c6831c93511e6110c219ba8d7b6fea54896bbd9295fe2917
SHA512: a530598be8d28cb4e5d8d88287110916fb380d6b4c80f5814c190d81240af00bfc3ca617226ded6ff77337572d42fbb16b8f84a9be5bee447bdf1f3548576993

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 675e5720816c419d3f242b9336c6d1da
SHA1: 279fda572c83a43e18526e21c818e6e0110fa83f
SHA256: b851ab3760d8c4878025f5a2ee3486195cf0bb7445952ee68c7d20064ac09935
SHA512: fee1dea7da4d28f9342c9eeb169ab8c52878a24a98978a1dbbd35a54d35548790131f6d8ea2a62a5b142e241e8ad480d9ec158dc72c217126238e7735efe9ac4

Filesize: 4.1MB
MD5: 26d7d6f179a5a619a78529366f519304
SHA1: b27899e55ffe3a800ea4483346ebec442511ca4f
SHA256: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
SHA512: 15b3a0948acacc333f92bf8d31528c4c9140e2b70beaf59627bbfd96415ad9b4a876ed82a33ac2e166971d03c05cc6b66723a76bd4a0d2983446d6a5da0cff26